Commit 484a4f87 authored by Francois Marier's avatar Francois Marier

lib/htmloutput.php: move all HTML output to a single file

All HTML output (i.e. all echo/print statements going to the browser) should
now be in this file.

This is so that we can easily review all areas of Mahara where XSS bugs could
hide (other than templates and PHP pieforms).

Note that the echo statements in lib/errors.php can't be moved here, since that file must always work on its own and so can't include other code/files.
Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent a7f35154
......@@ -29,6 +29,7 @@ define('ADMIN', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
define('TITLE', get_string('institutions', 'admin'));
require_once('pieforms/pieform.php');
require_once(get_config('docroot') . '/lib/htmloutput.php');
// CHECK FOR CANCEL BEFORE THE 'REQUIRED' PARAMS:
$cancel = param_boolean('c');
......@@ -139,23 +140,6 @@ function auth_config_submit(Pieform $form, $values) {
exit;
}
// TODO: move to lib if people want this:
function execute_javascript_and_close($js='') {
echo '<html>
<head>
<title>You may close this window</title>
<script language="Javascript">
function closeMe() {
'.$js.'
window.close();
}
</script>
</head>
<body onLoad="closeMe();" style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: center;">This window should close automatically</body>'.
"\n</html>";
exit;
}
$js = <<<EOF
function authloginmsgVisibility() {
// If Parent authority is 'None'
......
......@@ -29,6 +29,7 @@ define('INTERNAL', 1);
define('ADMIN', 1);
define('BULKEXPORT', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
require_once(get_config('docroot') . '/lib/htmloutput.php');
raise_memory_limit("1024M");
ini_set('max_execution_time', 300); // 5 minutes
......@@ -54,25 +55,7 @@ if (!$exportdata = $SESSION->get('exportdata')) {
$SESSION->set('exportdata', '');
$stylesheets = array_reverse($THEME->get_url('style/style.css', true));
?>
<html>
<head>
<title></title>
<?php foreach ($stylesheets as $stylesheet) { ?>
<link rel="stylesheet" type="text/css" href="<?php echo hsc($stylesheet); ?>">
<?php } ?>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
background-color: #808080;
}
</style>
</head>
<body>
<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>
<p class="progress-text"><?php echo get_string('Starting', 'export'); ?></p>
<?php
print_export_head($stylesheets);
flush();
/**
......@@ -81,7 +64,7 @@ flush();
* @param string $message The message to display to the user
*/
function export_iframe_die($message) {
echo '<div class="progress-bar" style="width: 100%;"><p>' . hsc($message) . '</p></div></body></html>';
print_export_iframe_die($message);
exit;
}
......@@ -93,12 +76,7 @@ function export_iframe_die($message) {
* @param string $status A human-readable string describing the current step
*/
function export_iframe_progress_handler($percent, $status) {
// "Erase" the current output with a new background div
echo '<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>';
// The progress bar itself
echo '<div class="progress-bar" style="width: ' . intval($percent) . '%;"></div>' . "\n";
// The status text
echo '<p class="progress-text">' . hsc($status) . "</p>\n";
print_iframe_progress_handler($percent, $status);
ob_flush();
}
......@@ -249,17 +227,4 @@ $SESSION->set('exportfile', $zipfile);
$wwwroot = get_config('wwwroot');
$strexportgeneratedsuccessfullyjs = get_string('exportgeneratedsuccessfullyjs', 'export', '<a href="' . $wwwroot . '" target="_top">', '</a>');
$strexportgeneratedsuccessfully = get_string('exportgeneratedsuccessfully', 'export', '<a href="bulkdownload.php" target="_top">', '</a>');
?>
<script type="text/javascript">
document.write('<div class="progress-bar" style="width: 100%;"><p><?php echo $strexportgeneratedsuccessfullyjs; ?></p></div>');
if (!window.opera) {
// Opera can't handle this for some reason - it vomits out the
// download inline in the iframe
document.location = 'bulkdownload.php';
}
</script>
<div class="progress-bar" style="width: 100%;">
<p><?php echo $strexportgeneratedsuccessfully; ?></p>
</div>
</body>
</html>
print_export_footer($strexportgeneratedsuccessfully, $strexportgeneratedsuccessfullyjs);
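Review bot: The footer call on the last line of this hunk redirects the bulk-export iframe to the wrong file: the removed script set `document.location = 'bulkdownload.php'`, but print_export_footer in lib/htmloutput.php hard-codes `document.location = 'download.php'`, so after this commit only the non-JS fallback link (carried inside `$strexportgeneratedsuccessfully`) still points at bulkdownload.php. Pass the download target in rather than hard-coding it, e.g. `print_export_footer($strexportgeneratedsuccessfully, $strexportgeneratedsuccessfullyjs, 'bulkdownload.php');` here (export/iframe.php would pass 'download.php') and `document.location = <?php echo json_encode($downloadurl); ?>;` in the helper. Since that value lands inside a JS string literal, json_encode is the right escaper for the context; hsc alone would not neutralise quotes or backslashes there.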
......@@ -30,6 +30,7 @@ define('ADMIN', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
require_once('pieforms/pieform.php');
require_once('institution.php');
require_once(get_config('docroot') . '/lib/htmloutput.php');
safe_require('artefact', 'internal');
safe_require('artefact', 'file');
raise_memory_limit('1024M');
......@@ -113,8 +114,7 @@ $form = array(
*/
function meta_redirect() {
$url = get_config('wwwroot') . '/admin/users/bulkimport.php';
print '<html><head><meta http-equiv="Refresh" content="0; url=' . $url . '">';
print '</head><body><p>Please follow <a href="'.$url.'">link</a>!</p></body></html>';
print_meta_redirect($url);
exit;
}
......
......@@ -28,6 +28,7 @@
define('INTERNAL', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
safe_require('artefact', 'file');
require_once(get_config('docroot') . '/lib/htmloutput.php');
if (!$unzip = $SESSION->get('unzip')) {
redirect('/artefact/file/');
......@@ -39,25 +40,7 @@ if (function_exists('apache_setenv')) {
}
$stylesheets = array_reverse($THEME->get_url('style/style.css', true));
?>
<html>
<head>
<title></title>
<?php foreach ($stylesheets as $stylesheet) { ?>
<link rel="stylesheet" type="text/css" href="<?php echo hsc($stylesheet); ?>">
<?php } ?>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
background-color: #808080;
}
</style>
</head>
<body>
<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>
<p class="progress-text"><?php echo get_string('unzipprogress', 'artefact.file', '0/' . $unzip['artefacts']); ?></p>
<?php
print_extractprogress_head($stylesheets, $unzip['artefacts']);
flush();
/**
......@@ -71,12 +54,7 @@ function unzip_iframe_progress_handler($artefacts) {
$status = get_string('unzipprogress', 'artefact.file', $artefacts . '/' . $unzip['artefacts']);
set_time_limit(10);
// "Erase" the current output with a new background div
echo '<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>';
// The progress bar itself
echo '<div class="progress-bar" style="width: ' . intval($percent) . '%;"></div>' . "\n";
// The status text
echo '<p class="progress-text">' . hsc($status) . "</p>\n";
print_iframe_progress_handler($percent, $status);
flush();
}
......@@ -93,9 +71,5 @@ $next .= (strpos($next, '?') === false ? '?' : '&') . 'folder=' . $status['basef
$SESSION->set('unzip', false);
$message = get_string('extractfilessuccess', 'artefact.file', $status['folderscreated'], $status['filescreated']);
?>
<div class="progress-bar" style="width: 100%;">
<p><?php echo $message; ?> <a href="<?php echo $next; ?>" target="_top"><?php echo get_string('Continue', 'artefact.file'); ?></a></p>
</div>
</body>
</html>
print_extractprogress_footer($message, $next);
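Review bot: `$next` is passed on the last line into print_extractprogress_footer, which writes it into an href attribute unescaped (`<a href="<?php echo $next; ?>"`), and this hunk builds it from session-held unzip state (`$status['basef…']` on the first context line), so the helper should emit `href="<?php echo hsc($next); ?>"`. `$message` on the same helper line is also echoed raw; unless the 'extractfilessuccess' string deliberately carries markup it should get hsc as well. The same gap exists in print_meta_redirect in lib/htmloutput.php, where `$url` is concatenated into a meta refresh attribute and an href without hsc; the bulkimport caller passes only a wwwroot-derived path, so it is low risk today, but escaping at the output point is the purpose of centralising these helpers.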
......@@ -29,6 +29,7 @@ defined('INTERNAL') || die();
require('session.php');
require(get_config('docroot') . 'auth/user.php');
require_once(get_config('docroot') . '/lib/htmloutput.php');
/**
* Unknown user exception
......@@ -444,9 +445,8 @@ function auth_setup () {
json_reply('global', get_string('sessiontimedoutreload'), 1);
}
if (defined('IFRAME')) {
$frame = '<html><head></head><body onload="parent.show_login_form(\'ajaxlogin_iframe\')"></body></html>';
header('Content-type: text/html');
echo $frame;
print_auth_frame();
exit;
}
......
......@@ -27,6 +27,7 @@
define('INTERNAL', 1);
require(dirname(dirname(__FILE__)) . '/init.php');
require_once(get_config('docroot') . '/lib/htmloutput.php');
// Download the export file if it's been generated
if ($exportfile = $SESSION->get('exportfile')) {
......@@ -48,25 +49,7 @@ if (!$exportdata = $SESSION->get('exportdata')) {
$SESSION->set('exportdata', '');
$stylesheets = array_reverse($THEME->get_url('style/style.css', true));
?>
<html>
<head>
<title></title>
<?php foreach ($stylesheets as $stylesheet) { ?>
<link rel="stylesheet" type="text/css" href="<?php echo hsc($stylesheet); ?>">
<?php } ?>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
background-color: #808080;
}
</style>
</head>
<body>
<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>
<p class="progress-text"><?php echo get_string('Starting', 'export'); ?></p>
<?php
print_export_head($stylesheets);
flush();
/**
......@@ -75,7 +58,7 @@ flush();
* @param string $message The message to display to the user
*/
function export_iframe_die($message) {
echo '<div class="progress-bar" style="width: 100%;"><p>' . hsc($message) . '</p></div></body></html>';
print_export_iframe_die($message);
exit;
}
......@@ -87,12 +70,7 @@ function export_iframe_die($message) {
* @param string $status A human-readable string describing the current step
*/
function export_iframe_progress_handler($percent, $status) {
// "Erase" the current output with a new background div
echo '<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>';
// The progress bar itself
echo '<div class="progress-bar" style="width: ' . intval($percent) . '%;"></div>' . "\n";
// The status text
echo '<p class="progress-text">' . hsc($status) . "</p>\n";
print_iframe_progress_handler($percent, $status);
flush();
}
......@@ -130,17 +108,4 @@ $SESSION->set('exportfile', $exporter->get('exportdir') . $zipfile);
$wwwroot = get_config('wwwroot');
$strexportgeneratedsuccessfullyjs = get_string('exportgeneratedsuccessfullyjs', 'export', '<a href="' . $wwwroot . '" target="_top">', '</a>');
$strexportgeneratedsuccessfully = get_string('exportgeneratedsuccessfully', 'export', '<a href="download.php" target="_top">', '</a>');
?>
<script type="text/javascript">
document.write('<div class="progress-bar" style="width: 100%;"><p><?php echo $strexportgeneratedsuccessfullyjs; ?></p></div>');
if (!window.opera) {
// Opera can't handle this for some reason - it vomits out the
// download inline in the iframe
document.location = 'download.php';
}
</script>
<div class="progress-bar" style="width: 100%;">
<p><?php echo $strexportgeneratedsuccessfully; ?></p>
</div>
</body>
</html>
print_export_footer($strexportgeneratedsuccessfully, $strexportgeneratedsuccessfullyjs);
<?php
/**
* Mahara: Electronic portfolio, weblog, resume builder and social networking
* Copyright (C) 2006-2010 Catalyst IT Ltd and others; see:
* http://wiki.mahara.org/Contributors
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @package mahara
* @subpackage lib
* @author Catalyst IT Ltd
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006-2010 Catalyst IT Ltd http://catalyst.net.nz
*
*/
// Every function which outputs to a page outside of a template should be in this file
// so that it's easier to review for security purposes
function print_export_head($stylesheets) {
?>
<html>
<head>
<title></title>
<?php foreach ($stylesheets as $stylesheet) { ?>
<link rel="stylesheet" type="text/css" href="<?php echo hsc($stylesheet); ?>">
<?php } ?>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
background-color: #808080;
}
</style>
</head>
<body>
<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>
<p class="progress-text"><?php echo get_string('Starting', 'export'); ?></p>
<?php
}
function print_export_iframe_die($message) {
echo '<div class="progress-bar" style="width: 100%;"><p>' . hsc($message) . '</p></div></body></html>';
}
function print_iframe_progress_handler($percent, $status) {
// "Erase" the current output with a new background div
echo '<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>';
// The progress bar itself
echo '<div class="progress-bar" style="width: ' . intval($percent) . '%;"></div>' . "\n";
// The status text
echo '<p class="progress-text">' . hsc($status) . "</p>\n";
}
function print_export_footer($strexportgeneratedsuccessfully, $strexportgeneratedsuccessfullyjs) {
?>
<script type="text/javascript">
document.write('<div class="progress-bar" style="width: 100%;"><p><?php echo $strexportgeneratedsuccessfullyjs; ?></p></div>');
if (!window.opera) {
// Opera can't handle this for some reason - it vomits out the
// download inline in the iframe
document.location = 'download.php';
}
</script>
<div class="progress-bar" style="width: 100%;">
<p><?php echo $strexportgeneratedsuccessfully; ?></p>
</div>
</body>
</html>
<?php
}
function print_extractprogress_head($stylesheets, $artefacts) {
?>
<html>
<head>
<title></title>
<?php foreach ($stylesheets as $stylesheet) { ?>
<link rel="stylesheet" type="text/css" href="<?php echo hsc($stylesheet); ?>">
<?php } ?>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
background-color: #808080;
}
</style>
</head>
<body>
<div style="width: 100%; background-color: #808080;" class="progress-bar"></div>
<p class="progress-text"><?php echo get_string('unzipprogress', 'artefact.file', '0/' . $artefacts); ?></p>
<?php
}
function print_extractprogress_footer($message, $next) {
?>
<div class="progress-bar" style="width: 100%;">
<p><?php echo $message; ?> <a href="<?php echo $next; ?>" target="_top"><?php echo get_string('Continue', 'artefact.file'); ?></a></p>
</div>
</body>
</html>
<?
}
function execute_javascript_and_close($js='') {
echo '<html>
<head>
<title>You may close this window</title>
<script language="Javascript">
function closeMe() {
'.$js.'
window.close();
}
</script>
</head>
<body onLoad="closeMe();" style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: center;">This window should close automatically</body>'.
"\n</html>";
exit;
}
function print_meta_redirect($url) {
print '<html><head><meta http-equiv="Refresh" content="0; url=' . $url . '">';
print '</head><body><p>Please follow <a href="'.$url.'">link</a>!</p></body></html>';
}
function print_auth_frame() {
$frame = '<html><head></head><body onload="parent.show_login_form(\'ajaxlogin_iframe\')"></body></html>';
echo $frame;
}
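Review bot: print_extractprogress_footer re-enters PHP with a short open tag (`<?` on the line before its closing brace) instead of `<?php`; with short_open_tag disabled the parser never leaves HTML mode, so that `}` and the rest of the file are emitted as text and the file fails to parse. Change it to `<?php` to match the other helpers in this file. Every function here is also undocumented, which matters in a file whose stated purpose is security review: give each a docblock naming every parameter and whether it is escaped on output, e.g. for execute_javascript_and_close `/** @param string $js Raw JavaScript emitted unescaped into a <script> block; callers must pass only developer-authored code, never request data. */`, and for print_export_footer state that `$strexportgeneratedsuccessfully` and its js variant are expected to contain pre-built anchor markup and are printed without escaping.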