[ticket/16690] Fix htmlspecialchars and htmlspecialchars_decode default flag
PHPBB3-16690
@@ -73,7 +73,7 @@ class apache extends base
|
||||
*/
|
||||
public function init()
|
||||
{
|
||||
if (!$this->request->is_set('PHP_AUTH_USER', request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER')))
|
||||
if (!$this->request->is_set('PHP_AUTH_USER', request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT))
|
||||
{
|
||||
return $this->language->lang('APACHE_SETUP_BEFORE_USE');
|
||||
}
|
||||
@@ -113,8 +113,8 @@ class apache extends base
|
||||
);
|
||||
}
|
||||
|
||||
$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'));
|
||||
$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'));
|
||||
$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
|
||||
$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
|
||||
|
||||
if (!empty($php_auth_user) && !empty($php_auth_pw))
|
||||
{
|
||||
@@ -180,8 +180,8 @@ class apache extends base
|
||||
return array();
|
||||
}
|
||||
|
||||
$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'));
|
||||
$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'));
|
||||
$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
|
||||
$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
|
||||
|
||||
if (!empty($php_auth_user) && !empty($php_auth_pw))
|
||||
{
|
||||
|
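Review bot: The decode of PHP_AUTH_USER in the first hunk, and of PHP_AUTH_USER/PHP_AUTH_PW in the two login hunks, only round-trips if the request layer encoded those values with ENT_COMPAT as well; that encoder is outside this diff, so it is worth confirming rather than assuming. Any value that was encoded under PHP 8.1's default (ENT_QUOTES | ENT_SUBSTITUTE) before this fix keeps `&#039;` after decoding, and a username or password containing a single quote would then fail the `!==` comparison in init() or the bind in ldap. Because decoding with ENT_QUOTES also decodes everything ENT_COMPAT does, `htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'), ENT_QUOTES)` would tolerate both encodings on the decode side if that mismatch is reachable. The same consideration applies to the ldap config values (ldap_user, ldap_password, ldap_base_dn, ldap_uid, ldap_email) and to the messenger hunks in activate, add, notify_user and message; the enclosing methods start and end outside these hunks.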
@@ -83,7 +83,7 @@ class ldap extends base
|
||||
|
||||
if ($this->config['ldap_user'] || $this->config['ldap_password'])
|
||||
{
|
||||
if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user']), htmlspecialchars_decode($this->config['ldap_password'])))
|
||||
if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_password'], ENT_COMPAT)))
|
||||
{
|
||||
return $this->language->lang('LDAP_INCORRECT_USER_PASSWORD');
|
||||
}
|
||||
@@ -92,11 +92,11 @@ class ldap extends base
|
||||
// ldap_connect only checks whether the specified server is valid, so the connection might still fail
|
||||
$search = @ldap_search(
|
||||
$ldap,
|
||||
htmlspecialchars_decode($this->config['ldap_base_dn']),
|
||||
htmlspecialchars_decode($this->config['ldap_base_dn'], ENT_COMPAT),
|
||||
$this->ldap_user_filter($this->user->data['username']),
|
||||
(empty($this->config['ldap_email'])) ?
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'])) :
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid']), htmlspecialchars_decode($this->config['ldap_email'])),
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT)) :
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)),
|
||||
0,
|
||||
1
|
||||
);
|
||||
@@ -180,7 +180,7 @@ class ldap extends base
|
||||
|
||||
if ($this->config['ldap_user'] || $this->config['ldap_password'])
|
||||
{
|
||||
if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user']), htmlspecialchars_decode($this->config['ldap_password'])))
|
||||
if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_password'], ENT_COMPAT)))
|
||||
{
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_EXTERNAL_AUTH,
|
||||
@@ -192,11 +192,11 @@ class ldap extends base
|
||||
|
||||
$search = @ldap_search(
|
||||
$ldap,
|
||||
htmlspecialchars_decode($this->config['ldap_base_dn']),
|
||||
htmlspecialchars_decode($this->config['ldap_base_dn'], ENT_COMPAT),
|
||||
$this->ldap_user_filter($username),
|
||||
(empty($this->config['ldap_email'])) ?
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'])) :
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid']), htmlspecialchars_decode($this->config['ldap_email'])),
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT)) :
|
||||
array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)),
|
||||
0,
|
||||
1
|
||||
);
|
||||
@@ -205,7 +205,7 @@ class ldap extends base
|
||||
|
||||
if (is_array($ldap_result) && count($ldap_result) > 1)
|
||||
{
|
||||
if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password)))
|
||||
if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password, ENT_COMPAT)))
|
||||
{
|
||||
@ldap_close($ldap);
|
||||
|
||||
@@ -257,7 +257,7 @@ class ldap extends base
|
||||
$ldap_user_row = array(
|
||||
'username' => $username,
|
||||
'user_password' => '',
|
||||
'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'])][0]) : '',
|
||||
'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)][0]) : '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
'user_ip' => $this->user->ip,
|
||||
@@ -337,7 +337,7 @@ class ldap extends base
|
||||
*/
|
||||
private function ldap_user_filter($username)
|
||||
{
|
||||
$filter = '(' . $this->config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username)) . ')';
|
||||
$filter = '(' . $this->config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username, ENT_COMPAT)) . ')';
|
||||
if ($this->config['ldap_user_filter'])
|
||||
{
|
||||
$_filter = ($this->config['ldap_user_filter'][0] == '(' && substr($this->config['ldap_user_filter'], -1) == ')') ? $this->config['ldap_user_filter'] : "({$this->config['ldap_user_filter']})";
|
||||
|
@@ -209,7 +209,7 @@ class activate extends command
|
||||
$messenger->set_addresses($user_row);
|
||||
$messenger->anti_abuse_headers($this->config, $this->user);
|
||||
$messenger->assign_vars(array(
|
||||
'USERNAME' => htmlspecialchars_decode($user_row['username']))
|
||||
'USERNAME' => htmlspecialchars_decode($user_row['username'], ENT_COMPAT))
|
||||
);
|
||||
|
||||
$messenger->send(NOTIFY_EMAIL);
|
||||
|
@@ -312,9 +312,9 @@ class add extends command
|
||||
$messenger->to($this->data['email'], $this->data['username']);
|
||||
$messenger->anti_abuse_headers($this->config, $this->user);
|
||||
$messenger->assign_vars(array(
|
||||
'WELCOME_MSG' => htmlspecialchars_decode($this->language->lang('WELCOME_SUBJECT', $this->config['sitename'])),
|
||||
'USERNAME' => htmlspecialchars_decode($this->data['username']),
|
||||
'PASSWORD' => htmlspecialchars_decode($this->data['new_password']),
|
||||
'WELCOME_MSG' => htmlspecialchars_decode($this->language->lang('WELCOME_SUBJECT', $this->config['sitename']), ENT_COMPAT),
|
||||
'USERNAME' => htmlspecialchars_decode($this->data['username'], ENT_COMPAT),
|
||||
'PASSWORD' => htmlspecialchars_decode($this->data['new_password'], ENT_COMPAT),
|
||||
'U_ACTIVATE' => generate_board_url() . "/ucp.{$this->php_ext}?mode=activate&u=$user_id&k=$user_actkey")
|
||||
);
|
||||
|
||||
|
@@ -983,7 +983,7 @@ abstract class driver implements driver_interface
|
||||
// The DEBUG constant is for development only!
|
||||
if ((isset($auth) && $auth->acl_get('a_')) || defined('IN_INSTALL') || $this->debug_sql_explain)
|
||||
{
|
||||
$message .= ($sql) ? '<br /><br />SQL<br /><br />' . htmlspecialchars($sql) : '';
|
||||
$message .= ($sql) ? '<br /><br />SQL<br /><br />' . htmlspecialchars($sql, ENT_COMPAT) : '';
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -997,7 +997,7 @@ abstract class driver implements driver_interface
|
||||
{
|
||||
if (!empty($config['board_contact']))
|
||||
{
|
||||
$message .= '<br /><br />' . sprintf($user->lang['SQL_ERROR_OCCURRED'], '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">', '</a>');
|
||||
$message .= '<br /><br />' . sprintf($user->lang['SQL_ERROR_OCCURRED'], '<a href="mailto:' . htmlspecialchars($config['board_contact'], ENT_COMPAT) . '">', '</a>');
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1061,7 +1061,7 @@ abstract class driver implements driver_interface
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||
<title>SQL Report</title>
|
||||
<link href="' . htmlspecialchars($phpbb_path_helper->update_web_root_path($phpbb_root_path) . $phpbb_path_helper->get_adm_relative_path()) . 'style/admin.css" rel="stylesheet" type="text/css" media="screen" />
|
||||
<link href="' . htmlspecialchars($phpbb_path_helper->update_web_root_path($phpbb_root_path) . $phpbb_path_helper->get_adm_relative_path(), ENT_COMPAT) . 'style/admin.css" rel="stylesheet" type="text/css" media="screen" />
|
||||
</head>
|
||||
<body id="errorpage">
|
||||
<div id="wrap">
|
||||
@@ -1111,7 +1111,7 @@ abstract class driver implements driver_interface
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="row3"><textarea style="font-family:\'Courier New\',monospace;width:99%" rows="5" cols="10">' . preg_replace('/\t(AND|OR)(\W)/', "\$1\$2", htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n", $query))) . '</textarea></td>
|
||||
<td class="row3"><textarea style="font-family:\'Courier New\',monospace;width:99%" rows="5" cols="10">' . preg_replace('/\t(AND|OR)(\W)/', "\$1\$2", htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n", $query), ENT_COMPAT)) . '</textarea></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@@ -1132,7 +1132,7 @@ abstract class driver implements driver_interface
|
||||
else
|
||||
{
|
||||
$error = $this->sql_error();
|
||||
$this->sql_report .= '<b style="color: red">FAILED</b> - ' . $this->sql_layer . ' Error ' . $error['code'] . ': ' . htmlspecialchars($error['message']);
|
||||
$this->sql_report .= '<b style="color: red">FAILED</b> - ' . $this->sql_layer . ' Error ' . $error['code'] . ': ' . htmlspecialchars($error['message'], ENT_COMPAT);
|
||||
}
|
||||
|
||||
$this->sql_report .= '</p><br /><br />';
|
||||
@@ -1197,7 +1197,7 @@ abstract class driver implements driver_interface
|
||||
$color = ($time_db > $time_cache) ? 'green' : 'red';
|
||||
|
||||
$this->sql_report .= '<table cellspacing="1"><thead><tr><th>Query results obtained from the cache</th></tr></thead><tbody><tr>';
|
||||
$this->sql_report .= '<td class="row3"><textarea style="font-family:\'Courier New\',monospace;width:99%" rows="5" cols="10">' . preg_replace('/\t(AND|OR)(\W)/', "\$1\$2", htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n", $query))) . '</textarea></td></tr></tbody></table>';
|
||||
$this->sql_report .= '<td class="row3"><textarea style="font-family:\'Courier New\',monospace;width:99%" rows="5" cols="10">' . preg_replace('/\t(AND|OR)(\W)/', "\$1\$2", htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n", $query), ENT_COMPAT)) . '</textarea></td></tr></tbody></table>';
|
||||
$this->sql_report .= '<p style="text-align: center;">';
|
||||
$this->sql_report .= 'Before: ' . sprintf('%.5f', $this->curtime - $starttime) . 's | After: ' . sprintf('%.5f', $endtime - $starttime) . 's | Elapsed [cache]: <b style="color: ' . $color . '">' . sprintf('%.5f', ($time_cache)) . 's</b> | Elapsed [db]: <b>' . sprintf('%.5f', $time_db) . 's</b></p><br /><br />';
|
||||
|
||||
|
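Review bot: `htmlspecialchars($sql, ENT_COMPAT)` in the first hunk and `htmlspecialchars($error['message'], ENT_COMPAT)` in the @@ -1132 hunk pin the flags without ENT_SUBSTITUTE, so a query or driver error text that is not valid UTF-8 makes htmlspecialchars return an empty string and the report silently drops the one piece of text a maintainer needs. That was also the pre-8.1 behaviour, but now that the flags are spelled out per call this is the moment to choose; `ENT_COMPAT | ENT_SUBSTITUTE` keeps single quotes unescaped as intended and substitutes U+FFFD for bad sequences instead of blanking the string. The same applies to the other encode-side calls in this commit: sanitize_json in metadata_manager, lang_english_name in add_languages, the session hunks at @@ -83, -148, -455 and -1584, and the style values in user. The enclosing methods start and end outside these hunks.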
@@ -117,7 +117,7 @@ class metadata_manager
|
||||
*/
|
||||
public function sanitize_json(&$value, $key)
|
||||
{
|
||||
$value = htmlspecialchars($value);
|
||||
$value = htmlspecialchars($value, ENT_COMPAT);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@@ -418,7 +418,7 @@ class ajax_iohandler extends iohandler_base
|
||||
|
||||
if ($msg !== null)
|
||||
{
|
||||
$link_properties['msg'] = htmlspecialchars_decode($this->language->lang($msg));
|
||||
$link_properties['msg'] = htmlspecialchars_decode($this->language->lang($msg), ENT_COMPAT);
|
||||
}
|
||||
|
||||
$this->download[] = $link_properties;
|
||||
|
@@ -108,7 +108,7 @@ abstract class iohandler_base implements iohandler_interface
|
||||
{
|
||||
if (!is_array($error_title) && strpos($error_title, '<br />') !== false)
|
||||
{
|
||||
$error_title = strip_tags(htmlspecialchars_decode($error_title));
|
||||
$error_title = strip_tags(htmlspecialchars_decode($error_title, ENT_COMPAT));
|
||||
}
|
||||
$this->errors[] = $this->translate_message($error_title, $error_description);
|
||||
}
|
||||
|
@@ -63,7 +63,7 @@ class add_languages extends \phpbb\install\task_base
|
||||
$lang_pack = array(
|
||||
'lang_iso' => $lang_info['iso'],
|
||||
'lang_dir' => $lang_info['iso'],
|
||||
'lang_english_name' => htmlspecialchars($lang_info['name']),
|
||||
'lang_english_name' => htmlspecialchars($lang_info['name'], ENT_COMPAT),
|
||||
'lang_local_name' => htmlspecialchars($lang_info['local_name'], ENT_COMPAT, 'UTF-8'),
|
||||
'lang_author' => htmlspecialchars($lang_info['author'], ENT_COMPAT, 'UTF-8'),
|
||||
);
|
||||
|
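Review bot: In the lang_pack array, `'lang_english_name' => htmlspecialchars($lang_info['name'], ENT_COMPAT)` now sits directly above two siblings that spell the encoding out (`ENT_COMPAT, 'UTF-8'`), so within one literal one field relies on default_charset and the other two do not. Either pass the charset here as well, `'lang_english_name' => htmlspecialchars($lang_info['name'], ENT_COMPAT, 'UTF-8'),`, or drop it from lang_local_name and lang_author so the three lines read the same; on supported PHP versions default_charset is UTF-8, so either choice is behaviour-neutral. Separately, without ENT_SUBSTITUTE a pack name that is not valid UTF-8 is stored as an empty string rather than being reported. The enclosing method starts and ends outside this hunk.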
@@ -120,8 +120,8 @@ class notify_user extends \phpbb\install\task_base
|
||||
$messenger->to($this->config['board_email'], $this->install_config->get('admin_name'));
|
||||
$messenger->anti_abuse_headers($this->config, $this->user);
|
||||
$messenger->assign_vars(array(
|
||||
'USERNAME' => htmlspecialchars_decode($this->install_config->get('admin_name')),
|
||||
'PASSWORD' => htmlspecialchars_decode($this->install_config->get('admin_passwd')))
|
||||
'USERNAME' => htmlspecialchars_decode($this->install_config->get('admin_name'), ENT_COMPAT),
|
||||
'PASSWORD' => htmlspecialchars_decode($this->install_config->get('admin_passwd'), ENT_COMPAT))
|
||||
);
|
||||
$messenger->send(NOTIFY_EMAIL);
|
||||
}
|
||||
|
@@ -57,7 +57,7 @@ class obtain_server_data extends \phpbb\install\task_base implements \phpbb\inst
|
||||
$server_name = strtolower(htmlspecialchars_decode($this->io_handler->get_header_variable(
|
||||
'Host',
|
||||
$this->io_handler->get_server_variable('SERVER_NAME')
|
||||
)));
|
||||
), ENT_COMPAT));
|
||||
|
||||
// HTTP HOST can carry a port number...
|
||||
if (strpos($server_name, ':') !== false)
|
||||
@@ -65,11 +65,11 @@ class obtain_server_data extends \phpbb\install\task_base implements \phpbb\inst
|
||||
$server_name = substr($server_name, 0, strpos($server_name, ':'));
|
||||
}
|
||||
|
||||
$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('PHP_SELF'));
|
||||
$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('PHP_SELF'), ENT_COMPAT);
|
||||
|
||||
if (!$script_path)
|
||||
{
|
||||
$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('REQUEST_URI'));
|
||||
$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('REQUEST_URI'), ENT_COMPAT);
|
||||
}
|
||||
|
||||
$script_path = str_replace(array('\\', '//'), '/', $script_path);
|
||||
|
@@ -87,7 +87,7 @@ class obtain_update_ftp_data extends task_base
|
||||
|
||||
$ftp_host = $this->iohandler->get_input('ftp_host', '', true);
|
||||
$ftp_user = $this->iohandler->get_input('ftp_user', '', true);
|
||||
$ftp_pass = htmlspecialchars_decode($this->iohandler->get_input('ftp_pass', '', true));
|
||||
$ftp_pass = htmlspecialchars_decode($this->iohandler->get_input('ftp_pass', '', true), ENT_COMPAT);
|
||||
$ftp_path = $this->iohandler->get_input('ftp_path', '', true);
|
||||
$ftp_port = $this->iohandler->get_input('ftp_port', 21);
|
||||
$ftp_time = $this->iohandler->get_input('ftp_timeout', 10);
|
||||
|
@@ -262,13 +262,13 @@ class message
|
||||
$messenger->headers('X-AntiAbuse: Username - ' . $this->sender_username);
|
||||
}
|
||||
|
||||
$messenger->subject(htmlspecialchars_decode($this->subject));
|
||||
$messenger->subject(htmlspecialchars_decode($this->subject, ENT_COMPAT));
|
||||
|
||||
$messenger->assign_vars(array(
|
||||
'BOARD_CONTACT' => $contact,
|
||||
'TO_USERNAME' => htmlspecialchars_decode($recipient['to_name']),
|
||||
'FROM_USERNAME' => htmlspecialchars_decode($this->sender_name),
|
||||
'MESSAGE' => htmlspecialchars_decode($this->body))
|
||||
'TO_USERNAME' => htmlspecialchars_decode($recipient['to_name'], ENT_COMPAT),
|
||||
'FROM_USERNAME' => htmlspecialchars_decode($this->sender_name, ENT_COMPAT),
|
||||
'MESSAGE' => htmlspecialchars_decode($this->body, ENT_COMPAT))
|
||||
);
|
||||
|
||||
if (count($this->template_vars))
|
||||
|
@@ -122,7 +122,7 @@ class topic_form extends form
|
||||
|
||||
$this->message->set_template('email_notify');
|
||||
$this->message->set_template_vars(array(
|
||||
'TOPIC_NAME' => htmlspecialchars_decode($this->topic_row['topic_title']),
|
||||
'TOPIC_NAME' => htmlspecialchars_decode($this->topic_row['topic_title'], ENT_COMPAT),
|
||||
'U_TOPIC' => generate_board_url() . '/viewtopic.' . $this->phpEx . '?f=' . $this->topic_row['forum_id'] . '&t=' . $this->topic_id,
|
||||
));
|
||||
$this->message->set_body($this->body);
|
||||
|
@@ -150,7 +150,7 @@ class admin_activate_user extends \phpbb\notification\type\base
|
||||
$username = $this->user_loader->get_username($this->item_id, 'username');
|
||||
|
||||
return array(
|
||||
'USERNAME' => htmlspecialchars_decode($username),
|
||||
'USERNAME' => htmlspecialchars_decode($username, ENT_COMPAT),
|
||||
'U_USER_DETAILS' => "{$board_url}/memberlist.{$this->php_ext}?mode=viewprofile&u={$this->item_id}",
|
||||
'U_ACTIVATE' => "{$board_url}/ucp.{$this->php_ext}?mode=activate&u={$this->item_id}&k={$this->get_data('user_actkey')}",
|
||||
);
|
||||
|
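Review bot: The decode flag is now a bare literal on every line of the returned array here and in each other notification type in this commit (disapprove_post, disapprove_topic, forum, group_request, pm, post, quote, report_pm, report_pm_closed, report_post, report_post_closed, topic), so any later change — say, decoding `&#039;` as well with ENT_QUOTES — means editing every one of these call sites again. A small protected helper on the shared notification base that wraps htmlspecialchars_decode with the chosen flag, or a class constant holding the flag, would keep the choice in one place and shorten these lines. Behaviour is unchanged either way; this is purely about how the change is written. The enclosing method starts outside this hunk.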
@@ -120,7 +120,7 @@ class disapprove_post extends \phpbb\notification\type\approve_post
|
||||
public function get_email_template_variables()
|
||||
{
|
||||
return array_merge(parent::get_email_template_variables(), array(
|
||||
'REASON' => htmlspecialchars_decode($this->get_data('disapprove_reason')),
|
||||
'REASON' => htmlspecialchars_decode($this->get_data('disapprove_reason'), ENT_COMPAT),
|
||||
));
|
||||
}
|
||||
|
||||
|
@@ -120,7 +120,7 @@ class disapprove_topic extends \phpbb\notification\type\approve_topic
|
||||
public function get_email_template_variables()
|
||||
{
|
||||
return array_merge(parent::get_email_template_variables(), array(
|
||||
'REASON' => htmlspecialchars_decode($this->get_data('disapprove_reason')),
|
||||
'REASON' => htmlspecialchars_decode($this->get_data('disapprove_reason'), ENT_COMPAT),
|
||||
));
|
||||
}
|
||||
|
||||
|
@@ -130,10 +130,10 @@ class forum extends \phpbb\notification\type\post
|
||||
}
|
||||
|
||||
return [
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username),
|
||||
'FORUM_NAME' => htmlspecialchars_decode(censor_text($this->get_data('forum_name'))),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject'))),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username, ENT_COMPAT),
|
||||
'FORUM_NAME' => htmlspecialchars_decode(censor_text($this->get_data('forum_name')), ENT_COMPAT),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject')), ENT_COMPAT),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_POST' => generate_board_url() . "/viewtopic.{$this->php_ext}?p={$this->item_id}#p{$this->item_id}",
|
||||
'U_NEWEST_POST' => generate_board_url() . "/viewtopic.{$this->php_ext}?f={$this->get_data('forum_id')}&t={$this->item_parent_id}&e=1&view=unread#unread",
|
||||
|
@@ -133,8 +133,8 @@ class group_request extends \phpbb\notification\type\base
|
||||
$user_data = $this->user_loader->get_user($this->item_id);
|
||||
|
||||
return array(
|
||||
'GROUP_NAME' => htmlspecialchars_decode($this->get_data('group_name')),
|
||||
'REQUEST_USERNAME' => htmlspecialchars_decode($user_data['username']),
|
||||
'GROUP_NAME' => htmlspecialchars_decode($this->get_data('group_name'), ENT_COMPAT),
|
||||
'REQUEST_USERNAME' => htmlspecialchars_decode($user_data['username'], ENT_COMPAT),
|
||||
|
||||
'U_PENDING' => generate_board_url() . "/ucp.{$this->php_ext}?i=groups&mode=manage&action=list&g={$this->item_parent_id}",
|
||||
'U_GROUP' => generate_board_url() . "/memberlist.{$this->php_ext}?mode=group&g={$this->item_parent_id}",
|
||||
|
@@ -164,8 +164,8 @@ class pm extends \phpbb\notification\type\base
|
||||
$user_data = $this->user_loader->get_user($this->get_data('from_user_id'));
|
||||
|
||||
return array(
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username']),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username'], ENT_COMPAT),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_MESSAGE' => generate_board_url() . '/ucp.' . $this->php_ext . "?i=pm&mode=view&p={$this->item_id}",
|
||||
);
|
||||
|
@@ -262,9 +262,9 @@ class post extends \phpbb\notification\type\base
|
||||
}
|
||||
|
||||
return array(
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject'))),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username, ENT_COMPAT),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject')), ENT_COMPAT),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_POST' => generate_board_url() . "/viewtopic.{$this->php_ext}?p={$this->item_id}#p{$this->item_id}",
|
||||
'U_NEWEST_POST' => generate_board_url() . "/viewtopic.{$this->php_ext}?f={$this->get_data('forum_id')}&t={$this->item_parent_id}&e=1&view=unread#unread",
|
||||
|
@@ -168,7 +168,7 @@ class quote extends \phpbb\notification\type\post
|
||||
$user_data = $this->user_loader->get_user($this->get_data('poster_id'));
|
||||
|
||||
return array_merge(parent::get_email_template_variables(), array(
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username']),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username'], ENT_COMPAT),
|
||||
));
|
||||
}
|
||||
|
||||
|
@@ -143,11 +143,11 @@ class report_pm extends \phpbb\notification\type\pm
|
||||
$user_data = $this->user_loader->get_user($this->get_data('from_user_id'));
|
||||
|
||||
return [
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username']),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($user_data['username'], ENT_COMPAT),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject')), ENT_COMPAT),
|
||||
|
||||
/** @deprecated 3.2.6-RC1 (to be removed in 4.0.0) use {SUBJECT} instead in report_pm.txt */
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('message_subject'))),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('message_subject')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_REPORT' => generate_board_url() . "/mcp.{$this->php_ext}?r={$this->item_parent_id}&i=pm_reports&mode=pm_report_details",
|
||||
];
|
||||
|
@@ -104,9 +104,9 @@ class report_pm_closed extends \phpbb\notification\type\pm
|
||||
$closer_data = $this->user_loader->get_username($this->get_data('closer_id'), 'username');
|
||||
|
||||
return [
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($sender_data['username']),
|
||||
'CLOSER_NAME' => htmlspecialchars_decode($closer_data['username']),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($sender_data['username'], ENT_COMPAT),
|
||||
'CLOSER_NAME' => htmlspecialchars_decode($closer_data['username'], ENT_COMPAT),
|
||||
'SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('message_subject')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_MESSAGE'=> generate_board_url() . "/ucp.{$this->php_ext}?i=pm&mode=view&p={$this->item_id}",
|
||||
];
|
||||
|
@@ -110,8 +110,8 @@ class report_post extends \phpbb\notification\type\post_in_queue
|
||||
$board_url = generate_board_url();
|
||||
|
||||
return array(
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject'))),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title'))),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject')), ENT_COMPAT),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_REPORT' => "{$board_url}/mcp.{$this->php_ext}?f={$this->get_data('forum_id')}&p={$this->item_id}&i=reports&mode=report_details#reports",
|
||||
'U_VIEW_POST' => "{$board_url}/viewtopic.{$this->php_ext}?p={$this->item_id}#p{$this->item_id}",
|
||||
|
@@ -111,10 +111,10 @@ class report_post_closed extends \phpbb\notification\type\post
|
||||
$closer_username = $this->user_loader->get_username($this->get_data('closer_id'), 'username');
|
||||
|
||||
return [
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($post_username),
|
||||
'CLOSER_NAME' => htmlspecialchars_decode($closer_username),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject'))),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($post_username, ENT_COMPAT),
|
||||
'CLOSER_NAME' => htmlspecialchars_decode($closer_username, ENT_COMPAT),
|
||||
'POST_SUBJECT' => htmlspecialchars_decode(censor_text($this->get_data('post_subject')), ENT_COMPAT),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title')), ENT_COMPAT),
|
||||
|
||||
'U_VIEW_POST' => generate_board_url() . "/viewtopic.{$this->php_ext}?p={$this->item_id}#p{$this->item_id}",
|
||||
];
|
||||
|
@@ -217,9 +217,9 @@ class topic extends \phpbb\notification\type\base
|
||||
}
|
||||
|
||||
return array(
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username),
|
||||
'FORUM_NAME' => htmlspecialchars_decode($this->get_data('forum_name')),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title'))),
|
||||
'AUTHOR_NAME' => htmlspecialchars_decode($username, ENT_COMPAT),
|
||||
'FORUM_NAME' => htmlspecialchars_decode($this->get_data('forum_name'), ENT_COMPAT),
|
||||
'TOPIC_TITLE' => htmlspecialchars_decode(censor_text($this->get_data('topic_title')), ENT_COMPAT),
|
||||
|
||||
'U_TOPIC' => "{$board_url}/viewtopic.{$this->php_ext}?f={$this->item_parent_id}&t={$this->item_id}",
|
||||
'U_VIEW_TOPIC' => "{$board_url}/viewtopic.{$this->php_ext}?f={$this->item_parent_id}&t={$this->item_id}",
|
||||
|
@@ -163,7 +163,7 @@ class plupload
|
||||
'S_PLUPLOAD' => true,
|
||||
'FILTERS' => $filters,
|
||||
'CHUNK_SIZE' => $chunk_size,
|
||||
'S_PLUPLOAD_URL' => htmlspecialchars_decode($s_action),
|
||||
'S_PLUPLOAD_URL' => htmlspecialchars_decode($s_action, ENT_COMPAT),
|
||||
'MAX_ATTACHMENTS' => $max_files,
|
||||
'ATTACH_ORDER' => ($this->config['display_order']) ? 'asc' : 'desc',
|
||||
'L_TOO_MANY_ATTACHMENTS' => $this->user->lang('TOO_MANY_ATTACHMENTS', $max_files),
|
||||
|
@@ -232,7 +232,7 @@ class fulltext_mysql extends \phpbb\search\base
|
||||
}
|
||||
|
||||
// Filter out as above
|
||||
$split_keywords = preg_replace("#[\n\r\t]+#", ' ', trim(htmlspecialchars_decode($keywords)));
|
||||
$split_keywords = preg_replace("#[\n\r\t]+#", ' ', trim(htmlspecialchars_decode($keywords, ENT_COMPAT)));
|
||||
|
||||
// Split words
|
||||
$split_keywords = preg_replace('#([^\p{L}\p{N}\'*"()])#u', '$1$1', str_replace('\'\'', '\' \'', trim($split_keywords)));
|
||||
@@ -597,7 +597,7 @@ class fulltext_mysql extends \phpbb\search\base
|
||||
|
||||
$sql = "SELECT $sql_select
|
||||
FROM $sql_from$sql_sort_table" . POSTS_TABLE . " p
|
||||
WHERE MATCH ($sql_match) AGAINST ('" . $this->db->sql_escape(htmlspecialchars_decode($this->search_query)) . "' IN BOOLEAN MODE)
|
||||
WHERE MATCH ($sql_match) AGAINST ('" . $this->db->sql_escape(htmlspecialchars_decode($this->search_query, ENT_COMPAT)) . "' IN BOOLEAN MODE)
|
||||
$sql_where_options
|
||||
ORDER BY $sql_sort";
|
||||
$this->db->sql_return_on_error(true);
|
||||
|
@@ -204,7 +204,7 @@ class fulltext_postgres extends \phpbb\search\base
|
||||
}
|
||||
|
||||
// Filter out as above
|
||||
$split_keywords = preg_replace("#[\"\n\r\t]+#", ' ', trim(htmlspecialchars_decode($keywords)));
|
||||
$split_keywords = preg_replace("#[\"\n\r\t]+#", ' ', trim(htmlspecialchars_decode($keywords, ENT_COMPAT)));
|
||||
|
||||
// Split words
|
||||
$split_keywords = preg_replace('#([^\p{L}\p{N}\'*"()])#u', '$1$1', str_replace('\'\'', '\' \'', trim($split_keywords)));
|
||||
|
@@ -1045,7 +1045,7 @@ class fulltext_sphinx
|
||||
</dl>
|
||||
<dl>
|
||||
<dt><label for="fulltext_sphinx_config_file">' . $this->user->lang['FULLTEXT_SPHINX_CONFIG_FILE'] . $this->user->lang['COLON'] . '</label><br /><span>' . $this->user->lang['FULLTEXT_SPHINX_CONFIG_FILE_EXPLAIN'] . '</span></dt>
|
||||
<dd>' . (($this->config_generate()) ? '<textarea readonly="readonly" rows="6" id="sphinx_config_data">' . htmlspecialchars($this->config_file_data) . '</textarea>' : $this->config_file_data) . '</dd>
|
||||
<dd>' . (($this->config_generate()) ? '<textarea readonly="readonly" rows="6" id="sphinx_config_data">' . htmlspecialchars($this->config_file_data, ENT_COMPAT) . '</textarea>' : $this->config_file_data) . '</dd>
|
||||
<dl>
|
||||
';
|
||||
|
||||
|
@@ -49,7 +49,7 @@ class session
|
||||
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
|
||||
if (!$script_name)
|
||||
{
|
||||
$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
|
||||
$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'), ENT_COMPAT);
|
||||
$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
|
||||
$page_array['failover'] = 1;
|
||||
}
|
||||
@@ -83,7 +83,7 @@ class session
|
||||
|
||||
// basenamed page name (for example: index.php)
|
||||
$page_name = (substr($script_name, -1, 1) == '/') ? '' : basename($script_name);
|
||||
$page_name = urlencode(htmlspecialchars($page_name));
|
||||
$page_name = urlencode(htmlspecialchars($page_name, ENT_COMPAT));
|
||||
|
||||
$symfony_request_path = $phpbb_filesystem->clean_path($symfony_request->getPathInfo());
|
||||
if ($symfony_request_path !== '/')
|
||||
@@ -148,8 +148,8 @@ class session
|
||||
'page_dir' => $page_dir,
|
||||
|
||||
'query_string' => $query_string,
|
||||
'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path)),
|
||||
'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)),
|
||||
'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path, ENT_COMPAT)),
|
||||
'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path, ENT_COMPAT)),
|
||||
|
||||
'page' => $page,
|
||||
'forum' => $forum_id,
|
||||
@@ -166,7 +166,7 @@ class session
|
||||
global $config, $request;
|
||||
|
||||
// Get hostname
|
||||
$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')));
|
||||
$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);
|
||||
|
||||
// Should be a string and lowered
|
||||
$host = (string) strtolower($host);
|
||||
@@ -289,7 +289,7 @@ class session
|
||||
|
||||
// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
|
||||
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
|
||||
$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
|
||||
$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);
|
||||
$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));
|
||||
|
||||
/**
|
||||
@@ -455,8 +455,8 @@ class session
|
||||
$s_ip,
|
||||
$u_browser,
|
||||
$s_browser,
|
||||
htmlspecialchars($u_forwarded_for),
|
||||
htmlspecialchars($s_forwarded_for)
|
||||
htmlspecialchars($u_forwarded_for, ENT_COMPAT),
|
||||
htmlspecialchars($s_forwarded_for, ENT_COMPAT)
|
||||
));
|
||||
}
|
||||
else
|
||||
@@ -1584,7 +1584,7 @@ class session
|
||||
return true;
|
||||
}
|
||||
|
||||
$host = htmlspecialchars($this->host);
|
||||
$host = htmlspecialchars($this->host, ENT_COMPAT);
|
||||
$ref = substr($this->referer, strpos($this->referer, '://') + 3);
|
||||
|
||||
if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0)))
|
||||
|
@@ -227,7 +227,7 @@ class data_access
|
||||
{
|
||||
foreach ($columns as $column)
|
||||
{
|
||||
$row[$column] = htmlspecialchars_decode($row[$column]);
|
||||
$row[$column] = htmlspecialchars_decode($row[$column], ENT_COMPAT);
|
||||
}
|
||||
}
|
||||
|
||||
|
@@ -118,7 +118,7 @@ class reset_password
|
||||
if (!$this->config['allow_password_reset'])
|
||||
{
|
||||
throw new http_exception(Response::HTTP_OK, 'UCP_PASSWORD_RESET_DISABLED', [
|
||||
'<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">',
|
||||
'<a href="mailto:' . htmlspecialchars($this->config['board_contact'], ENT_COMPAT) . '">',
|
||||
'</a>'
|
||||
]);
|
||||
}
|
||||
@@ -265,7 +265,7 @@ class reset_password
|
||||
$messenger->anti_abuse_headers($this->config, $this->user);
|
||||
|
||||
$messenger->assign_vars([
|
||||
'USERNAME' => htmlspecialchars_decode($user_row['username']),
|
||||
'USERNAME' => htmlspecialchars_decode($user_row['username'], ENT_COMPAT),
|
||||
'U_RESET_PASSWORD' => generate_board_url(true) . $this->helper->route('phpbb_ucp_reset_password_controller', [
|
||||
'u' => $user_row['user_id'],
|
||||
'token' => $reset_token,
|
||||
|
@@ -326,7 +326,7 @@ class user extends \phpbb\session
|
||||
|
||||
if (is_string($default_value))
|
||||
{
|
||||
$this->style[$key] = htmlspecialchars($this->style[$key]);
|
||||
$this->style[$key] = htmlspecialchars($this->style[$key], ENT_COMPAT);
|
||||
}
|
||||
}
|
||||
|
||||
|