Commit d7e90db7 authored by Francois Marier's avatar Francois Marier

Pieforms: harden all renderers to help prevent XSS attacks


Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent 656b63cb
......@@ -36,10 +36,10 @@ function pieform_renderer_div(Pieform $form, $element) {/*{{{*/
// Set the class of the enclosing <div> to match that of the element
$result = '<div';
if (isset($element['name'])) {
$result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
$result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';
}
if (!empty($element['class'])) {
$result .= ' class="' . $element['class'] . '"';
$result .= ' class="' . Pieform::hsc($element['class']) . '"';
}
$result .= '>';
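Review bot: The form name is still concatenated into the id attribute unescaped on the new line `$result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';` — only the element name goes through Pieform::hsc. If form names are always literals chosen by the calling code this is harmless, but escaping the whole attribute value removes the need to reason about each source: `$result .= ' id="' . Pieform::hsc($formname . '_' . $element['name'] . '_container') . '"';`. The same pattern appears in the oneline renderer and, with `$this->form->get_name()`, in the multi-column table renderer. Pieform::hsc itself is not in the diff; it should pass ENT_QUOTES so the same helper stays safe if it is ever used inside a single-quoted attribute. pieform_renderer_div continues outside the hunk.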
......
......@@ -91,7 +91,7 @@ class FormRendererMultiColumnTable {/*{{{*/
$result .= "\t<tr";
// Set the class of the enclosing <tr> to match that of the element
if ($data['settings']['class']) {
$result .= ' class="' . $data['settings']['class'] . '"';
$result .= ' class="' . Pieform::hsc($data['settings']['class']) . '"';
}
$result .= ">\n\t\t";
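Review bot: The guard around the newly escaped class, `if ($data['settings']['class'])`, is a plain truthiness test with no isset(), so a settings array without a class key raises an undefined-index notice before the escaping even runs; the div renderer uses `!empty($element['class'])` for the same purpose. `if (!empty($data['settings']['class']))` keeps the renderers consistent, and the same applies to `if ($rawelement['class'])` in the next hunk of this file. The enclosing method starts before this hunk.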
......@@ -108,10 +108,10 @@ class FormRendererMultiColumnTable {/*{{{*/
$rawelement = $data['rawelements'][$k];
$result .= "\t<td";
if (isset($rawelement['name'])) {
$result .= " id=\"" . $this->form->get_name() . '_' . $rawelement['name'] . '_container"';
$result .= " id=\"" . $this->form->get_name() . '_' . Pieform::hsc($rawelement['name']) . '_container"';
}
if ($rawelement['class']) {
$result .= ' class="' . $rawelement['class'] . '"';
$result .= ' class="' . Pieform::hsc($rawelement['class']) . '"';
}
$result .= '>';
......
......@@ -44,10 +44,10 @@ function pieform_renderer_oneline(Pieform $form, $element) {/*{{{*/
// Set the class of the enclosing <div> to match that of the element
$result = '<span';
if (isset($element['name'])) {
$result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
$result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';
}
if (!empty($element['class'])) {
$result .= ' class="' . $element['class'] . '"';
$result .= ' class="' . Pieform::hsc($element['class']) . '"';
}
$result .= '>';
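Review bot: The comment `// Set the class of the enclosing <div> to match that of the element` above the new code is stale for this renderer, which opens a `<span>` on the next line; it should read `// Set the class of the enclosing <span> to match that of the element`. pieform_renderer_oneline continues outside the hunk.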
......
......@@ -86,13 +86,13 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/
else {
$result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"description\">";
}
$result .= $element['description'];
$result .= Pieform::hsc($element['description']);
$result .= "</td>\n\t</tr>\n";
}
if (!empty($element['error'])) {
$result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">";
$result .= $element['error'];
$result .= Pieform::hsc($element['error']);
$result .= "</td>\n\t</tr>\n";
}
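Review bot: Passing `$element['description']` and `$element['error']` through Pieform::hsc changes what callers may put in those fields — any element definition that relied on markup in a description (a link in help text, say) will now show the tags literally, and neither the commit message nor the renderer records that change of contract. A short comment before the description block, such as `// description and error are emitted as text; any markup in them is escaped, not rendered`, would make the new rule explicit, and checking existing element definitions for HTML in these fields before merging would catch regressions. Whether the div and oneline renderers also emit description/error is not visible in their hunks; if they do, they need the same treatment. pieform_renderer_table starts before this hunk.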
......