mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-10 18:54:08 +02:00
Code Issues Releases Wiki Activity

[ticket/16690] Fix htmlspecialchars and htmlspecialchars_decode default flag

Browse Source 
PHPBB3-16690
This commit is contained in:
rxu
2021-01-20 00:01:20 +07:00
parent ddf5de8349
commit 2fd4dbb685
73 changed files with 206 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
phpBB/includes/acp/acp_attachments.php
View File

@@ -759,7 +759,7 @@ class acp_attachments
continue;
}
$filename_list .= '<option value="' . htmlspecialchars($img) . '"' . $selected . '>' . htmlspecialchars($img) . '</option>';
$filename_list .= '<option value="' . htmlspecialchars($img, ENT_COMPAT) . '"' . $selected . '>' . htmlspecialchars($img, ENT_COMPAT) . '</option>';
}
}

6
phpBB/includes/acp/acp_bbcodes.php
View File

@@ -62,7 +62,7 @@ class acp_bbcodes
}
$bbcode_match = $row['bbcode_match'];
$bbcode_tpl = htmlspecialchars($row['bbcode_tpl']);
$bbcode_tpl = htmlspecialchars($row['bbcode_tpl'], ENT_COMPAT);
$display_on_posting = $row['display_on_posting'];
$bbcode_helpline = $row['bbcode_helpline'];
break;
@@ -86,7 +86,7 @@ class acp_bbcodes
$display_on_posting = $request->variable('display_on_posting', 0);
$bbcode_match = $request->variable('bbcode_match', '');
$bbcode_tpl = htmlspecialchars_decode($request->variable('bbcode_tpl', '', true));
$bbcode_tpl = htmlspecialchars_decode($request->variable('bbcode_tpl', '', true), ENT_COMPAT);
$bbcode_helpline = $request->variable('bbcode_helpline', '', true);
break;
}
@@ -334,7 +334,7 @@ class acp_bbcodes
'action' => $action,
'bbcode' => $bbcode_id,
'bbcode_match' => $bbcode_match,
'bbcode_tpl' => htmlspecialchars($bbcode_tpl),
'bbcode_tpl' => htmlspecialchars($bbcode_tpl, ENT_COMPAT),
'bbcode_helpline' => $bbcode_helpline,
'display_on_posting' => $display_on_posting,
)))

4
phpBB/includes/acp/acp_board.php
View File

@@ -719,8 +719,8 @@ class acp_board
$messenger->set_addresses($user->data);
$messenger->anti_abuse_headers($config, $user);
$messenger->assign_vars(array(
'USERNAME' => htmlspecialchars_decode($user->data['username']),
'MESSAGE' => htmlspecialchars_decode($request->variable('send_test_email_text', '', true)),
'USERNAME' => htmlspecialchars_decode($user->data['username'], ENT_COMPAT),
'MESSAGE' => htmlspecialchars_decode($request->variable('send_test_email_text', '', true), ENT_COMPAT),
));
$messenger->send(NOTIFY_EMAIL);

4
phpBB/includes/acp/acp_email.php
View File

@@ -205,7 +205,7 @@ class acp_email
$email_template = 'admin_send_email';
$template_data = array(
'CONTACT_EMAIL' => phpbb_get_board_contact($config, $phpEx),
'MESSAGE' => htmlspecialchars_decode($message),
'MESSAGE' => htmlspecialchars_decode($message, ENT_COMPAT),
);
$generate_log_entry = true;
@@ -252,7 +252,7 @@ class acp_email
$messenger->anti_abuse_headers($config, $user);
$messenger->subject(htmlspecialchars_decode($subject));
$messenger->subject(htmlspecialchars_decode($subject, ENT_COMPAT));
$messenger->set_mail_priority($priority);
$messenger->assign_vars($template_data);

4
phpBB/includes/acp/acp_help_phpbb.php
View File

@@ -90,7 +90,7 @@ class acp_help_phpbb
if (!empty($response))
{
$decoded_response = json_decode(htmlspecialchars_decode($response), true);
$decoded_response = json_decode(htmlspecialchars_decode($response, ENT_COMPAT), true);
if ($decoded_response && isset($decoded_response['status']) && $decoded_response['status'] == 'ok')
{
@@ -126,7 +126,7 @@ class acp_help_phpbb
}
$template->assign_block_vars('providers', array(
'NAME' => htmlspecialchars($provider),
'NAME' => htmlspecialchars($provider, ENT_COMPAT),
));
foreach ($data as $key => $value)

