diff options
| author | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
|---|---|---|
| committer | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
| commit | 9dfba1e70866fb2bb551678f6e04b8ddfd5467e1 (patch) | |
| tree | 81f4731ae7b2fa902226f084480e26411ac3ad71 /admin | |
| parent | 00586f1e8ada8f5baa6e3013525862dccac77b4a (diff) | |
| download | fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.gz fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.bz2 fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.zip | |
Fixed HTML Entites problem
When the poll escaping problem was fixed, a whole ton of other similar bugs were found which were also fixed here. Fixes #115
Diffstat (limited to 'admin')
| -rw-r--r-- | admin/drafts.php | 2 | ||||
| -rw-r--r-- | admin/editLink.php | 4 | ||||
| -rw-r--r-- | admin/editPoll.php | 30 | ||||
| -rw-r--r-- | admin/editPost.php | 4 | ||||
| -rw-r--r-- | admin/links.php | 2 | ||||
| -rw-r--r-- | admin/newLink.php | 2 | ||||
| -rw-r--r-- | admin/newPoll.php | 19 | ||||
| -rw-r--r-- | admin/newPost.php | 2 | ||||
| -rw-r--r-- | admin/pending.php | 2 | ||||
| -rw-r--r-- | admin/polls.php | 2 | ||||
| -rw-r--r-- | admin/posts.php | 2 |
11 files changed, 39 insertions, 32 deletions
| diff --git a/admin/drafts.php b/admin/drafts.php index 22d8a09..5f7be1a 100644 --- a/admin/drafts.php +++ b/admin/drafts.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['title'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['title']), |
| 86 | 'AUTHOR' => $post['author'], | 86 | 'AUTHOR' => $post['author'], |
| 87 | 'ID' => $post['id'], | 87 | 'ID' => $post['id'], |
| 88 | 'CODED' => $post['slug'], | 88 | 'CODED' => $post['slug'], |
| diff --git a/admin/editLink.php b/admin/editLink.php index fe4fb66..f3ba9cc 100644 --- a/admin/editLink.php +++ b/admin/editLink.php | |||
| @@ -74,10 +74,10 @@ if (isset($_GET['submit'])) | |||
| 74 | $template->adds_block('FLASH', array('TEXT' => 'Your link has been sucessfully edited.')); | 74 | $template->adds_block('FLASH', array('TEXT' => 'Your link has been sucessfully edited.')); |
| 75 | } | 75 | } |
| 76 | 76 | ||
| 77 | $template->add('TITLEVALUE', $_POST['title']); | 77 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 78 | $template->add('URLVALUE', $_POST['url']); | 78 | $template->add('URLVALUE', $_POST['url']); |
| 79 | } else { | 79 | } else { |
| 80 | $template->add('TITLEVALUE', $getlink3['title']); | 80 | $template->add('TITLEVALUE', htmlentities($getlink3['title'])); |
| 81 | $template->add('URLVALUE', $getlink3['url']); | 81 | $template->add('URLVALUE', $getlink3['url']); |
| 82 | } | 82 | } |
| 83 | 83 | ||
| diff --git a/admin/editPoll.php b/admin/editPoll.php index 3a154a3..425f33c 100644 --- a/admin/editPoll.php +++ b/admin/editPoll.php | |||
| @@ -81,21 +81,21 @@ if (isset($_GET['submit'])) | |||
| 81 | $getpoll2 = mysql_query($getpoll); | 81 | $getpoll2 = mysql_query($getpoll); |
| 82 | $getpoll3 = mysql_fetch_array($getpoll2); | 82 | $getpoll3 = mysql_fetch_array($getpoll2); |
| 83 | 83 | ||
| 84 | $template->add('QUESTIONVALUE', $_POST['question']); | 84 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 85 | $template->add('OPTION1VALUE', $_POST['option1']); | 85 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 86 | $template->add('OPTION2VALUE', $_POST['option2']); | 86 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 87 | $template->add('OPTION3VALUE', $_POST['option3']); | 87 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 88 | $template->add('OPTION4VALUE', $_POST['option4']); | 88 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 89 | $template->add('TEXTVALUE', $_POST['text']); | 89 | $template->add('TEXTVALUE', $_POST['text']); |
| 90 | } else { | 90 | } else { |
| 91 | $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id']; | 91 | $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id']; |
| 92 | $inspoll2 = mysql_query($inspoll); | 92 | $inspoll2 = mysql_query($inspoll); |
| 93 | 93 | ||
| 94 | $template->add('QUESTIONVALUE', $_POST['question']); | 94 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 95 | $template->add('OPTION1VALUE', $_POST['option1']); | 95 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 96 | $template->add('OPTION2VALUE', $_POST['option2']); | 96 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 97 | $template->add('OPTION3VALUE', $_POST['option3']); | 97 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 98 | $template->add('OPTION4VALUE', $_POST['option4']); | 98 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 99 | $template->add('TEXTVALUE', $_POST['text']); | 99 | $template->add('TEXTVALUE', $_POST['text']); |
