Pieforms: harden all renderers to help prevent XSS attacks

Signed-off-by: Francois Marier <francois@catalyst.net.nz>

Pieforms: harden all renderers to help prevent XSS attacks
Signed-off-by: Francois Marier <francois@catalyst.net.nz>
d7e90db7 · Francois Marier · 656b63cb · d7e90db7 · d7e90db7 · d7e90db7
Commit d7e90db7 authored May 14, 2010 by Francois Marier
--- a/htdocs/lib/pieforms/pieform/renderers/div.php
+++ b/htdocs/lib/pieforms/pieform/renderers/div.php
@@ -36,10 +36,10 @@ function pieform_renderer_div(Pieform $form, $element) {/*{{{*/
    // Set the class of the enclosing <div> to match that of the element
    $result = '<div';
    if (isset($element['name'])) {
-        $result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
+        $result .= ' id="' . $formname . '_' .  Pieform::hsc($element['name']) . '_container"';
    }
    if (!empty($element['class'])) {
-        $result .= ' class="' . $element['class'] . '"';
+        $result .= ' class="' . Pieform::hsc($element['class']) . '"';
    }
    $result .= '>';

--- a/htdocs/lib/pieforms/pieform/renderers/multicolumntable.php
+++ b/htdocs/lib/pieforms/pieform/renderers/multicolumntable.php
@@ -91,7 +91,7 @@ class FormRendererMultiColumnTable {/*{{{*/
            $result .= "\t<tr";
            // Set the class of the enclosing <tr> to match that of the element
            if ($data['settings']['class']) {
-                $result .= ' class="' . $data['settings']['class'] . '"';
+                $result .= ' class="' . Pieform::hsc($data['settings']['class']) . '"';
            }
            $result .= ">\n\t\t";
@@ -108,10 +108,10 @@ class FormRendererMultiColumnTable {/*{{{*/
                $rawelement = $data['rawelements'][$k];
                $result .= "\t<td";
                if (isset($rawelement['name'])) {
-                    $result .= " id=\"" . $this->form->get_name() . '_' . $rawelement['name'] . '_container"';
+                    $result .= " id=\"" . $this->form->get_name() . '_' . Pieform::hsc($rawelement['name']) . '_container"';
                }
                if ($rawelement['class']) {
-                    $result .= ' class="' . $rawelement['class'] . '"';
+                    $result .= ' class="' . Pieform::hsc($rawelement['class']) . '"';
                }
                $result .= '>';

--- a/htdocs/lib/pieforms/pieform/renderers/oneline.php
+++ b/htdocs/lib/pieforms/pieform/renderers/oneline.php
@@ -44,10 +44,10 @@ function pieform_renderer_oneline(Pieform $form, $element) {/*{{{*/
    // Set the class of the enclosing <div> to match that of the element
    $result = '<span';
    if (isset($element['name'])) {
-        $result .= ' id="' . $formname . '_' . $element['name'] . '_container"';
+        $result .= ' id="' . $formname . '_' . Pieform::hsc($element['name']) . '_container"';
    }
    if (!empty($element['class'])) {
-        $result .= ' class="' . $element['class'] . '"';
+        $result .= ' class="' . Pieform::hsc($element['class']) . '"';
    }
    $result .= '>';

--- a/htdocs/lib/pieforms/pieform/renderers/table.php
+++ b/htdocs/lib/pieforms/pieform/renderers/table.php
@@ -86,13 +86,13 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/
        else {
            $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"description\">";
        }
-        $result .= $element['description'];
+        $result .= Pieform::hsc($element['description']);
        $result .= "</td>\n\t</tr>\n";
    }
    if (!empty($element['error'])) {
        $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">";
-        $result .= $element['error'];
+        $result .= Pieform::hsc($element['error']);
        $result .= "</td>\n\t</tr>\n";
    }