2
phpBB/includes/acp/acp_icons.php
View File

@@ -693,7 +693,7 @@ class acp_icons
foreach ($_paks as $pak)
{
$pak_options .= '<option value="' . $pak . '">' . htmlspecialchars($pak) . '</option>';
$pak_options .= '<option value="' . $pak . '">' . htmlspecialchars($pak, ENT_COMPAT) . '</option>';
}
$template->assign_vars(array(

4
phpBB/includes/acp/acp_inactive.php
View File

@@ -130,7 +130,7 @@ class acp_inactive
$messenger->anti_abuse_headers($config, $user);
$messenger->assign_vars(array(
'USERNAME' => htmlspecialchars_decode($row['username']))
'USERNAME' => htmlspecialchars_decode($row['username'], ENT_COMPAT))
);
$messenger->send(NOTIFY_EMAIL);
@@ -224,7 +224,7 @@ class acp_inactive
$messenger->anti_abuse_headers($config, $user);
$messenger->assign_vars(array(
'USERNAME' => htmlspecialchars_decode($row['username']),
'USERNAME' => htmlspecialchars_decode($row['username'], ENT_COMPAT),
'REGISTER_DATE' => $user->format_date($row['user_regdate'], false, true),
'U_ACTIVATE' => generate_board_url() . "/ucp.$phpEx?mode=activate&u=" . $row['user_id'] . '&k=' . $row['user_actkey'])
);

4
phpBB/includes/acp/acp_language.php
View File

@@ -274,7 +274,7 @@ class acp_language
$lang_pack = array(
'iso' => $lang_iso,
'name' => trim(htmlspecialchars($file[0])),
'name' => trim(htmlspecialchars($file[0], ENT_COMPAT)),
'local_name'=> trim(htmlspecialchars($file[1], ENT_COMPAT, 'UTF-8')),
'author' => trim(htmlspecialchars($file[2], ENT_COMPAT, 'UTF-8'))
);
@@ -420,7 +420,7 @@ class acp_language
foreach ($new_ary as $iso => $lang_ary)
{
$template->assign_block_vars('notinst', array(
'ISO' => htmlspecialchars($lang_ary['iso']),
'ISO' => htmlspecialchars($lang_ary['iso'], ENT_COMPAT),
'LOCAL_NAME' => htmlspecialchars($lang_ary['local_name'], ENT_COMPAT, 'UTF-8'),
'NAME' => htmlspecialchars($lang_ary['name'], ENT_COMPAT, 'UTF-8'),
'U_INSTALL' => $this->u_action . '&amp;action=install&amp;iso=' . urlencode($lang_ary['iso']) . '&amp;hash=' . generate_link_hash('acp_language'))

2
phpBB/includes/acp/acp_logs.php
View File

@@ -108,7 +108,7 @@ class acp_logs
$sql_sort = $sort_by_sql[$sort_key] . ' ' . (($sort_dir == 'd') ? 'DESC' : 'ASC');
$keywords = $request->variable('keywords', '', true);
$keywords_param = !empty($keywords) ? '&amp;keywords=' . urlencode(htmlspecialchars_decode($keywords)) : '';
$keywords_param = !empty($keywords) ? '&amp;keywords=' . urlencode(htmlspecialchars_decode($keywords, ENT_COMPAT)) : '';
$l_title = $user->lang['ACP_' . strtoupper($mode) . '_LOGS'];
$l_title_explain = $user->lang['ACP_' . strtoupper($mode) . '_LOGS_EXPLAIN'];

