Commit 649764b6 authored by Francois Marier's avatar Francois Marier

Merge branch 'pieforms_hardening'

parents ad477e13 a053c5e9
......@@ -611,11 +611,11 @@ class Pieform {/*{{{*/
$result .= ' error';
}
if (isset($this->data['class'])) {
$result .= ' ' . $this->data['class'];
$result .= ' ' . self::hsc($this->data['class']);
}
$result .= '"';
foreach (array('name', 'method', 'action') as $attribute) {
$result .= ' ' . $attribute . '="' . $this->data[$attribute] . '"';
$result .= ' ' . $attribute . '="' . self::hsc($this->data[$attribute]) . '"';
}
$result .= ' id="' . $this->name . '"';
if ($this->fileupload) {
......@@ -1034,7 +1034,7 @@ EOF;
public function make_class($element) {/*{{{*/
$classes = array();
if (isset($element['class'])) {
$classes[] = $element['class'];
$classes[] = self::hsc($element['class']);
}
if (!empty($element['rules']['required'])) {
$classes[] = 'required';
......@@ -1122,6 +1122,10 @@ EOF;
throw new PieformException("The type \"$type\" is not allowed for an include plugin");
}
if (!isset($name) || !preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
throw new PieformException("The name \"$name\" is not valid (validity test: could you give a PHP function the name?)");
}
// Check the configured include paths if they are specified
foreach ($this->data['configdirs'] as $directory) {
$file = "$directory/{$type}s/$name.php";
......@@ -1159,6 +1163,14 @@ EOF;
throw new PieformException("Invalid plugin name '$plugin'");
}
if (!isset($pluginname) || !preg_match('/^[a-z_][a-z0-9_]*$/', $pluginname)) {
throw new PieformException("The pluginname \"$pluginname\" is not valid (validity test: could you give a PHP function the name?)");
}
if (!isset($key) || !preg_match('/^[a-z_][a-z0-9_]*$/', $key)) {
throw new PieformException("The key \"$key\" is not valid (validity test: could you give a PHP function the name?)");
}
// Check the element itself for the language string
if ($plugin == 'rule' && isset($element['rulei18n'][$key])) {
return $element['rulei18n'][$key];
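Review bot: The identifier checks added at lines 33, 42 and 45 anchor with `$`, which in PCRE also matches just before a trailing newline, so a name ending in "\n" passes and then reaches the `"$directory/{$type}s/$name.php"` path on line 38; use the `D` modifier or `\z`: `preg_match('/^[a-z_][a-z0-9_]*$/D', $name)`. Since the same pattern is repeated three times, a small private helper such as `self::is_valid_identifier($s)` would keep the three checks in sync. In the first hunk the `class`, `name`, `method` and `action` attributes are now escaped, but `$this->name` on line 19 is still emitted raw into `id="..."`; presumably the form name is validated at construction — if it is not, the same identifier check there would also cover every renderer that builds ids from `get_name()`. The enclosing methods start and end outside these hunks.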
......
......@@ -35,7 +35,7 @@
function pieform_element_bytes(Pieform $form, $element) {/*{{{*/
$formname = $form->get_name();
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
if (!isset($element['defaultvalue'])) {
$element['defaultvalue'] = null;
}
......@@ -67,11 +67,11 @@ function pieform_element_bytes(Pieform $form, $element) {/*{{{*/
// Same with the select. And do the events using mochikit signal instead of dom events
$numberinput = '<input';
$numberinput .= ' type="text" size="6" name="' . $name . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . $values['number'] . '" tabindex="' . $element['tabindex'] . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . Pieform::hsc($values['number']) . '" tabindex="' . Pieform::hsc($element['tabindex']) . '"';
$numberinput .= (isset($element['error']) ? ' class="error"' : '') . ">\n";
$uselect = '<select onchange="' . $name . '_change()" ';
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . $element['tabindex'] . "\">\n";
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
foreach (pieform_element_bytes_get_bytes_units() as $u) {
$uselect .= "\t<option value=\"$u\"" . (($values['units'] == $u) ? ' selected="selected"' : '') . '>'
. $form->i18n('element', 'bytes', $u, $element) . "</option>\n";
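Review bot: `$name` is HTML-escaped at line 57, but on line 68 it is interpolated into `onchange="' . $name . '_change()"`, a JavaScript context where attribute-level escaping is not sufficient: the browser decodes entities before the attribute value is run as script, so hsc() does not neutralise JavaScript metacharacters in an element name. Element names are normally developer-defined, so exposure is low, but the robust fix is to validate the name as an identifier (the `^[a-z_][a-z0-9_]*$` pattern this merge introduces for plugin names) rather than rely on escaping; the same applies to the expiry element at line 136. `$u` on line 72 is concatenated raw into the option value; it appears to come from the fixed unit list, which is fine, but a one-line comment saying so (`// $u comes from the fixed unit list, not from input`) would save the next reader the check.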
......
......@@ -33,7 +33,7 @@
*/
function pieform_element_date(Pieform $form, $element) {/*{{{*/
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
$element['minyear'] = (isset($element['minyear'])) ? intval($element['minyear']) : 1950;
$element['maxyear'] = (isset($element['maxyear'])) ? intval($element['maxyear']) : 2050;
$required = (!empty($element['rules']['required']));
......@@ -45,7 +45,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('year', $element['minyear'], $element['maxyear'], $element, $form);
$year = '<select name="' . $name . '_year" id="' . $name . '_year"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
for ($i = $element['minyear']; $i <= $element['maxyear']; $i++) {
$year .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . ">$i</option>\n";
}
......@@ -55,7 +55,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('month', 1, 12, $element, $form);
$month = '<select name="' . $name . '_month" id="' . $name . '_month"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
$monthnames = explode(',', $form->i18n('element', 'date', 'monthnames', $element));
for ($i = 1; $i <= 12; $i++) {
$month .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . '>' . $monthnames[$i-1] . "</option>\n";
......@@ -66,7 +66,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('day', 1, 31, $element, $form);
$day = '<select name="' . $name . '_day" id="' . $name . '_day"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
for ($i = 1; $i <= 31; $i++) {
$day .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . ">$i</option>\n";
}
......@@ -98,7 +98,7 @@ EOF;
$optional .= ' ' . $form->i18n('element', 'date', 'or', $element) . ' <input type="checkbox" '
. (isset($element['defaultvalue']) ? '' : 'checked="checked" ')
. 'name="' . $name . '_optional" id="' . $name . '_optional" onchange="' . $name . '_toggle(this)" '
. 'tabindex="' . $element['tabindex'] . '">';
. 'tabindex="' . Pieform::hsc($element['tabindex']) . '">';
$optional .= ' <label for="' . $name . '_optional">' . $form->i18n('element', 'date', 'notspecified', $element);
$result .= $optional;
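Review bot: The `tabindex` attributes now pass through hsc(), but `$monthnames[$i-1]` on line 101 and the `i18n()` results on lines 112 and 117 are still concatenated raw; if translation strings are plain text, escaping them the same way closes the gap at no cost, and if they are meant to carry markup, a comment stating that would be worth adding. `$name` is also used in a JavaScript context in `onchange="' . $name . '_toggle(this)"` on line 114, where HTML-attribute escaping alone does not apply — validating the element name as an identifier is the more robust fix. The loose `$value == $i` comparisons on lines 91, 101 and 109 compare a submitted value against an int; `(int) $value === $i` would be stricter, assuming `$value` is numeric or null — worth confirming against pieform_element_date_get_timeperiod_value().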
......
......@@ -35,7 +35,7 @@
function pieform_element_expiry(Pieform $form, $element) {/*{{{*/
$formname = $form->get_name();
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
if (!isset($element['defaultvalue'])) {
$element['defaultvalue'] = null;
}
......@@ -68,11 +68,11 @@ function pieform_element_expiry(Pieform $form, $element) {/*{{{*/
$numberinput = '<input';
$numberinput .= ($values['units'] == 'noenddate' && empty($element['rules']['required'])) ? ' disabled="disabled"' : '';
$numberinput .= ' type="text" size="4" name="' . $name . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . $values['number'] . '" tabindex="' . $element['tabindex'] . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . Pieform::hsc($values['number']) . '" tabindex="' . Pieform::hsc($element['tabindex']) . '"';
$numberinput .= (isset($element['error']) ? ' class="error"' : '') . ">\n";
$uselect = '<select onchange="' . $name . '_change()" ';
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . $element['tabindex'] . "\">\n";
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
foreach (pieform_element_expire_get_expiry_units() as $u) {
// Don't allow 'no end date' if the element is required
if ($u == 'noenddate' && !empty($element['rules']['required'])) {
......
......@@ -51,7 +51,7 @@ function pieform_element_fieldset(Pieform $form, $element) {/*{{{*/
$classes[] = 'collapsed';
}
if (!empty($element['class'])) {
$classes[] = $element['class'];
$classes[] = Pieform::hsc($element['class']);
}
$result .= ' class="' . implode(' ', $classes) . '"';
}
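Review bot: Escaping is applied when the class is collected (line 148) rather than when the attribute is emitted on line 150, so an escaped value travels in `$classes` next to literal ones; it works, but it is easy to miss when another entry is added later. Escaping at the output point, `$result .= ' class="' . Pieform::hsc(implode(' ', $classes)) . '"';`, keeps the rule in one place and matches how the div and oneline renderers in this merge escape `class` directly. The same shape appears in `Pieform::make_class()` (line 26), where the escaped string is returned to callers — worth confirming that no caller escapes it a second time.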
......
......@@ -61,7 +61,7 @@ function pieform_element_radio(Pieform $form, $element) {/*{{{*/
. ' value="' . Pieform::hsc($value) . '"'
. (($form_value == $value) ? ' checked="checked"' : '')
. '> <label for="' . $form->get_name() . '_' . $uid . '">' . Pieform::hsc($text) . "</label>"
. ($description != '' ? '<div class="radio-description">' . $description . '</div>' : '')
. ($description != '' ? '<div class="radio-description">' . Pieform::hsc($description) . '</div>' : '')
. $separator;
}
$result = substr($result, 0, -strlen($separator));
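Review bot: `$description` is escaped on line 158 and `$value`/`$text` on lines 154 and 156 already were, but `$uid` on line 156 still goes into the `for` attribute raw; if it is derived from the option key or the element name rather than generated internally, it needs `Pieform::hsc($uid)` as well. Separately, line 161 strips the trailing separator with `substr($result, 0, -strlen($separator))`; when `$separator` is the empty string the length argument is 0 and the whole result is discarded, so a guard such as `if ($separator !== '') { ... }` is needed if an empty separator is permitted — worth confirming where `$separator` is set. The loop and the variable definitions start outside the hunk.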
......
......@@ -51,7 +51,7 @@ function pieform_element_select(Pieform $form, $element) {/*{{{*/
if (is_array($value)) {
$value = $value['value'];
}
$result = $value . '<input type="hidden" name="' . $element['name'] . '" value="' . $key . '">';
$result = $value . '<input type="hidden" name="' . Pieform::hsc($element['name']) . '" value="' . Pieform::hsc($key) . '">';
}
return $result;
}
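Review bot: `$value` on line 168 is still prepended raw while the `name` and `value` attributes beside it are now escaped; it is the option's display text, and if option labels can contain user-supplied content it is the more exposed of the three. Either apply `Pieform::hsc($value)` there too, or add a comment stating that option text is trusted HTML by design so the asymmetry is deliberate. The enclosing branch starts outside the hunk, so the origin of `$value` (presumably `$element['options']`) is not visible here.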
......
......@@ -36,10 +36,10 @@ function pieform_renderer_div(Pieform $form, $element) {/*{{{*/
// Set the class of the enclosing <div> to match that of the element
$result = '<div';
if (isset($element['name'])) {
$result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
$result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';
}
if (!empty($element['class'])) {
$result .= ' class="' . $element['class'] . '"';
$result .= ' class="' . Pieform::hsc($element['class']) . '"';
}
$result .= '>';
......
......@@ -91,7 +91,7 @@ class FormRendererMultiColumnTable {/*{{{*/
$result .= "\t<tr";
// Set the class of the enclosing <tr> to match that of the element
if ($data['settings']['class']) {
$result .= ' class="' . $data['settings']['class'] . '"';
$result .= ' class="' . Pieform::hsc($data['settings']['class']) . '"';
}
$result .= ">\n\t\t";
......@@ -108,10 +108,10 @@ class FormRendererMultiColumnTable {/*{{{*/
$rawelement = $data['rawelements'][$k];
$result .= "\t<td";
if (isset($rawelement['name'])) {
$result .= " id=\"" . $this->form->get_name() . '_' . $rawelement['name'] . '_container"';
$result .= " id=\"" . $this->form->get_name() . '_' . Pieform::hsc($rawelement['name']) . '_container"';
}
if ($rawelement['class']) {
$result .= ' class="' . $rawelement['class'] . '"';
$result .= ' class="' . Pieform::hsc($rawelement['class']) . '"';
}
$result .= '>';
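Review bot: `if ($rawelement['class'])` on line 201 and `if ($data['settings']['class'])` on line 189 read the key without checking it exists, so an element or settings array without `class` raises an undefined-index notice, whereas `name` on line 197 is guarded with isset. Use `if (!empty($rawelement['class']))` and `if (!empty($data['settings']['class']))`, which is what the div and oneline renderers in this merge do. `$this->form->get_name()` on line 198 is still emitted raw into the id, which is fine only if form names are validated when the Pieform is constructed — worth confirming. Both hunks sit inside methods that start and end outside them.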
......
......@@ -44,10 +44,10 @@ function pieform_renderer_oneline(Pieform $form, $element) {/*{{{*/
// Set the class of the enclosing <div> to match that of the element
$result = '<span';
if (isset($element['name'])) {
$result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
$result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';
}
if (!empty($element['class'])) {
$result .= ' class="' . $element['class'] . '"';
$result .= ' class="' . Pieform::hsc($element['class']) . '"';
}
$result .= '>';
......
......@@ -86,13 +86,13 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/
else {
$result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"description\">";
}
$result .= $element['description'];
$result .= Pieform::hsc($element['description']);
$result .= "</td>\n\t</tr>\n";
}
if (!empty($element['error'])) {
$result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">";
$result .= $element['error'];
$result .= Pieform::hsc($element['error']);
$result .= "</td>\n\t</tr>\n";
}
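Review bot: Escaping `$element['description']` and `$element['error']` on lines 225 and 231 is a behaviour change for any form definition that places markup in those fields — a link in a description, or a rule message with emphasis — since it will now render as literal text. Worth grepping callers before merging and, either way, documenting on the element definition that these fields are plain text, e.g. `// description and error are escaped on output: plain text only`. If rich descriptions are genuinely needed, a separate, explicitly named key for pre-escaped content is safer than leaving the raw path in place. The function begins before this hunk.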
......