Commit d3de3999 authored by Richard Mansfield's avatar Richard Mansfield

Merge commit 'a97ffa86'

parents 7b796343 a97ffa86
......@@ -481,7 +481,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1);
$smarty->assign('institutionform', $institutionform);
if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) {
$loginas = get_string('loginasuser', 'admin', $user->username);
$loginas = get_string('loginasuser', 'admin', hsc($user->username));
} else {
$loginas = null;
}
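Review bot: After L11 `$loginas` is HTML-safe only by convention, because the escaping happens inside the `get_string()` argument and the template that prints it (`{$loginas}` at L127 in this same commit) has to emit it raw; L188 repeats the pattern. A later `|escape` at the output point would double-encode the username, and dropping the `hsc()` here would silently reopen the hole, with nothing at either site recording the contract. I would escape where the value is printed (`{$loginas|escape}` with the plain username passed to `get_string()`), or at least add `// pre-escaped HTML: templates must output $loginas without |escape` above the assignment. This assumes the 'loginasuser' string carries no markup that output-time escaping would have to preserve — worth confirming.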
......
......@@ -191,10 +191,10 @@ class ArtefactTypeBlog extends ArtefactType {
if (isset($options['viewid'])) {
$smarty->assign('artefacttitle', '<a href="' . get_config('wwwroot') . 'view/artefact.php?artefact='
. $this->get('id') . '&view=' . $options['viewid']
. '">' . $this->get('title') . '</a>');
. '">' . hsc($this->get('title')) . '</a>');
}
else {
$smarty->assign('artefacttitle', $this->get('title'));
$smarty->assign('artefacttitle', hsc($this->get('title')));
}
$smarty->assign('blockid', $blockid);
......@@ -202,7 +202,7 @@ class ArtefactTypeBlog extends ArtefactType {
$smarty->assign('enc_id', json_encode($this->id));
$smarty->assign('limit', self::pagination);
$smarty->assign('loading_img', theme_get_url('images/loading.gif'));
$smarty->assign('description', $this->get('description'));
$smarty->assign('description', clean_html($this->get('description')));
// Remove unnecessary options for blog posts
unset($options['hidetitle']);
......@@ -425,15 +425,15 @@ class ArtefactTypeBlogPost extends ArtefactType {
if (isset($options['viewid'])) {
$smarty->assign('artefacttitle', '<a href="' . get_config('wwwroot') . 'view/artefact.php?artefact='
. $this->get('id') . '&view=' . $options['viewid']
. '">' . $this->get('title') . '</a>');
. '">' . hsc($this->get('title')) . '</a>');
}
else {
$smarty->assign('artefacttitle', $this->get('title'));
$smarty->assign('artefacttitle', hsc($this->get('title')));
}
}
// We need to make sure that the images in the post have the right viewid associated with them
$postcontent = $this->get('description');
$postcontent = clean_html($this->get('description'));
if (isset($options['viewid'])) {
safe_require('artefact', 'file');
$postcontent = ArtefactTypeFolder::append_view_url($postcontent, $options['viewid']);
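Review bot: `clean_html()` at L50 runs before `append_view_url()` at L53 rewrites the content, so anything the rewrite inserts is not covered by the sanitizer; if `append_view_url()` only splices a numeric `$options['viewid']` into existing URLs this is harmless, but the ordering makes that an unstated assumption. If the sanitizer leaves the rewritten URLs intact, `$postcontent = clean_html(ArtefactTypeFolder::append_view_url($this->get('description'), $options['viewid']));` in the viewid branch removes the dependency; otherwise a comment stating that the rewrite emits no user-controlled text would do. Separately, the href built at L38-L41 concatenates `$this->get('id')` and `$options['viewid']` unescaped with a bare `&`, so the new `hsc()` covers only the link text; L18-L21 has the same construction. The enclosing method continues past the end of the hunk.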
......@@ -521,6 +521,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
foreach ($result as &$post) {
$post->ctime = format_date($post->ctime, 'strftimedaydatetime');
$post->mtime = format_date($post->mtime);
$post->description = clean_html($post->description);
}
}
......
......@@ -74,7 +74,7 @@ class PluginBlocktypeImage extends PluginBlocktype {
$description = (is_a($image, 'ArtefacttypeImage')) ? $image->get('description') : $image->get('title');
if (!empty($configdata['showdescription']) && $description) {
$result .= '<p>' . $description . '</p>';
$result .= '<p>' . hsc($description) . '</p>';
}
$result .= '</div>';
}
......
......@@ -6,7 +6,7 @@
<table class="filedata">
<tr><th>{str tag=Type section=artefact.file}:</th><td>{$filetype}</td></tr>
<tr><th>{str tag=Description section=artefact.file}:</th><td>{$description|escape}</td></tr>
<tr><th>{str tag=Owner section=artefact.file}:</th><td>{$owner}</td></tr>
<tr><th>{str tag=Owner section=artefact.file}:</th><td>{$owner|escape}</td></tr>
<tr><th>{str tag=Created section=artefact.file}:</th><td>{$created}</td></tr>
<tr><th>{str tag=lastmodified section=artefact.file}:</th><td>{$modified}</td></tr>
<tr><th>{str tag=Size section=artefact.file}:</th><td>{$size|escape}</td></tr>
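Review bot: `{$owner|escape}` at L76 still leaves `{$filetype}` (L73), `{$created}` (L77) and `{$modified}` (L78) in the same table emitted raw. The date cells are presumably the output of a formatting helper and safe, but the file type is presumably derived from the uploaded file's own metadata and deserves the same treatment: `<td>{$filetype|escape}</td>`. If `$filetype` is already escaped in PHP before it is assigned, a comment on that assignment would make the contract visible.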
......
......@@ -20,7 +20,7 @@
<tr class="{cycle values=r1,r0}">
<td><img src="{$child->iconsrc}" border="0" alt="{$child->artefacttype|escape}"></td>
<td><a href="{$WWWROOT}view/artefact.php?artefact={$child->id|escape}&amp;view={$viewid|escape}" title="{$child->hovertitle}">{$child->title}</a></td>
<td>{$child->description}</td>
<td>{$child->description|escape}</td>
{if !$simpledisplay}<td>{$child->date}</td>{/if}
</tr>
{/foreach}
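Review bot: The `|escape` added at L86 covers the description cell, but on L84 `{$child->title}` in the link text and `title="{$child->hovertitle}"` in the attribute are still output raw, as is `{$child->date}` on L87. Unless these are escaped when the child rows are built in PHP, the title is the more likely injection point in this row than the description; I would change L84 to `title="{$child->hovertitle|escape}">{$child->title|escape}</a>`. The `{foreach}` that opens this loop starts before the hunk.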
......
......@@ -2,8 +2,8 @@
<colgroup width="50%" span="2"></colgroup>
{foreach from=$fields key='field' item='value'}
<tr>
<td>{$field}</td>
<td>{$value}</td>
<td>{$field|escape}</td>
<td>{$value|escape}</td>
</tr>
{/foreach}
</table>
......@@ -2,7 +2,7 @@
{include file="sidebar.tpl"}
{include file="columnleftstart.tpl"}
<h2>{$subheading}</h2>
<h2>{$subheading|escape}</h2>
<div id="viewforum">
<table id="forumdescription">
<tr>
......
......@@ -481,7 +481,7 @@ EOF;
if ($USER->get('parentuser')) {
$smarty->assign('USERMASQUERADING', true);
$smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', display_name($USER)));
$smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', hsc(display_name($USER))));
$smarty->assign('becomeyouagain',
' <a href="' . hsc($wwwroot) . 'admin/users/changeuser.php?restore=1">'
. get_string('becomeadminagain', 'admin', $USER->get('parentuser')->name)
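Review bot: L115 now escapes `display_name($USER)`, but the same block passes `$USER->get('parentuser')->name` to `get_string()` at L118 unescaped, inside an anchor whose href was already wrapped in `hsc()` at L117. Unless the parent user's name is escaped where `parentuser` is populated, this should read `hsc($USER->get('parentuser')->name)` for consistency with L115. The `becomeyouagain` assignment continues beyond the end of the hunk.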
......
......@@ -3,7 +3,7 @@
{include file="columnfullstart.tpl"}
<div id="edituser" style="position: relative;">
<div style="position: absolute; top: 0; right: 0;"><a href="{$WWWROOT}user/view.php?id={$user->id}"><img src="{$WWWROOT}thumb.php?type=profileiconbyid&amp;maxwidth=100&amp;maxheight=100&amp;id={$user->profileicon}" alt=""></a></div>
<h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user->firstname} {$user->lastname} ({$user->username})</a></h2>
<h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user|display_name|escape}</a></h2>
{if !empty($loginas)}
<div><a href="{$WWWROOT}admin/users/changeuser.php?id={$user->id}">{$loginas}</a></div>
{/if}
......
......@@ -26,7 +26,7 @@
{foreach from=$results.data item=r}
<tr class="{cycle values="r0,r1"}">
{foreach from=$cols key=f item=c}
<td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]}{else}{eval var=$c.template}{/if}</td>
<td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]|escape}{else}{eval var=$c.template}{/if}</td>
{/foreach}
</tr>
{/foreach}
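Review bot: `{$r[$f]|escape}` at L135 only covers the plain-value branch; the `{else}{eval var=$c.template}` branch evaluates a per-column Smarty template that is now responsible for escaping whatever row values it prints, and nothing here enforces that. `class="{$c.class}"` on the same line is also emitted raw, which is fine only if column definitions are static code rather than data. A comment on the convention, e.g. `{* column templates (c.template) must apply |escape to any row value they print *}`, would at least make the obligation visible to whoever adds the next column.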
......
<h3>{$data.group->name}</h3>
<h3>{$data.group->name|escape}</h3>
<ul>
{foreach from=$data.menu item=item}
{if $item.path != 'groups'}
......@@ -6,7 +6,7 @@
{if $item.path == 'groups/forums' && !empty($data.forums)}
<ul>
{foreach from=$data.forums item=forum}
<li><a href="{$WWWROOT}interaction/forum/view.php?id={$forum->id}">{$forum->title}</a>
<li><a href="{$WWWROOT}interaction/forum/view.php?id={$forum->id}">{$forum->title|escape}</a>
{/foreach}
</ul>
{/if}
......
......@@ -35,7 +35,7 @@
</div>
{if $relationship == 'pending'}
<div class="message">
{str tag='whymakemeyourfriend' section='group'} {$message}
{str tag='whymakemeyourfriend' section='group'} {$message|escape}
{$requestform}
</div>
{/if}
......
......@@ -3,9 +3,9 @@
{include file="columnfullstart.tpl"}
<h2>
<a href="{$WWWROOT}view/view.php?id={$viewid}">{$viewtitle}</a>{if $ownername} {str tag=by section=view}
<a href="{$WWWROOT}{$ownerlink}">{$ownername}</a>{/if}{foreach from=$artefactpath item=a}:
{if $a.url}<a href="{$a.url}">{/if}{$a.title}{if $a.url}</a>{/if}
<a href="{$WWWROOT}view/view.php?id={$viewid}">{$viewtitle|escape}</a>{if $ownername} {str tag=by section=view}
<a href="{$WWWROOT}{$ownerlink}">{$ownername|escape}</a>{/if}{foreach from=$artefactpath item=a}:
{if $a.url}<a href="{$a.url}">{/if}{$a.title|escape}{if $a.url}</a>{/if}
{/foreach}
</h2>
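Review bot: The link text is escaped at L171-L173 but the attribute values around it are not: `href="{$a.url}"` at L173, `{$ownerlink}` at L172 and `{$viewid}` at L171 go into `href` attributes raw, and L180 in the view template repeats `{$ownerlink}` the same way. These are presumably built server-side from ids and known paths, but an unescaped `"` in any of them would break out of the attribute; `href="{$a.url|escape}"` and `{$ownerlink|escape}` cost nothing and close the gap. Unescaped `{$viewid}` is only safe if it is validated as an integer before being assigned.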
......
......@@ -2,7 +2,7 @@
{include file="columnfullstart.tpl"}
<h2>{if !$new}<a href="{$WWWROOT}view/view.php?id={$viewid}">{/if}{$viewtitle}{if !$new}</a>{/if}{if $ownername} {str tag=by section=view} <a href="{$WWWROOT}{$ownerlink}">{$ownername}</a>{/if}</h2>
<h2>{if !$new}<a href="{$WWWROOT}view/view.php?id={$viewid}">{/if}{$viewtitle|escape}{if !$new}</a>{/if}{if $ownername} {str tag=by section=view} <a href="{$WWWROOT}{$ownerlink}">{$ownername|escape}</a>{/if}</h2>
{if $can_edit}
<div class="fr editview">
......
......@@ -277,7 +277,7 @@ else if (!empty($loggedinid)) {
}
if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
$loginas = get_string('loginasuser', 'admin', $user->username);
$loginas = get_string('loginasuser', 'admin', hsc($user->username));
} else {
$loginas = null;
}
......