6
phpBB/includes/acp/acp_ranks.php
View File

@@ -70,7 +70,7 @@ class acp_ranks
'rank_title' => $rank_title,
'rank_special' => $special_rank,
'rank_min' => $min_posts,
'rank_image' => htmlspecialchars_decode($rank_image)
'rank_image' => htmlspecialchars_decode($rank_image, ENT_COMPAT)
);
/**
@@ -206,7 +206,7 @@ class acp_ranks
continue;
}
$filename_list .= '<option value="' . htmlspecialchars($img) . '"' . $selected . '>' . $img . ((in_array($img, $existing_imgs)) ? ' ' . $user->lang['RANK_IMAGE_IN_USE'] : '') . '</option>';
$filename_list .= '<option value="' . htmlspecialchars($img, ENT_COMPAT) . '"' . $selected . '>' . $img . ((in_array($img, $existing_imgs)) ? ' ' . $user->lang['RANK_IMAGE_IN_USE'] : '') . '</option>';
}
}
@@ -221,7 +221,7 @@ class acp_ranks
'RANK_TITLE' => (isset($ranks['rank_title'])) ? $ranks['rank_title'] : '',
'S_FILENAME_LIST' => $filename_list,
'RANK_IMAGE' => ($edit_img) ? $phpbb_root_path . $config['ranks_path'] . '/' . $edit_img : htmlspecialchars($phpbb_admin_path) . 'images/spacer.gif',
'RANK_IMAGE' => ($edit_img) ? $phpbb_root_path . $config['ranks_path'] . '/' . $edit_img : htmlspecialchars($phpbb_admin_path, ENT_COMPAT) . 'images/spacer.gif',
'S_SPECIAL_RANK' => (isset($ranks['rank_special']) && $ranks['rank_special']) ? true : false,
'MIN_POSTS' => (isset($ranks['rank_min']) && !$ranks['rank_special']) ? $ranks['rank_min'] : 0,
);

24
phpBB/includes/acp/acp_styles.php
View File

@@ -205,7 +205,7 @@ class acp_styles
{
if (in_array($dir, $this->reserved_style_names))
{
$messages[] = $this->user->lang('STYLE_NAME_RESERVED', htmlspecialchars($dir));
$messages[] = $this->user->lang('STYLE_NAME_RESERVED', htmlspecialchars($dir, ENT_COMPAT));
continue;
}
@@ -225,12 +225,12 @@ class acp_styles
$found = true;
$installed_names[] = $style['style_name'];
$installed_dirs[] = $style['style_path'];
$messages[] = sprintf($this->user->lang['STYLE_INSTALLED'], htmlspecialchars($style['style_name']));
$messages[] = sprintf($this->user->lang['STYLE_INSTALLED'], htmlspecialchars($style['style_name'], ENT_COMPAT));
}
}
if (!$found)
{
$messages[] = sprintf($this->user->lang['STYLE_NOT_INSTALLED'], htmlspecialchars($dir));
$messages[] = sprintf($this->user->lang['STYLE_NOT_INSTALLED'], htmlspecialchars($dir, ENT_COMPAT));
}
}
@@ -598,7 +598,7 @@ class acp_styles
{
$this->template->assign_block_vars('parent_styles', array(
'STYLE_ID' => $row['style_id'],
'STYLE_NAME' => htmlspecialchars($row['style_name']),
'STYLE_NAME' => htmlspecialchars($row['style_name'], ENT_COMPAT),
'LEVEL' => $row['level'],
'SPACER' => str_repeat('&nbsp; ', $row['level']),
)
@@ -609,9 +609,9 @@ class acp_styles
$this->template->assign_vars(array(
'S_STYLE_DETAILS' => true,
'STYLE_ID' => $style['style_id'],
'STYLE_NAME' => htmlspecialchars($style['style_name']),
'STYLE_PATH' => htmlspecialchars($style['style_path']),
'STYLE_VERSION' => htmlspecialchars($style_cfg['style_version']),
'STYLE_NAME' => htmlspecialchars($style['style_name'], ENT_COMPAT),
'STYLE_PATH' => htmlspecialchars($style['style_path'], ENT_COMPAT),
'STYLE_VERSION' => htmlspecialchars($style_cfg['style_version'], ENT_COMPAT),
'STYLE_COPYRIGHT' => strip_tags($style['style_copyright']),
'STYLE_PARENT' => $style['style_parent_id'],
'S_STYLE_ACTIVE' => $style['style_active'],
@@ -657,7 +657,7 @@ class acp_styles
{
if (empty($style['_shown']))
{
$style['_note'] = sprintf($this->user->lang['REQUIRES_STYLE'], htmlspecialchars($style['style_parent_tree']));
$style['_note'] = sprintf($this->user->lang['REQUIRES_STYLE'], htmlspecialchars($style['style_parent_tree'], ENT_COMPAT));
$this->list_style($style, 0);
}
}
@@ -826,7 +826,7 @@ class acp_styles
{
// Parent style is not installed yet
$style['_available'] = false;
$style['_note'] = sprintf($this->user->lang['REQUIRES_STYLE'], htmlspecialchars($parent));
$style['_note'] = sprintf($this->user->lang['REQUIRES_STYLE'], htmlspecialchars($parent, ENT_COMPAT));
}
}
@@ -966,10 +966,10 @@ class acp_styles
$row = array(
// Style data
'STYLE_ID' => $style['style_id'],
'STYLE_NAME' => htmlspecialchars($style['style_name']),
'STYLE_NAME' => htmlspecialchars($style['style_name'], ENT_COMPAT),
'STYLE_VERSION' => $style_cfg['style_version'] ?? '-',
'STYLE_PHPBB_VERSION' => $style_cfg['phpbb_version'],
'STYLE_PATH' => htmlspecialchars($style['style_path']),
'STYLE_PATH' => htmlspecialchars($style['style_path'], ENT_COMPAT),
'STYLE_COPYRIGHT' => strip_tags($style['style_copyright']),
'STYLE_ACTIVE' => $style['style_active'],
@@ -979,7 +979,7 @@ class acp_styles
'LEVEL' => $level,
'PADDING' => (4 + 16 * $level),
'SHOW_COPYRIGHT' => ($style['style_id']) ? false : true,
'STYLE_PATH_FULL' => htmlspecialchars($this->styles_path_absolute . '/' . $style['style_path']) . '/',
'STYLE_PATH_FULL' => htmlspecialchars($this->styles_path_absolute . '/' . $style['style_path'], ENT_COMPAT) . '/',
// Comment to show below style
'COMMENT' => (isset($style['_note'])) ? $style['_note'] : '',

