Commit 6015fc31 authored by Richard Mansfield's avatar Richard Mansfield

Fix xss on view artefact & view pages

parent 8cc0979a
......@@ -6,7 +6,7 @@
<table class="filedata">
<tr><th>{str tag=Type section=artefact.file}:</th><td>{$filetype}</td></tr>
<tr><th>{str tag=Description section=artefact.file}:</th><td>{$description|escape}</td></tr>
<tr><th>{str tag=Owner section=artefact.file}:</th><td>{$owner}</td></tr>
<tr><th>{str tag=Owner section=artefact.file}:</th><td>{$owner|escape}</td></tr>
<tr><th>{str tag=Created section=artefact.file}:</th><td>{$created}</td></tr>
<tr><th>{str tag=lastmodified section=artefact.file}:</th><td>{$modified}</td></tr>
<tr><th>{str tag=Size section=artefact.file}:</th><td>{$size|escape}</td></tr>
......
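Review bot: `{$filetype}`, `{$created}` and `{$modified}` on the rows around the changed line still go out without `|escape`, while the commit escapes `$description`, `$owner` and `$size` in the same table. If those three are always server-generated type labels and formatted dates they are safe today, but that is a property of the callers this template cannot see; escaping them as well costs nothing and keeps the table uniformly safe, e.g. `<td>{$filetype|escape}</td>`. Consider making `|escape` the rule for every `{$...}` in this file rather than the exception.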
......@@ -87,13 +87,13 @@ $artefactpath[] = array(
'title' => $artefact->display_title(),
);
$heading = '<a href="' . get_config('wwwroot') . 'view/view.php?id=' . $view->get('id') .'">' . hsc($view->get('title')) . '</a> ' . get_string('by', 'view') . ' <a href="' . get_config('wwwroot') .'user/view.php?id=' . $view->get('owner'). '">' . $view->formatted_owner() . '</a>';
$heading = '<a href="' . get_config('wwwroot') . 'view/view.php?id=' . $view->get('id') .'">' . hsc($view->get('title')) . '</a> ' . get_string('by', 'view') . ' <a href="' . get_config('wwwroot') .'user/view.php?id=' . $view->get('owner'). '">' . hsc($view->formatted_owner()) . '</a>';
foreach ($artefactpath as $item) {
if (empty($item['url'])) {
$heading .= ': ' . $item['title'];
}
else {
$heading .= ': <a href="' . $item['url'] . '">' . $item['title'] . '</a>';
$heading .= ': <a href="' . $item['url'] . '">' . hsc($item['title']) . '</a>';
}
}
......
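Review bot: The `if (empty($item['url']))` branch still appends the title raw (`$heading .= ': ' . $item['title'];`) while the `else` branch now wraps the same value in `hsc()`, so an entry that reaches the branch without a URL is not covered by this fix. Both branches should treat the title the same way: `$heading .= ': ' . hsc($item['title']);`. `$item['url']` is also concatenated into an `href` attribute unescaped; if it can carry `&` or a quote it should go through the same helper, `'<a href="' . hsc($item['url']) . '">'`. The `$artefactpath[] = array(` literal this hunk belongs to starts above the hunk, so whether `display_title()` already returns escaped text — which would make the new `hsc()` double-encode — cannot be confirmed from here.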
......@@ -49,7 +49,7 @@ if ($new) {
else {
$heading = '<a href="' . get_config('wwwroot') . 'view/view.php?id=' . $view->get('id') .'">' . hsc($view->get('title')) . '</a>';
}
$heading .= ' ' . get_string('by', 'view') . ' <a href="' . get_config('wwwroot') .'user/view.php?id=' . $view->get('owner'). '">' . $view->formatted_owner() . '</a>';
$heading .= ' ' . get_string('by', 'view') . ' <a href="' . get_config('wwwroot') .'user/view.php?id=' . $view->get('owner'). '">' . hsc($view->formatted_owner()) . '</a>';
$tutorfilefeedbackformrow = '';
......
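Review bot: The ids concatenated into the two `href` values, `$view->get('id')` and `$view->get('owner')`, are still inserted without escaping or a cast, both here and in the matching `$heading` line of the artefact page hunk above. If `get()` returns the raw database integer this is harmless, but nothing on these lines guarantees it; an explicit cast, `'view/view.php?id=' . (int) $view->get('id')`, documents that assumption and closes the gap should the value ever originate from a request parameter. Because the fix wraps `formatted_owner()` at each call site rather than in the method, any other place that echoes its result into HTML needs the same treatment and is worth a search. The enclosing `if ($new) { ... } else {` begins above the hunk.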