| 100 | 100 | ||
| 101 | $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.')); | 101 | $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.')); |
| @@ -105,11 +105,11 @@ if (isset($_GET['submit'])) | |||
| 105 | $getpoll2 = mysql_query($getpoll); | 105 | $getpoll2 = mysql_query($getpoll); |
| 106 | $getpoll3 = mysql_fetch_array($getpoll2); | 106 | $getpoll3 = mysql_fetch_array($getpoll2); |
| 107 | 107 | ||
| 108 | $template->add('QUESTIONVALUE', $getpoll3['question']); | 108 | $template->add('QUESTIONVALUE', htmlentities($getpoll3['question'])); |
| 109 | $template->add('OPTION1VALUE', $getpoll3['option1']); | 109 | $template->add('OPTION1VALUE', htmlentities($getpoll3['option1'])); |
| 110 | $template->add('OPTION2VALUE', $getpoll3['option2']); | 110 | $template->add('OPTION2VALUE', htmlentities($getpoll3['option2'])); |
| 111 | $template->add('OPTION3VALUE', $getpoll3['option3']); | 111 | $template->add('OPTION3VALUE', htmlentities($getpoll3['option3'])); |
| 112 | $template->add('OPTION4VALUE', $getpoll3['option4']); | 112 | $template->add('OPTION4VALUE', htmlentities($getpoll3['option4'])); |
| 113 | $template->add('TEXTVALUE', $getpoll3['text']); | 113 | $template->add('TEXTVALUE', $getpoll3['text']); |
| 114 | } | 114 | } |
| 115 | 115 | ||
| diff --git a/admin/editPost.php b/admin/editPost.php index b01d1e2..b87f895 100644 --- a/admin/editPost.php +++ b/admin/editPost.php | |||
| @@ -201,13 +201,13 @@ if (!isset($_GET['type']) || !isset($_GET['id']) || !is_numeric($_GET['id'])) | |||
| 201 | $template->add('ACTION', '/admin/editPost.php?type=' . $type . '&id=' . $id . '&submit='); | 201 | $template->add('ACTION', '/admin/editPost.php?type=' . $type . '&id=' . $id . '&submit='); |
| 202 | } | 202 | } |
| 203 | 203 | ||
| 204 | $template->add('TITLEVALUE', $_POST['title']); | 204 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 205 | $template->add('TEXTVALUE', $_POST['text']); | 205 | $template->add('TEXTVALUE', $_POST['text']); |
| 206 | $template->add('TAGSVALUE', $_POST['tags']); | 206 | $template->add('TAGSVALUE', $_POST['tags']); |
| 207 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 207 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| 208 | if ($_POST['type'] != 'draft') $template->add('TAGSDISABLED', ' readonly="readonly"'); | 208 | if ($_POST['type'] != 'draft') $template->add('TAGSDISABLED', ' readonly="readonly"'); |
| 209 | } else { | 209 | } else { |
| 210 | $template->add('TITLEVALUE', $getpost3['title']); | 210 | $template->add('TITLEVALUE', htmlentities($getpost3['title'])); |
| 211 | $template->add('TEXTVALUE', $getpost3['text']); | 211 | $template->add('TEXTVALUE', $getpost3['text']); |
| 212 | $template->add('TAGSVALUE', implode(',', getTags($_GET['id'], $tableToTags[$_GET['type']]))); | 212 | $template->add('TAGSVALUE', implode(',', getTags($_GET['id'], $tableToTags[$_GET['type']]))); |
| 213 | $template->add(strtoupper($tableToForm[$_GET['type']]) . 'SELECTED', ' checked="checked"'); | 213 | $template->add(strtoupper($tableToForm[$_GET['type']]) . 'SELECTED', ' checked="checked"'); |
| diff --git a/admin/links.php b/admin/links.php index d1ab878..fc1c813 100644 --- a/admin/links.php +++ b/admin/links.php | |||
| @@ -97,7 +97,7 @@ foreach ($pager->getPageData() as $link) | |||
| 97 | { | 97 | { |
| 98 | if (!empty($link)) | 98 | if (!empty($link)) |
| 99 | { | 99 | { |
| 100 | $template->adds_block('LINK', array( 'TITLE' => $link['title'], | 100 | $template->adds_block('LINK', array( 'TITLE' => htmlentities($link['title']), |
| 101 | 'URL' => $link['url'], | 101 | 'URL' => $link['url'], |
| 102 | 'ID' => $link['id'], | 102 | 'ID' => $link['id'], |
| 103 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); | 103 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); |
| diff --git a/admin/newLink.php b/admin/newLink.php index 3f6b42c..90313bd 100644 --- a/admin/newLink.php +++ b/admin/newLink.php | |||
| @@ -80,7 +80,7 @@ if (isset($_GET['submit'])) | |||
| 80 | $template->add('TYPEDISABLED', ' readonly="readonly"'); | 80 | $template->add('TYPEDISABLED', ' readonly="readonly"'); |
| 81 | } | 81 | } |
| 82 | 82 | ||
| 83 | $template->add('TITLEVALUE', $_POST['title']); | 83 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 84 | $template->add('URLVALUE', $_POST['url']); | 84 | $template->add('URLVALUE', $_POST['url']); |
| 85 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 85 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| 86 | } else { | 86 | } else { |
| diff --git a/admin/newPoll.php b/admin/newPoll.php index c924cd9..d105f45 100644 --- a/admin/newPoll.php +++ b/admin/newPoll.php | |||