6
phpBB/includes/acp/acp_users.php
View File

@@ -402,8 +402,8 @@ class acp_users
$messenger->anti_abuse_headers($config, $user);
$messenger->assign_vars(array(
'WELCOME_MSG' => htmlspecialchars_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename'])),
'USERNAME' => htmlspecialchars_decode($user_row['username']),
'WELCOME_MSG' => htmlspecialchars_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
'USERNAME' => htmlspecialchars_decode($user_row['username'], ENT_COMPAT),
'U_ACTIVATE' => "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey")
);
@@ -466,7 +466,7 @@ class acp_users
$messenger->anti_abuse_headers($config, $user);
$messenger->assign_vars(array(
'USERNAME' => htmlspecialchars_decode($user_row['username']))
'USERNAME' => htmlspecialchars_decode($user_row['username'], ENT_COMPAT))
);
$messenger->send(NOTIFY_EMAIL);

4
phpBB/includes/acp/auth.php
View File

@@ -488,7 +488,7 @@ class auth_admin extends \phpbb\auth\auth
if ($s_role_options)
{
$s_role_options = '<option value="0"' . ((!$current_role_id) ? ' selected="selected"' : '') . ' title="' . htmlspecialchars($user->lang['NO_ROLE_ASSIGNED_EXPLAIN']) . '">' . $user->lang['NO_ROLE_ASSIGNED'] . '</option>' . $s_role_options;
$s_role_options = '<option value="0"' . ((!$current_role_id) ? ' selected="selected"' : '') . ' title="' . htmlspecialchars($user->lang['NO_ROLE_ASSIGNED_EXPLAIN'], ENT_COMPAT) . '">' . $user->lang['NO_ROLE_ASSIGNED'] . '</option>' . $s_role_options;
}
if (!$current_role_id && $mode != 'view')
@@ -585,7 +585,7 @@ class auth_admin extends \phpbb\auth\auth
if ($s_role_options)
{
$s_role_options = '<option value="0"' . ((!$current_role_id) ? ' selected="selected"' : '') . ' title="' . htmlspecialchars($user->lang['NO_ROLE_ASSIGNED_EXPLAIN']) . '">' . $user->lang['NO_ROLE_ASSIGNED'] . '</option>' . $s_role_options;
$s_role_options = '<option value="0"' . ((!$current_role_id) ? ' selected="selected"' : '') . ' title="' . htmlspecialchars($user->lang['NO_ROLE_ASSIGNED_EXPLAIN'], ENT_COMPAT) . '">' . $user->lang['NO_ROLE_ASSIGNED'] . '</option>' . $s_role_options;
}
if (!$current_role_id && $mode != 'view')