Security fixes from master

8cc0979a · Richard Mansfield · 5199dc28 · 8cc0979a · 8cc0979a · 8cc0979a
Commit 8cc0979a authored Mar 04, 2009 by Richard Mansfield
--- a/htdocs/admin/users/edit.php
+++ b/htdocs/admin/users/edit.php
@@ -431,7 +431,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1);
 $smarty->assign('institutionform', $institutionform);

 if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', hsc($user->username));
 } else {
    $loginas = null;
 }

--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -440,7 +440,7 @@ EOF;

        if ($USER->get('parentuser')) {
            $smarty->assign('USERMASQUERADING', true);
-            $smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', display_name($USER)));
+            $smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', hsc(display_name($USER))));
            $smarty->assign('becomeyouagain',
                ' <a href="' . hsc($wwwroot) . 'admin/users/changeuser.php?restore=1">'
                . get_string('becomeadminagain', 'admin', $USER->get('parentuser')->name)

--- a/htdocs/theme/default/templates/admin/users/edit.tpl
+++ b/htdocs/theme/default/templates/admin/users/edit.tpl
@@ -2,7 +2,7 @@

 {include file="columnfullstart.tpl"}
 <div id="edituser">
-    <h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user->firstname} {$user->lastname} ({$user->username})</a></h2>
+    <h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user|display_name|escape}</a></h2>
    {if !empty($loginas)}
      <div><a href="{$WWWROOT}admin/users/changeuser.php?id={$user->id}">{$loginas}</a></div>
    {/if}

--- a/htdocs/theme/default/templates/searchresulttable.tpl
+++ b/htdocs/theme/default/templates/searchresulttable.tpl
@@ -26,7 +26,7 @@
        {foreach from=$results.data item=r}
          <tr class="{cycle values="r0,r1"}">
          {foreach from=$cols key=f item=c}
-            <td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]}{else}{eval var=$c.template}{/if}</td> 
+            <td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]|escape}{else}{eval var=$c.template}{/if}</td> 
          {/foreach}
          </tr>
        {/foreach}

--- a/htdocs/user/view.php
+++ b/htdocs/user/view.php
@@ -332,7 +332,7 @@ if ($loggedinid != $userid) {
 }

 if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', hsc($user->username));
 } else {
    $loginas = null;
 }