Commit a053c5e9 authored by Francois Marier's avatar Francois Marier

Pieforms: harden all elements to help prevent XSS attacks


Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent d7e90db7
......@@ -35,7 +35,7 @@
function pieform_element_bytes(Pieform $form, $element) {/*{{{*/
$formname = $form->get_name();
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
if (!isset($element['defaultvalue'])) {
$element['defaultvalue'] = null;
}
......@@ -67,11 +67,11 @@ function pieform_element_bytes(Pieform $form, $element) {/*{{{*/
// Same with the select. And do the events using mochikit signal instead of dom events
$numberinput = '<input';
$numberinput .= ' type="text" size="6" name="' . $name . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . $values['number'] . '" tabindex="' . $element['tabindex'] . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . Pieform::hsc($values['number']) . '" tabindex="' . Pieform::hsc($element['tabindex']) . '"';
$numberinput .= (isset($element['error']) ? ' class="error"' : '') . ">\n";
$uselect = '<select onchange="' . $name . '_change()" ';
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . $element['tabindex'] . "\">\n";
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
foreach (pieform_element_bytes_get_bytes_units() as $u) {
$uselect .= "\t<option value=\"$u\"" . (($values['units'] == $u) ? ' selected="selected"' : '') . '>'
. $form->i18n('element', 'bytes', $u, $element) . "</option>\n";
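Review bot: `Pieform::hsc($element['tabindex'])` on the two new lines (the `$numberinput` id/value/tabindex line and the `$uselect` tabindex line) escapes a value that is only meaningful as an integer; casting it instead, `' tabindex="' . (int) $element['tabindex'] . '"'`, both neutralises injected markup and rejects non-numeric input, the same way the date element already handles `minyear`/`maxyear` with `intval`. The same pattern appears in the date and expiry hunks of this commit. Separately, `$name` is now escaped once at the top of the function and reused in the `onchange` handler and the `name`/`id` attributes, which is right for attribute context, but any later use of `$name` as a plain lookup key in the part of the function outside this hunk would now see the escaped form — worth confirming. The option label from `$form->i18n(...)` on the last line of the hunk is still emitted raw; if language-pack strings are plain text it should go through `Pieform::hsc` as well.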
......
......@@ -33,7 +33,7 @@
*/
function pieform_element_date(Pieform $form, $element) {/*{{{*/
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
$element['minyear'] = (isset($element['minyear'])) ? intval($element['minyear']) : 1950;
$element['maxyear'] = (isset($element['maxyear'])) ? intval($element['maxyear']) : 2050;
$required = (!empty($element['rules']['required']));
......@@ -45,7 +45,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('year', $element['minyear'], $element['maxyear'], $element, $form);
$year = '<select name="' . $name . '_year" id="' . $name . '_year"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
for ($i = $element['minyear']; $i <= $element['maxyear']; $i++) {
$year .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . ">$i</option>\n";
}
......@@ -55,7 +55,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('month', 1, 12, $element, $form);
$month = '<select name="' . $name . '_month" id="' . $name . '_month"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
$monthnames = explode(',', $form->i18n('element', 'date', 'monthnames', $element));
for ($i = 1; $i <= 12; $i++) {
$month .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . '>' . $monthnames[$i-1] . "</option>\n";
......@@ -66,7 +66,7 @@ function pieform_element_date(Pieform $form, $element) {/*{{{*/
$value = pieform_element_date_get_timeperiod_value('day', 1, 31, $element, $form);
$day = '<select name="' . $name . '_day" id="' . $name . '_day"'
. (!$required && !isset($element['defaultvalue']) ? ' disabled="disabled"' : '')
. ' tabindex="' . $element['tabindex'] . "\">\n";
. ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
for ($i = 1; $i <= 31; $i++) {
$day .= "\t<option value=\"$i\"" . (($value == $i) ? ' selected="selected"' : '') . ">$i</option>\n";
}
......@@ -98,7 +98,7 @@ EOF;
$optional .= ' ' . $form->i18n('element', 'date', 'or', $element) . ' <input type="checkbox" '
. (isset($element['defaultvalue']) ? '' : 'checked="checked" ')
. 'name="' . $name . '_optional" id="' . $name . '_optional" onchange="' . $name . '_toggle(this)" '
. 'tabindex="' . $element['tabindex'] . '">';
. 'tabindex="' . Pieform::hsc($element['tabindex']) . '">';
$optional .= ' <label for="' . $name . '_optional">' . $form->i18n('element', 'date', 'notspecified', $element);
$result .= $optional;
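Review bot: The i18n strings on this section's lines — `$monthnames[$i-1]` in the month `<option>` loop and the `'or'`/`'notspecified'` labels in the optional block — are concatenated into HTML without `Pieform::hsc`, while every other value the commit touches is now escaped. If language-pack text is trusted plain text, wrapping each in `Pieform::hsc(...)` closes the gap consistently; if it may carry markup by design, a comment at the first such use, `// i18n strings are trusted HTML and deliberately not escaped`, stops the next reader from treating it as an oversight. The year and day loops only interpolate the integer `$i` and need nothing. `pieform_element_date` continues outside the hunks shown here.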
......
......@@ -35,7 +35,7 @@
function pieform_element_expiry(Pieform $form, $element) {/*{{{*/
$formname = $form->get_name();
$result = '';
$name = $element['name'];
$name = Pieform::hsc($element['name']);
if (!isset($element['defaultvalue'])) {
$element['defaultvalue'] = null;
}
......@@ -68,11 +68,11 @@ function pieform_element_expiry(Pieform $form, $element) {/*{{{*/
$numberinput = '<input';
$numberinput .= ($values['units'] == 'noenddate' && empty($element['rules']['required'])) ? ' disabled="disabled"' : '';
$numberinput .= ' type="text" size="4" name="' . $name . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . $values['number'] . '" tabindex="' . $element['tabindex'] . '"';
$numberinput .= ' id="' . $formname . '_' . $name . '" value="' . Pieform::hsc($values['number']) . '" tabindex="' . Pieform::hsc($element['tabindex']) . '"';
$numberinput .= (isset($element['error']) ? ' class="error"' : '') . ">\n";
$uselect = '<select onchange="' . $name . '_change()" ';
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . $element['tabindex'] . "\">\n";
$uselect .= 'name="' . $name . '_units" id="' . $formname . '_' . $name . '_units"' . ' tabindex="' . Pieform::hsc($element['tabindex']) . "\">\n";
foreach (pieform_element_expire_get_expiry_units() as $u) {
// Don't allow 'no end date' if the element is required
if ($u == 'noenddate' && !empty($element['rules']['required'])) {
......
......@@ -51,7 +51,7 @@ function pieform_element_fieldset(Pieform $form, $element) {/*{{{*/
$classes[] = 'collapsed';
}
if (!empty($element['class'])) {
$classes[] = $element['class'];
$classes[] = Pieform::hsc($element['class']);
}
$result .= ' class="' . implode(' ', $classes) . '"';
}
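Review bot: Escaping `$element['class']` at the point it is pushed into `$classes` rather than where the attribute is emitted leaves `$classes` holding a mix of raw literals and one already-encoded entry; if anything else in `pieform_element_fieldset` (which starts outside the hunk) reads `$classes`, it now sees encoded text. Escaping at the output boundary is simpler and covers every entry: keep `$classes[] = $element['class'];` and change the emit line to `$result .= ' class="' . Pieform::hsc(implode(' ', $classes)) . '"';`. For the lines visible here the rendered output is identical, so this is a style point rather than a defect.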
......
......@@ -61,7 +61,7 @@ function pieform_element_radio(Pieform $form, $element) {/*{{{*/
. ' value="' . Pieform::hsc($value) . '"'
. (($form_value == $value) ? ' checked="checked"' : '')
. '> <label for="' . $form->get_name() . '_' . $uid . '">' . Pieform::hsc($text) . "</label>"
. ($description != '' ? '<div class="radio-description">' . $description . '</div>' : '')
. ($description != '' ? '<div class="radio-description">' . Pieform::hsc($description) . '</div>' : '')
. $separator;
}
$result = substr($result, 0, -strlen($separator));
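Review bot: `substr($result, 0, -strlen($separator))` on the last line of the hunk discards the entire result when `$separator` is the empty string, because `-strlen('')` is `0` and `substr($s, 0, 0)` returns `''`; guard it with `if ($separator !== '') { $result = substr($result, 0, -strlen($separator)); }`, or collect each radio's markup in an array and `implode($separator, $parts)` so no trailing-separator trim is needed. The new `Pieform::hsc($description)` is consistent with how `$text` is already escaped two lines above; if descriptions are meant to carry markup that should be stated in a comment rather than left implicit. The statement that builds `$result` starts before this hunk.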
......
......@@ -51,7 +51,7 @@ function pieform_element_select(Pieform $form, $element) {/*{{{*/
if (is_array($value)) {
$value = $value['value'];
}
$result = $value . '<input type="hidden" name="' . $element['name'] . '" value="' . $key . '">';
$result = $value . '<input type="hidden" name="' . Pieform::hsc($element['name']) . '" value="' . Pieform::hsc($key) . '">';
}
return $result;
}
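Review bot: `$value` — the selected option's display text — is still concatenated raw at the start of the rewritten `$result` line while `$element['name']` and `$key` on the same line are now escaped; the radio element escapes the equivalent label with `Pieform::hsc($text)`, so for consistency this should read `$result = Pieform::hsc($value) . '<input type="hidden" name="' . Pieform::hsc($element['name']) . '" value="' . Pieform::hsc($key) . '">';`. If option labels are allowed to carry markup by design, the `is_array($value)` branch just above is the place for a comment saying so. `pieform_element_select` starts outside the hunk.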
......