| @@ -77,6 +77,13 @@ if (isset($_GET['submit'])) | |||
| 77 | 77 | ||
| 78 | $template->add('TITLE', 'New Poll'); | 78 | $template->add('TITLE', 'New Poll'); |
| 79 | $template->add('ACTION', '/admin/newPoll.php?submit='); | 79 | $template->add('ACTION', '/admin/newPoll.php?submit='); |
| 80 | |||
| 81 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); | ||
| 82 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); | ||
| 83 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); | ||
| 84 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); | ||
| 85 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); | ||
| 86 | $template->add('TEXTVALUE', htmlentities($_POST['text'])); | ||
| 80 | } else { | 87 | } else { |
| 81 | $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")"; | 88 | $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")"; |
| 82 | $inspoll2 = mysql_query($inspoll); | 89 | $inspoll2 = mysql_query($inspoll); |
| @@ -86,12 +93,12 @@ if (isset($_GET['submit'])) | |||
| 86 | $cleardid = "TRUNCATE TABLE didpollalready"; | 93 | $cleardid = "TRUNCATE TABLE didpollalready"; |
| 87 | $cleardid2 = mysql_query($cleardid); | 94 | $cleardid2 = mysql_query($cleardid); |
| 88 | 95 | ||
| 89 | $template->add('QUESTIONVALUE', $_POST['question']); | 96 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 90 | $template->add('OPTION1VALUE', $_POST['option1']); | 97 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 91 | $template->add('OPTION2VALUE', $_POST['option2']); | 98 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 92 | $template->add('OPTION3VALUE', $_POST['option3']); | 99 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 93 | $template->add('OPTION4VALUE', $_POST['option4']); | 100 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 94 | $template->add('TEXTVALUE', $_POST['text']); | 101 | $template->add('TEXTVALUE', htmlentities($_POST['text'])); |
| 95 | 102 | ||
| 96 | $template->add('TITLE', 'Edit Poll'); | 103 | $template->add('TITLE', 'Edit Poll'); |
| 97 | $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit='); | 104 | $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit='); |
| diff --git a/admin/newPost.php b/admin/newPost.php index eb6b4e0..32e7aa2 100644 --- a/admin/newPost.php +++ b/admin/newPost.php | |||
| @@ -145,7 +145,7 @@ if (isset($_GET['submit'])) | |||
| 145 | if ($type != 'drafts') $template->add('TAGSDISABLED', ' readonly="readonly"'); | 145 | if ($type != 'drafts') $template->add('TAGSDISABLED', ' readonly="readonly"'); |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | $template->add('TITLEVALUE', $_POST['title']); | 148 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 149 | $template->add('TEXTVALUE', $_POST['text']); | 149 | $template->add('TEXTVALUE', $_POST['text']); |
| 150 | $template->add('TAGSVALUE', $_POST['tags']); | 150 | $template->add('TAGSVALUE', $_POST['tags']); |
| 151 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 151 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| diff --git a/admin/pending.php b/admin/pending.php index 407cd35..6f1cfaf 100644 --- a/admin/pending.php +++ b/admin/pending.php | |||
| @@ -148,7 +148,7 @@ foreach ($pager->getPageData() as $post) | |||
| 148 | { | 148 | { |
| 149 | if (!empty($post)) | 149 | if (!empty($post)) |
| 150 | { | 150 | { |
| 151 | $template->add_ref($j, 'POST', array( 'TITLE' => $post['title'], | 151 | $template->add_ref($j, 'POST', array( 'TITLE' => htmlentities($post['title']), |
| 152 | 'AUTHOR' => $post['author'], | 152 | 'AUTHOR' => $post['author'], |
| 153 | 'ID' => $post['id'], | 153 | 'ID' => $post['id'], |
| 154 | 'CODED' => $post['slug'], | 154 | 'CODED' => $post['slug'], |
| diff --git a/admin/polls.php b/admin/polls.php index 8e1465c..e4239fa 100644 --- a/admin/polls.php +++ b/admin/polls.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['question'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['question']), |
| 86 | 'ID' => $post['id'], | 86 | 'ID' => $post['id'], |
| 87 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); | 87 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); |
| 88 | } | 88 | } |
| diff --git a/admin/posts.php b/admin/posts.php index 605db30..d2e34c5 100644 --- a/admin/posts.php +++ b/admin/posts.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['title'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['title']), |
| 86 | 'AUTHOR' => $post['author'], | 86 | 'AUTHOR' => $post['author'], |
| 87 | 'ID' => $post['id'], | 87 | 'ID' => $post['id'], |
| 88 | 'CODED' => $post['slug'], | 88 | 'CODED' => $post['slug'], |