mirror_php/formwork
1
0
Fork 0
mirror of https://github.com/getformwork/formwork.git synced 2025-01-17 21:49:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix Admin output escaping

Browse Source
This commit is contained in:
Giuseppe Criscione 2018-07-31 12:09:17 +02:00
parent c289e2747c
commit e24c6d7026
7 changed files with 17 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
admin/src/Controllers/AbstractController.php
View File

@ -94,6 +94,11 @@ abstract class AbstractController
return Formwork::instance()->option($option);
}
protected function escape($string)
{
return htmlspecialchars($string, ENT_COMPAT | ENT_SUBSTITUTE);
}
protected function field($field, $render = true)
{
return $this->view('fields.' . $field->type(), array('field' => $field), $render);

4
admin/views/admin.php
View File

@ -37,8 +37,8 @@
<img src="<?= $this->user()->avatar()->uri() ?>" alt="">
</div>
<div class="admin-user-details">
<div class="admin-user-fullname"><?= $this->user()->fullname() ?></div>
<div class="admin-user-username"><?= $this->user()->username() ?></div>
<div class="admin-user-fullname"><?= $this->escape($this->user()->fullname()) ?></div>
<div class="admin-user-username"><?= $this->escape($this->user()->username()) ?></div>
</div>
</div>
</a>

2
admin/views/dashboard/index.php
View File

@ -13,7 +13,7 @@
<div class="col-m-7-12">
<div class="component">
<h3 class="caption"><?= $this->label('dashboard.statistics') ?></h3>
<div class="ct-chart" data-chart-data="<?= htmlspecialchars(json_encode($statistics)); ?>"></div>
<div class="ct-chart" data-chart-data="<?= $this->escape(json_encode($statistics)); ?>"></div>
</div>
</div>
</div>

4
admin/views/pages/editor.php
View File

@ -4,7 +4,7 @@
<div class="col-l-3-4">
<div class="component">
<h3 class="caption"><?= $this->label('pages.content') ?></h3>
<input class="title-input" id="title" type="text" name="title" tabindex="1" value="<?= htmlspecialchars($page->title()) ?>" required autocomplete="off">
<input class="title-input" id="title" type="text" name="title" tabindex="1" value="<?= $this->escape($page->title()) ?>" required autocomplete="off">
<div class="page-info">
<div class="page-uri">
<a <?php if ($page->published() && $page->routable()): ?>href="<?= $this->pageUri($page) ?>"<?php endif; ?> target="_blank"><?= $page->slug() ?></a>
@ -21,7 +21,7 @@
<button class="toolbar-button" tabindex="-1" data-command="image" title="<?= $this->label('pages.editor.image') ?>" type="button"><span class="i-image"></span></button>
<button class="toolbar-button" tabindex="-1" data-command="summary" title="<?= $this->label('pages.editor.summary') ?>" type="button"><span class="i-read-more-alt"></span></button>
</div>
<textarea tabindex="2" class="editor-textarea" id="content" name="content" autocomplete="off"><?= htmlspecialchars($page->rawContent()) ?></textarea>
<textarea tabindex="2" class="editor-textarea" id="content" name="content" autocomplete="off"><?= $this->escape($page->rawContent()) ?></textarea>
<input type="hidden" name="csrf-token" value="<?= $csrfToken ?>">
<button class="button-accent button-save button-right" type="submit" tabindex="4" data-command="save"><i class="i-check"></i> <?= $this->label('pages.save') ?></button>
<button class="button-link button-right" tabindex="-1" type="button" data-modal="deletePageModal" data-modal-action="<?= $this->uri('/pages/' . trim($page->slug(), '/') . '/delete/') ?>" title="<?= $this->label('pages.delete-page') ?>" <?php if (!$page->isDeletable()): ?> disabled<?php endif; ?>><i class="i-trash"></i></button>

2
admin/views/pages/list.php
View File

@ -15,7 +15,7 @@
<?php
endif;
?>
<a href="<?= $this->uri('/pages/' . trim($page->slug(), '/') . '/edit/') ?>" title="<?= htmlspecialchars($page->title()) ?>"><?= $page->title() ?></a>
<a href="<?= $this->uri('/pages/' . trim($page->slug(), '/') . '/edit/') ?>" title="<?= $this->escape($page->title()) ?>"><?= $this->escape($page->title()) ?></a>
</div>
<div class="page-uri">
<a <?php if ($routable): ?>href="<?= $this->pageUri($page) ?>"<?php endif; ?> target="_blank"><?= $page->slug() ?></a>

6
admin/views/users/index.php
View File

@ -8,10 +8,10 @@
?>
<div class="users-item">
<div class="users-item-cell user-username">
<a href="<?= $this->uri('/users/' . $user->username() . '/profile/') ?>"><?= $user->username() ?></a>
<a href="<?= $this->uri('/users/' . $user->username() . '/profile/') ?>"><?= $this->escape($user->username()) ?></a>
</div>
<div class="users-item-cell user-fullname"><?= $user->fullname() ?></div>
<div class="users-item-cell user-email" data-overflow-tooltip="true"><?= $user->email() ?></div>
<div class="users-item-cell user-fullname"><?= $this->escape($user->fullname()) ?></div>
<div class="users-item-cell user-email" data-overflow-tooltip="true"><?= $this->escape($user->email()) ?></div>
<div class="users-item-cell user-last-access" data-overflow-tooltip="true"><?= is_null($user->lastAccess()) ? '&infin;' : date($this->option('date.format') . ' ' . $this->option('date.hour_format'), $user->lastAccess()) ?></div>
<div class="users-item-cell user-actions">
<?php

6
admin/views/users/profile.php
View File

@ -5,9 +5,9 @@
<img src="<?= $user->avatar()->uri() ?>" style="width: 150px; border-radius: 50%;">
</div>
<div style="display:table-cell; vertical-align: middle; padding: 0.5rem;">
<h3><?= $user->fullname() ?></h3>
<?= $user->username() ?><br>
<a href="mailto:<?= $user->email() ?>"><?= $user->email() ?></a><br>
<h3><?= $this->escape($user->fullname()) ?></h3>
<?= $this->escape($user->username()) ?><br>
<a href="mailto:<?= $user->email() ?>"><?= $this->escape($user->email()) ?></a><br>
<?= $this->label('user.last-access') ?>: <?= is_null($user->lastAccess()) ? '&infin;' : date($this->option('date.format') . ' ' . $this->option('date.hour_format'), $user->lastAccess()) ?>
</div>
</div>