Index: branches/5.2.x/core/kernel/managers/url_manager.php =================================================================== diff -u -N -r15727 -r15856 --- branches/5.2.x/core/kernel/managers/url_manager.php (.../url_manager.php) (revision 15727) +++ branches/5.2.x/core/kernel/managers/url_manager.php (.../url_manager.php) (revision 15856) @@ -1,6 +1,6 @@ get(kOpenerStack::LAST_ELEMENT, true)); $ret = $this->Application->BaseURL($prefix, $ssl) . $index_file . '?' . ENV_VAR_NAME . '=' . $env; + // TODO: tag, which uses resulting url should do escaping if ( isset($params['escape']) && $params['escape'] ) { - $ret = addslashes($ret); + $ret = kUtil::escape($ret, kUtil::ESCAPE_JS); } if ( isset($params['m_opener']) && $params['m_opener'] == 'u' ) { Index: branches/5.2.x/core/admin_templates/incs/footer.tpl =================================================================== diff -u -N -r15712 -r15856 --- branches/5.2.x/core/admin_templates/incs/footer.tpl (.../footer.tpl) (revision 15712) +++ branches/5.2.x/core/admin_templates/incs/footer.tpl (.../footer.tpl) (revision 15856) @@ -1,5 +1,5 @@ ', "", $ret); + $ret = kUtil::escape($ret, kUtil::ESCAPE_JS); } if ($flag_values['strip_nl']) { // 1 - strip \r,\n; 2 - strip tabs too @@ -329,7 +327,7 @@ { // echo " prefix : $prefix
"; if (!isset($this->Prefixes[$prefix])) - $this->Application->ApplicationDie ("Filepath and ClassName for prefix $prefix not defined while processing ".htmlspecialchars($tag->GetFullTag(), null, CHARSET)."!"); + $this->Application->ApplicationDie ("Filepath and ClassName for prefix $prefix not defined while processing ".kUtil::escape($tag->GetFullTag())."!"); include_once($this->Prefixes[$prefix]['path']); $ClassName = $this->Prefixes[$prefix]['class']; $a_processor = new $ClassName($prefix); Index: branches/5.2.x/core/kernel/languages/phrases_cache.php =================================================================== diff -u -N -r15736 -r15856 --- branches/5.2.x/core/kernel/languages/phrases_cache.php (.../phrases_cache.php) (revision 15736) +++ branches/5.2.x/core/kernel/languages/phrases_cache.php (.../phrases_cache.php) (revision 15856) @@ -1,6 +1,6 @@ Application->isAdmin && (EDITING_MODE == EDITING_MODE_CONTENT)) { // front-end viewed in content mode - $this->_editExisting = true; - $this->_editMissing = true; + $this->_editExisting = $this->_editMissing = true; $this->_simpleEditingMode = !$this->Application->isDebugMode(); $this->_translateHtmlTag = 'span'; } - $this->_editLinkMask = 'javascript:translate_phrase(\'#LABEL#\', \'' . $this->_phraseEditTemplate . '\', {event: \'OnPreparePhrase\', simple_mode: ' . ($this->_simpleEditingMode ? 'true' : 'false') . '});'; + $this->_editLinkMask = $this->getRawEditLink('#LABEL#'); if (defined('DEBUG_MODE') && DEBUG_MODE && !$this->Application->GetVar('admin')) { // admin and front-end while not viewed using content mode (via admin) 
@@ -113,17 +113,66 @@ 'm_opener' => 'd', 'phrases_label' => '#LABEL#', 'phrases_event' => 'OnPreparePhrase', - 'next_template' => urlencode('external:' . $_SERVER['REQUEST_URI']), + 'next_template' => kUtil::escape('external:' . $_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL), 'pass' => 'm,phrases' ); - $this->_escapePhraseName = false; + $this->_phraseEscapeStrategy = kUtil::ESCAPE_URL; $this->_editLinkMask = $this->Application->HREF($this->_phraseEditTemplate, '', $url_params); } } } /** + * Returns raw link for given phrase editing. + * + * @param string $label Phrase label. + * + * @return string + */ + protected function getRawEditLink($label) + { + $function_params = array( + $label, + $this->_phraseEditTemplate, + array('event' => 'OnPreparePhrase', 'simple_mode' => $this->_simpleEditingMode), + ); + + return 'javascript:translate_phrase(' . implode(',', array_map('json_encode', $function_params)) . ');'; + } + + /** + * Returns final link (using mask) for given phrase editing. + * + * @param string $label Phrase label. + * + * @return string + */ + protected function getEditLink($label) + { + $escaped_label = kUtil::escape($label, $this->_phraseEscapeStrategy); + + return str_replace('#LABEL#', $escaped_label, $this->_editLinkMask); + } + + /** + * Returns HTML code for label editing. + * + * @param string $url Phrase editing url. + * @param string $text Link text to show (usually label in upper case). + * @param string $alt Text to display when hovered over the link. + * + * @return string + */ + protected function getEditHtmlCode($url, $text, $alt) + { + $url = kUtil::escape($url, kUtil::ESCAPE_HTML); + $ret = '<' . $this->_translateHtmlTag . ' href="' . $url . '" name="cms-translate-phrase" title="' . $alt . '">' . $text . '_translateHtmlTag . '>'; + + return $this->fromTag ? $this->escapeTagReserved($ret) : $ret; + } + + /** * Loads phrases from current language * Method is called manually (not from kFactory class) too * 
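Review bot: getEditLink escapes the real label with `$this->_phraseEscapeStrategy`, but the only assignment visible in this diff is `kUtil::ESCAPE_URL` in the DEBUG_MODE branch; in the content-editing branch (previous hunk) the mask is `getRawEditLink('#LABEL#')`, where json_encode has quoted only the placeholder, so the property's default (set outside this hunk) alone decides whether a label containing `'`, `"` or `\` terminates the JS string inside the `javascript:` URL. Setting `$this->_phraseEscapeStrategy = kUtil::ESCAPE_JS;` next to that mask assignment, or building the link with `getRawEditLink($label)` whenever the mask is a javascript: URL, would make the result independent of the default. Separately, getEditHtmlCode escapes `$url` but writes `$alt` into `title="…"` raw; both current callers pass literals, so either add `$alt = kUtil::escape($alt, kUtil::ESCAPE_HTML);` or state in the docblock that `$alt` must be literal text. `$text` is deliberately left raw, presumably because translations may carry markup; that deserves a sentence in the docblock as well.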
@@ -214,47 +263,36 @@ return ''; } - $original_label = $this->_escapePhraseName ? addslashes($label) : $label; - $label = mb_strtoupper($label); + $original_label = $label; - if ( substr($label, 0, 5) == 'HINT:' || substr($label, 0, 7) == 'COLUMN:' ) { - // don't just check for ":" since phrases could have ":" in their names (e.g. advanced permission labels) - list ($field_prefix, $label) = explode(':', $label, 2); - $translation_field = mb_convert_case($field_prefix, MB_CASE_TITLE) . 'Translation'; - } - else { - $translation_field = 'Translation'; - } + list ($field_prefix, $label) = $this->parseLabel($label); + $translation_field = mb_convert_case($field_prefix, MB_CASE_TITLE) . 'Translation'; + $uppercase_label = mb_strtoupper($label); - $cache_key = ($allow_editing ? '' : 'NE:') . $label; + $cache_key = ($allow_editing ? '' : 'NE:') . $uppercase_label; if ( isset($this->Phrases[$cache_key]) ) { $translated_label = $this->Phrases[$cache_key][$translation_field]; - if ($this->_editExisting && $allow_editing && !array_key_exists($label, $this->_missingPhrases)) { + if ($this->_editExisting && $allow_editing && !array_key_exists($uppercase_label, $this->_missingPhrases)) { // option to change translation for Labels - $original_label = explode(':', $original_label, 2); - $edit_url = 'javascript:translate_phrase(\'' . end($original_label) . '\', \'' . $this->_phraseEditTemplate . '\', {event: \'OnPreparePhrase\', simple_mode: ' . ($this->_simpleEditingMode ? 'true' : 'false') . '});'; - $translated_label = '<' . $this->_translateHtmlTag . ' href="' . $edit_url . '" name="cms-translate-phrase" title="Edit translation">' . $translated_label . '_translateHtmlTag . 
'>'; - - if ($this->fromTag) { - $translated_label = $this->escapeTagReserved($translated_label); - } + $edit_link = $this->getRawEditLink($label); + $translated_label = $this->getEditHtmlCode($edit_link, $translated_label, 'Edit translation'); } return $translated_label; } - $this->LoadPhraseByLabel($label, $original_label, $allow_editing, $use_admin); + $this->LoadPhraseByLabel($uppercase_label, $original_label, $allow_editing, $use_admin); return $this->GetPhrase($original_label, $allow_editing); } - function LoadPhraseByLabel($label, $original_label, $allow_editing = true, $use_admin = false) + function LoadPhraseByLabel($uppercase_label, $original_label, $allow_editing = true, $use_admin = false) { - if ( !$allow_editing && !$use_admin && !isset($this->_missingPhrases[$label]) && isset($this->Phrases[$label]) ) { - // label is aready translated, but it's version without on the fly translation code is requested - $this->Phrases['NE:' . $label] = $this->Phrases[$label]; + if ( !$allow_editing && !$use_admin && !isset($this->_missingPhrases[$uppercase_label]) && isset($this->Phrases[$uppercase_label]) ) { + // label is already translated, but it's version without on the fly translation code is requested + $this->Phrases['NE:' . $uppercase_label] = $this->Phrases[$uppercase_label]; return true; } 
@@ -263,31 +301,27 @@ $sql = 'SELECT PhraseId, l' . $language_id . '_Translation AS Translation, l' . $language_id . '_HintTranslation AS HintTranslation, l' . $language_id . '_ColumnTranslation AS ColumnTranslation FROM ' . TABLE_PREFIX . 'LanguageLabels - WHERE (PhraseKey = ' . $this->Conn->qstr($label) . ') AND (l' . $language_id . '_Translation IS NOT NULL)'; + WHERE (PhraseKey = ' . $this->Conn->qstr($uppercase_label) . ') AND (l' . $language_id . '_Translation IS NOT NULL)'; $res = $this->Conn->GetRow($sql); if ($res === false || count($res) == 0) { - $translation = '!' . $label . '!'; + $translation = '!' . $uppercase_label . '!'; if ($this->_editMissing && $allow_editing) { - $original_label = explode(':', $original_label, 2); - $edit_url = str_replace('#LABEL#', end($original_label), $this->_editLinkMask); - $translation = '<' . $this->_translateHtmlTag . ' href="' . $edit_url . '" name="cms-translate-phrase" title="Translate">!' . $label . '!_translateHtmlTag . '>'; + list (, $original_label) = $this->parseLabel($original_label); + $edit_url = $this->getEditLink($original_label); + $translation = $this->getEditHtmlCode($edit_url, $translation, 'Translate'); - if ($this->fromTag) { - $translation = $this->escapeTagReserved($translation); - } - - $this->_missingPhrases[$label] = true; // add as key for faster accessing + $this->_missingPhrases[$uppercase_label] = true; // add as key for faster accessing } - // add it as already cached, as long as we dont need to cache not found phrase - $this->AddCachedPhrase($label, $translation, $allow_editing); + // add it as already cached, as long as we don't need to cache not found phrase + $this->AddCachedPhrase($uppercase_label, $translation, $allow_editing); return false; } - $cache_key = ($allow_editing ? '' : 'NE:') . $label; + $cache_key = ($allow_editing ? '' : 'NE:') . $uppercase_label; $this->Phrases[$cache_key] = $res; array_push($this->Ids, $res['PhraseId']); 
@@ -297,6 +331,22 @@ } /** + * Parse label into translation field prefix and actual label. + * + * @param string $label Phrase label. + * + * @return array + */ + protected function parseLabel($label) + { + if ( strpos($label, ':') === false || preg_match('/^(HINT|COLUMN):(.*)$/i', $label, $regs) == 0 ) { + return array('', $label); + } + + return array($regs[1], $regs[2]); + } + + /** * Sort params by name and then by length * * @param string $a @@ -355,9 +405,10 @@ */ function escapeTagReserved($text) { - $reserved = Array('"',"'"); // = - $replacement = Array('\"',"\'"); // \= - return str_replace($reserved,$replacement,$text); + $reserved = Array('"', "'"); // = + $replacement = Array('\"', "\'"); // \= + + return str_replace($reserved, $replacement, $text); } } \ No newline at end of file Index: branches/5.2.x/core/admin_templates/browser/browser_footer.tpl =================================================================== diff -u -N -r14244 -r15856 --- branches/5.2.x/core/admin_templates/browser/browser_footer.tpl (.../browser_footer.tpl) (revision 14244) +++ branches/5.2.x/core/admin_templates/browser/browser_footer.tpl (.../browser_footer.tpl) (revision 15856) @@ -5,9 +5,9 @@ if (el) { document.body.style.height = '100%'; document.body.style.overflow = 'hidden'; - document.body.scroll = 'no' + document.body.scroll = 'no'; - var _Simultanious_Edit_Message = ''; + var _Simultaneous_Edit_Message = ''; var _DropTempUrl = ''; addLoadEvent(function() {Form.Init('scroll_container')}); } Index: branches/5.2.x/core/admin_templates/tree.tpl =================================================================== diff -u -N -r15323 -r15856 --- branches/5.2.x/core/admin_templates/tree.tpl (.../tree.tpl) (revision 15323) +++ branches/5.2.x/core/admin_templates/tree.tpl (.../tree.tpl) (revision 15856) 
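Review bot: parseLabel's docblock says only `@return array`, yet every caller destructures the result with `list(...)`, so spell out the shape: `@return array Two-element list: the matched prefix ('HINT'/'COLUMN' as written in the label, or '' when absent) and the remaining label.` One small behavioural difference from the substr checks it replaces: `(.*)$` without the `s` modifier does not match a label containing a newline, which would then come back as an unprefixed label; `/^(HINT|COLUMN):(.*)$/is` keeps the old behaviour, although such labels are probably nonexistent. The `strpos` pre-check is redundant with the regex but harmless.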
@@ -134,7 +134,8 @@ getFrame('head').$('#extra_toolbar').html(''); } - var $phrase = ""; + var $phrase = ''; + if (getFrame('main').$edit_mode) { return confirm($phrase) ? true : false; } Index: branches/5.2.x/core/install.php =================================================================== diff -u -N -r15725 -r15856 --- branches/5.2.x/core/install.php (.../install.php) (revision 15725) +++ branches/5.2.x/core/install.php (.../install.php) (revision 15856) @@ -1,6 +1,6 @@ errorMessage = 'Query:
'.htmlspecialchars($sql, null, 'UTF-8').'
execution result is error:
['.$code.'] '.$msg; + $this->errorMessage = 'Query:
'.htmlspecialchars($sql, ENT_QUOTES, 'UTF-8').'
execution result is error:
['.$code.'] '.$msg; return true; } Index: branches/5.2.x/core/units/logs/change_logs/changes_formatter.php =================================================================== diff -u -N -r15601 -r15856 --- branches/5.2.x/core/units/logs/change_logs/changes_formatter.php (.../changes_formatter.php) (revision 15601) +++ branches/5.2.x/core/units/logs/change_logs/changes_formatter.php (.../changes_formatter.php) (revision 15856) @@ -1,6 +1,6 @@ ', "", $text); + + return $text; + } + + if ( $strategy == self::ESCAPE_URL ) { + return rawurlencode($text); + } + + if ( $strategy == self::ESCAPE_RAW ) { + return $text; + } + + throw new InvalidArgumentException(sprintf('Unknown escape strategy "%s"', $strategy)); + } + } /** Index: branches/5.2.x/core/units/content/content_eh.php =================================================================== diff -u -N -r15325 -r15856 --- branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 15325) +++ branches/5.2.x/core/units/content/content_eh.php (.../content_eh.php) (revision 15856) @@ -1,6 +1,6 @@ getTransitParams(); foreach ($transit_params as $param_name => $param_value) { - $event->SetRedirectParam($param_name, urlencode($param_value)); + $event->SetRedirectParam($param_name, kUtil::escape($param_value, kUtil::ESCAPE_URL)); } } Index: branches/5.2.x/core/units/admin/admin_tag_processor.php =================================================================== diff -u -N -r15618 -r15856 --- branches/5.2.x/core/units/admin/admin_tag_processor.php (.../admin_tag_processor.php) (revision 15618) +++ branches/5.2.x/core/units/admin/admin_tag_processor.php (.../admin_tag_processor.php) (revision 15856) @@ -1,6 +1,6 @@ Application->Phrase($params['label']); - $ret = str_replace(Array('<', '>', 'br/', 'br /', "\n", "\r"), Array('<', '>', 'br', 'br', '', ''), $ret); - if (getArrayValue($params, 'escape')) { - $ret = addslashes($ret); - } - $ret = str_replace('
', '\n', $ret); - return $ret; - } - /** * Draws section tabs using block name passed * @@ -978,10 +967,9 @@ foreach ($a_data as $a_row) { $cells = ''; - $a_row = array_map('htmlspecialchars', $a_row); foreach ($a_row as $value) { - $cells .= '' . $value . ''; + $cells .= '' . kUtil::escape($value, kUtil::ESCAPE_HTML) . ''; } $ret .= $this->Application->ParseBlock(Array ('name' => $block, 'cells' => $cells)); Index: branches/5.2.x/core/admin_templates/js/forms.js =================================================================== diff -u -N -r15804 -r15856 --- branches/5.2.x/core/admin_templates/js/forms.js (.../forms.js) (revision 15804) +++ branches/5.2.x/core/admin_templates/js/forms.js (.../forms.js) (revision 15856) @@ -197,8 +197,8 @@ this.displayFirstError(); - if (_Simultanious_Edit_Message != '') { - alert(_Simultanious_Edit_Message); + if (_Simultaneous_Edit_Message != '') { + alert(_Simultaneous_Edit_Message); } this.InitOnChange(); Index: branches/5.2.x/core/install/upgrades.sql =================================================================== diff -u -N -r15761 -r15856 --- branches/5.2.x/core/install/upgrades.sql (.../upgrades.sql) (revision 15761) +++ branches/5.2.x/core/install/upgrades.sql (.../upgrades.sql) (revision 15856) @@ -2890,3 +2890,8 @@ WHERE ModuleOwner = 'In-Portal' AND Section = 'in-portal:configure_categories' AND DisplayOrder > 10.10 AND DisplayOrder < 20; INSERT INTO SystemSettings VALUES(DEFAULT, 'CheckViewPermissionsInCatalog', '1', 'In-Portal', 'in-portal:configure_categories', 'la_title_General', 'la_config_CheckViewPermissionsInCatalog', 'radio', NULL, '1=la_Yes||0=la_No', 10.11, 0, 1, 'hint:la_config_CheckViewPermissionsInCatalog'); + +# ===== v 5.2.1-RC1 ===== +UPDATE LanguageLabels +SET l1_Translation = REPLACE(l1_Translation, '
', '\n') +WHERE PhraseKey = 'LA_EDITINGINPROGRESS'; Index: branches/5.2.x/core/units/configuration/configuration_event_handler.php =================================================================== diff -u -N -r15781 -r15856 --- branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 15781) +++ branches/5.2.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 15856) @@ -1,6 +1,6 @@ ' . $of_label . ' ' . $suggestion_module . ''; - echo '' . htmlspecialchars($suggestion_title, null, CHARSET) . ''; + echo '' . kUtil::escape($suggestion_title, kUtil::ESCAPE_HTML) . ''; } echo ''; Index: branches/5.2.x/core/install/install_toolkit.php =================================================================== diff -u -N -r15601 -r15856 --- branches/5.2.x/core/install/install_toolkit.php (.../install_toolkit.php) (revision 15601) +++ branches/5.2.x/core/install/install_toolkit.php (.../install_toolkit.php) (revision 15856) @@ -1,6 +1,6 @@ Conn->Query($sql); if ($this->Conn->getErrorCode() != 0) { if (is_object($this->_installator)) { - $this->_installator->errorMessage = 'Error: ('.$this->Conn->getErrorCode().') '.$this->Conn->getErrorMsg().'

Last Database Query:
'; + $this->_installator->errorMessage = 'Error: ('.$this->Conn->getErrorCode().') '.$this->Conn->getErrorMsg().'

Last Database Query:
'; $this->_installator->LastQueryNum = $i + 1; } return false; @@ -728,7 +728,7 @@ $image_src = $this->Application->BaseURL() . $image_src; } - $ret[] = '' . htmlspecialchars($module_name, null, 'UTF-8') . ''; + $ret[] = '' . htmlspecialchars($module_name, ENT_QUOTES, 'UTF-8') . ''; } if (array_key_exists('description', $module_info) && $module_info['description']) { Index: branches/5.2.x/core/kernel/processors/main_processor.php =================================================================== diff -u -N -r15615 -r15856 --- branches/5.2.x/core/kernel/processors/main_processor.php (.../main_processor.php) (revision 15615) +++ branches/5.2.x/core/kernel/processors/main_processor.php (.../main_processor.php) (revision 15856) @@ -1,6 +1,6 @@ 0, - 'next_template' => urlencode('external:' . $_SERVER['REQUEST_URI']), + 'next_template' => kUtil::escape('external:' . $_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL), ); } else { Index: branches/5.2.x/core/kernel/utility/http_query.php =================================================================== diff -u -N -r15707 -r15856 --- branches/5.2.x/core/kernel/utility/http_query.php (.../http_query.php) (revision 15707) +++ branches/5.2.x/core/kernel/utility/http_query.php (.../http_query.php) (revision 15856) @@ -1,6 +1,6 @@ Application->isAdmin) { - $value = htmlspecialchars($value, null, CHARSET); + // TODO: always escape output instead of input + $value = kUtil::escape($value, kUtil::ESCAPE_HTML); } $array[$key] = $value; Index: branches/5.2.x/core/units/helpers/file_helper.php =================================================================== diff -u -N -r15803 -r15856 --- branches/5.2.x/core/units/helpers/file_helper.php (.../file_helper.php) (revision 15803) +++ branches/5.2.x/core/units/helpers/file_helper.php (.../file_helper.php) (revision 15856) 
@@ -1,6 +1,6 @@ Application->BaseURL(), '/') . $url; Index: branches/5.2.x/core/admin_templates/incs/menu_blocks.tpl =================================================================== diff -u -N -r14572 -r15856 --- branches/5.2.x/core/admin_templates/incs/menu_blocks.tpl (.../menu_blocks.tpl) (revision 14572) +++ branches/5.2.x/core/admin_templates/incs/menu_blocks.tpl (.../menu_blocks.tpl) (revision 15856) @@ -3,7 +3,7 @@ - $Menus[''].addItem(rs('.filter.', true), '', 'javascript:',); + $Menus[''].addItem(rs('.filter.', true), '', 'javascript:',); @@ -39,7 +39,7 @@ $Menus[''+'_filter_menu'].addSeparator(); - + // per page menu $Menus[''+'_perpage_menu'] = menuMgr.createMenu(rs('.perpage.menu')); @@ -59,7 +59,7 @@ $Menus[''+'_view_menu'].showIcon = true; - $Menus[''+'_view_menu'].addItem(rs('.columns'),'','javascript:openSelector("", "")'); + $Menus[''+'_view_menu'].addItem(rs('.columns'),'','javascript:openSelector("", "")'); @@ -69,11 +69,11 @@ $Menus[''+'_view_menu'].addItem(rs('.filters'), '', 'javascript:void()', null, true, null, rs('.filter.menu'), null); - + $Menus[''+'_view_menu'].addItem(rs('.perpage'), '', 'javascript:void()', null, true, null, rs('.perpage.menu'), null); - + $MenuNames[''+'_view_menu'] = ''; Application.processHooks(':OnCreateViewMenu'); Index: branches/5.2.x/core/units/helpers/permissions_helper.php =================================================================== diff -u -N -r15761 -r15856 --- branches/5.2.x/core/units/helpers/permissions_helper.php (.../permissions_helper.php) (revision 15761) +++ branches/5.2.x/core/units/helpers/permissions_helper.php (.../permissions_helper.php) (revision 15856) 
@@ -1,6 +1,6 @@ SetRedirectParam('m_cat_id', 0); // category means nothing on admin login screen - $event->SetRedirectParam('next_template', urlencode('external:' . $_SERVER['REQUEST_URI'])); + $event->SetRedirectParam('next_template', kUtil::escape('external:' . $_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL)); } else { $event->SetRedirectParam('next_template', $this->Application->GetVar('t')); @@ -500,7 +500,7 @@ // TODO: $next_t variable is ignored !!! (is anyone using m_RequireLogin tag with "next_template" parameter?) $redirect_params = Array ( 'm_cat_id' => 0, // category means nothing on admin login screen - 'next_template' => urlencode('external:' . $_SERVER['REQUEST_URI']), + 'next_template' => kUtil::escape('external:' . $_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL), ); } else { Index: branches/5.2.x/core/units/forms/form_submissions/form_submissions_eh.php =================================================================== diff -u -N -r15608 -r15856 --- branches/5.2.x/core/units/forms/form_submissions/form_submissions_eh.php (.../form_submissions_eh.php) (revision 15608) +++ branches/5.2.x/core/units/forms/form_submissions/form_submissions_eh.php (.../form_submissions_eh.php) (revision 15856) 
@@ -1,6 +1,6 @@ Application->recallObject('theme.current'); /* @var $theme kDBItem */ - $template = htmlspecialchars_decode($this->Application->GetVar('success_template')); // kHTTPQuery do htmlspecialchars on everything + $template = htmlspecialchars_decode($this->Application->GetVar('success_template')); // kHTTPQuery do kUtil::escape() on everything on Front-End $alias_template = $theme->GetField('TemplateAliases', $template); $event->redirect = $alias_template ? $alias_template : $template; Index: branches/5.2.x/core/units/fck/fck_eh.php =================================================================== diff -u -N -r15601 -r15856 --- branches/5.2.x/core/units/fck/fck_eh.php (.../fck_eh.php) (revision 15601) +++ branches/5.2.x/core/units/fck/fck_eh.php (.../fck_eh.php) (revision 15856) @@ -1,6 +1,6 @@ Application->HREF($template, '_FRONT_END_', array('pass' => 'm'), 'index.php'); - $res .= '' . "\n"; + $res .= '' . "\n"; } $res.= ""; Index: branches/5.2.x/core/kernel/utility/temp_handler.php =================================================================== diff -u -N -r15554 -r15856 --- branches/5.2.x/core/kernel/utility/temp_handler.php (.../temp_handler.php) (revision 15554) +++ branches/5.2.x/core/kernel/utility/temp_handler.php (.../temp_handler.php) (revision 15856) @@ -1,6 +1,6 @@ MasterEvent = $this->parentEvent; - + if ( isset($foreign_key) ) { $event->setEventParam('foreign_key', $foreign_key); } 
@@ -1043,7 +1043,7 @@ $users = $this->Conn->GetCol($sql); if ($users) { - $this->Application->SetVar('_simultanious_edit_message', + $this->Application->SetVar('_simultaneous_edit_message', sprintf($this->Application->Phrase('la_record_being_edited_by'), join(",\n", $users)) ); Index: branches/5.2.x/core/kernel/utility/debugger.php =================================================================== diff -u -N -r15740 -r15856 --- branches/5.2.x/core/kernel/utility/debugger.php (.../debugger.php) (revision 15740) +++ branches/5.2.x/core/kernel/utility/debugger.php (.../debugger.php) (revision 15856) @@ -1,6 +1,6 @@ no value'; } else { - $value = htmlspecialchars($this->print_r($value, true), null, 'UTF-8'); + $value = htmlspecialchars($this->print_r($value, true), ENT_QUOTES, 'UTF-8'); } echo '' . $prefix . '' . $key . '' . $value . ''; Index: branches/5.2.x/core/kernel/managers/plain_url_processor.php =================================================================== diff -u -N -r15389 -r15856 --- branches/5.2.x/core/kernel/managers/plain_url_processor.php (.../plain_url_processor.php) (revision 15389) +++ branches/5.2.x/core/kernel/managers/plain_url_processor.php (.../plain_url_processor.php) (revision 15856) @@ -1,6 +1,6 @@ Application->ConfigValue('GoogleMapsURL').'output=xml&key='. - $this->Application->ConfigValue('GoogleMapsKey').'&q='.urlencode($qaddress); + $this->Application->ConfigValue('GoogleMapsKey').'&q='.kUtil::escape($qaddress, kUtil::ESCAPE_URL); $curl_helper = $this->Application->recallObject('CurlHelper'); /* @var $curl_helper kCurlHelper */ Index: branches/5.2.x/core/kernel/nparser/nparser.php =================================================================== diff -u -N -r15783 -r15856 --- branches/5.2.x/core/kernel/nparser/nparser.php (.../nparser.php) (revision 15783) +++ branches/5.2.x/core/kernel/nparser/nparser.php (.../nparser.php) (revision 15856) @@ -1,6 +1,6 @@ +
%s Index: branches/5.2.x/core/units/helpers/curl_helper.php =================================================================== diff -u -N -r15514 -r15856 --- branches/5.2.x/core/units/helpers/curl_helper.php (.../curl_helper.php) (revision 15514) +++ branches/5.2.x/core/units/helpers/curl_helper.php (.../curl_helper.php) (revision 15856) @@ -1,6 +1,6 @@ Application->HttpQuery->_transformArrays($data); foreach ($data as $key => $value) { - $params_str .= $key . '=' . urlencode($value) . '&'; + $params_str .= $key . '=' . kUtil::escape($value, kUtil::ESCAPE_URL) . '&'; } $data = $params_str; Index: branches/5.2.x/core/kernel/managers/rewrite_url_processor.php =================================================================== diff -u -N -r15805 -r15856 --- branches/5.2.x/core/kernel/managers/rewrite_url_processor.php (.../rewrite_url_processor.php) (revision 15805) +++ branches/5.2.x/core/kernel/managers/rewrite_url_processor.php (.../rewrite_url_processor.php) (revision 15856) @@ -1,6 +1,6 @@ Application->isAdmin && isset($options['allow_html']) && $options['allow_html'] ) { - // this allows to revert htmlspecialchars call for each field submitted on front-end + // this allows to revert kUtil::escape() call for each field submitted on Front-End $value = htmlspecialchars_decode($value); } Index: branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php =================================================================== diff -u -N -r15788 -r15856 --- branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (.../upload_formatter.php) (revision 15788) +++ branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (.../upload_formatter.php) (revision 15856) 
@@ -1,6 +1,6 @@ Application->isAdmin ) { - // this allows to revert htmlspecialchars call for each field submitted on front-end + // this allows to revert kUtil::escape() call for each field submitted on front-end $value = is_array($value) ? array_map('htmlspecialchars_decode', $value) : htmlspecialchars_decode($value); } @@ -487,7 +487,7 @@ $url_params = Array ( 'no_amp' => 1, 'pass' => 'm,'.$object->Prefix, $object->Prefix . '_event' => 'OnViewFile', - 'file' => rawurlencode($value), 'field' => $field_name + 'file' => kUtil::escape($value, kUtil::ESCAPE_URL), 'field' => $field_name ); return $this->Application->HREF('', '', $url_params); Index: branches/5.2.x/core/kernel/application.php =================================================================== diff -u -N -r15727 -r15856 --- branches/5.2.x/core/kernel/application.php (.../application.php) (revision 15727) +++ branches/5.2.x/core/kernel/application.php (.../application.php) (revision 15856) @@ -1,6 +1,6 @@ isAdmin ? '' : '?next_template=' . urlencode($_SERVER['REQUEST_URI']); + $query_string = ''; // $this->isAdmin ? '' : '?next_template=' . kUtil::escape($_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL); if ( file_exists(FULL_PATH . $maintenance_page) ) { header('Location: ' . BASE_PATH . $maintenance_page . $query_string); 
@@ -1023,7 +1023,7 @@ $redirect_params = Array (); if ( !$this->isAdmin ) { - $redirect_params['next_template'] = urlencode($_SERVER['REQUEST_URI']); + $redirect_params['next_template'] = kUtil::escape($_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL); } $this->Redirect($maintenance_template, $redirect_params); Index: branches/5.2.x/core/units/categories/categories_tag_processor.php =================================================================== diff -u -N -r15734 -r15856 --- branches/5.2.x/core/units/categories/categories_tag_processor.php (.../categories_tag_processor.php) (revision 15734) +++ branches/5.2.x/core/units/categories/categories_tag_processor.php (.../categories_tag_processor.php) (revision 15856) @@ -1,6 +1,6 @@ Application->recallObject('CurlHelper'); /* @var $curl_helper kCurlHelper */ - $xml_data = $curl_helper->Send( $url . urlencode($keywords) ); + $xml_data = $curl_helper->Send( $url . kUtil::escape($keywords, kUtil::ESCAPE_URL) ); $xml_helper = $this->Application->recallObject('kXMLHelper'); /* @var $xml_helper kXMLHelper */ @@ -1461,8 +1461,9 @@ 'editingMode' => (int)EDITING_MODE, ); + $site_name = strip_tags($this->Application->ConfigValue('Site_Name')); $ret .= "var aTemplateManager = new TemplateManager(" . json_encode($class_params) . ");\n"; - $ret .= "var main_title = '" . addslashes( $this->Application->ConfigValue('Site_Name') ) . "';" . "\n"; + $ret .= "var main_title = '" . kUtil::escape($site_name, kUtil::ESCAPE_JS) . "';" . "\n"; $use_popups = (int)$this->Application->ConfigValue('UsePopups'); $ret .= "var \$use_popups = " . ($use_popups > 0 ? 'true' : 'false') . ";\n"; 
@@ -1479,8 +1480,10 @@ $browse_url = $this->Application->HREF('catalog/catalog', ADMIN_DIRECTORY, $url_params, 'index.php'); $browse_url = preg_replace('/&(admin|editing_mode)=[\d]/', '', $browse_url); + $admin_title = strip_tags($this->Application->Phrase('la_AdministrativeConsole', false)); + $ret .= ' - set_window_title(document.title + \' - ' . addslashes($this->Application->Phrase('la_AdministrativeConsole', false)) . '\'); + set_window_title(document.title + \' - ' . kUtil::escape($admin_title, kUtil::ESCAPE_JS) . '\'); t = \'' . $this->Application->GetVar('t') . '\'; @@ -1708,7 +1711,7 @@ { $phrase = $this->Application->Phrase($title, false, true); - return $tabs . 'a_toolbar.AddButton( new ToolBarButton("' . $name . '", "' . htmlspecialchars($phrase, null, CHARSET) . '") );'; + return $tabs . 'a_toolbar.AddButton( new ToolBarButton("' . $name . '", "' . kUtil::escape($phrase, kUtil::ESCAPE_HTML . '+' . kUtil::ESCAPE_JS) . '") );'; } function _getThemeFileId() Index: branches/5.2.x/core/units/helpers/deployment_helper.php =================================================================== diff -u -N -r15728 -r15856 --- branches/5.2.x/core/units/helpers/deployment_helper.php (.../deployment_helper.php) (revision 15728) +++ branches/5.2.x/core/units/helpers/deployment_helper.php (.../deployment_helper.php) (revision 15856) @@ -1,6 +1,6 @@ isCommandLine ) { - echo htmlspecialchars($this->_runShellScript()); + echo kUtil::escape($this->_runShellScript()); echo '' . PHP_EOL; } @@ -499,7 +499,8 @@ } elseif ( $sql ) { $this->toLog($sql . ' ... ', false); - echo mb_substr(trim(preg_replace('/(\n|\t| )+/is', ' ', ($this->isCommandLine ? $sql : htmlspecialchars($sql, null, CHARSET)))), 0, self::SQL_TRIM_LENGTH) . ' ... '; + $escaped_sql = $this->isCommandLine ? $sql : kUtil::escape($sql); + echo mb_substr(trim(preg_replace('/(\n|\t| )+/is', ' ', $escaped_sql)), 0, self::SQL_TRIM_LENGTH) . ' ... '; $this->Conn->Query($sql); 
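Review bot: In the `@@ -1708` hunk the strategy argument `kUtil::ESCAPE_HTML . '+' . kUtil::ESCAPE_JS` is a composite, but the part of kUtil::escape visible in this diff compares `$strategy` against single constants and throws InvalidArgumentException for anything else; if the '+' splitting is handled above the visible lines that is fine, but the order matters here — HTML first and then JS is what a value placed in a JS string literal and later used as markup needs — so a call-site comment, `// escape for HTML first, then for the JS string literal it is embedded in`, would stop the next reader from swapping them. In the `@@ -1479` hunk, the context line `t = \'' . $this->Application->GetVar('t') . '\';` still interpolates a request variable into the same script block unescaped; unless `t` is validated elsewhere, `kUtil::escape($this->Application->GetVar('t'), kUtil::ESCAPE_JS)` there would be consistent with the `$admin_title` line just above it.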
@@ -640,26 +641,10 @@ $html_color = $html_color_map[$color][$bold ? 'bold' : 'normal']; - return '' . htmlspecialchars($text, null, CHARSET) . ''; + return '' . kUtil::escape($text, kUtil::ESCAPE_HTML) . ''; } /** - * Makes given text bold - * - * @param string $text - * @return string - * @access private - */ - private function boldText($text) - { - if ( $this->isCommandLine ) { - return "\033[1m" . $text . "\033[0m"; - } - - return '' . htmlspecialchars($text, null, CHARSET) . ''; - } - - /** * Displays last command execution status * * @param string $status_text @@ -688,7 +673,7 @@ private function out($text, $new_line = false) { if ( !$this->isCommandLine ) { - $text = htmlspecialchars($text, null, CHARSET); + $text = kUtil::escape($text); } echo $text . ($new_line ? PHP_EOL : ''); Index: branches/5.2.x/core/units/helpers/xml_helper.php =================================================================== diff -u -N -r15601 -r15856 --- branches/5.2.x/core/units/helpers/xml_helper.php (.../xml_helper.php) (revision 15601) +++ branches/5.2.x/core/units/helpers/xml_helper.php (.../xml_helper.php) (revision 15856) @@ -1,6 +1,6 @@ OriginalAttributes as $name => $value) { - $att_contents[] = $name.'="'.htmlspecialchars($value, null, CHARSET).'"'; + $att_contents[] = $name.'="'.kUtil::escape($value, kUtil::ESCAPE_HTML).'"'; } $xml .= implode(' ', $att_contents); } Index: branches/5.2.x/core/admin_templates/logs/change_logs/change_log_edit.tpl =================================================================== diff -u -N -r14726 -r15856 --- branches/5.2.x/core/admin_templates/logs/change_logs/change_log_edit.tpl (.../change_log_edit.tpl) (revision 14726) +++ branches/5.2.x/core/admin_templates/logs/change_logs/change_log_edit.tpl (.../change_log_edit.tpl) (revision 15856) 
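Review bot: The `@@ -688` hunk (and `@@ -499` on the previous line) call `kUtil::escape($text)` with no strategy, while the `@@ -640` hunk in the same file passes `kUtil::ESCAPE_HTML` explicitly; all three emit into the same HTML output, so they should read the same way — `$text = kUtil::escape($text, kUtil::ESCAPE_HTML);`. The default strategy is not visible in this diff, and relying on it also hides that the old call's CHARSET argument has been dropped; if the helper hard-codes a charset, that belongs in a comment where the default is defined. The same implicit-default form appears in the `_runShellScript()` echo earlier in this file and in the `ApplicationDie(... kUtil::escape($tag->GetFullTag()) ...)` message near the top of the diff.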
@@ -73,9 +73,9 @@ - + - + Index: branches/5.2.x/core/units/helpers/controls/minput_helper.php =================================================================== diff -u -N -r15601 -r15856 --- branches/5.2.x/core/units/helpers/controls/minput_helper.php (.../minput_helper.php) (revision 15601) +++ branches/5.2.x/core/units/helpers/controls/minput_helper.php (.../minput_helper.php) (revision 15856) @@ -1,6 +1,6 @@ ' . htmlspecialchars($field_value, null, CHARSET) . ''; + $xml .= '' . kUtil::escape($field_value, kUtil::ESCAPE_HTML) . ''; } $xml .= ''; } Index: branches/5.2.x/core/kernel/db/db_event_handler.php =================================================================== diff -u -N -r15812 -r15856 --- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15812) +++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15856) @@ -1,6 +1,6 @@ 0, - 'next_template' => urlencode('external:' . $_SERVER['REQUEST_URI']), + 'next_template' => kUtil::escape('external:' . $_SERVER['REQUEST_URI'], kUtil::ESCAPE_URL), ); } else { @@ -1835,10 +1835,10 @@ $event->SetRedirectParam($event->getPrefixSpecial() . '_id', array_shift($ids)); $event->SetRedirectParam('pass', 'all,' . $event->getPrefixSpecial()); - $simultaneous_edit_message = $this->Application->GetVar('_simultanious_edit_message'); + $simultaneous_edit_message = $this->Application->GetVar('_simultaneous_edit_message'); if ( $simultaneous_edit_message ) { - $event->SetRedirectParam('_simultanious_edit_message', urlencode($simultaneous_edit_message)); + $event->SetRedirectParam('_simultaneous_edit_message', kUtil::escape($simultaneous_edit_message, kUtil::ESCAPE_URL)); } } @@ -3517,7 +3517,7 @@ echo ''; foreach ($data as $item) { - echo '' . htmlspecialchars($item, null, CHARSET) . ''; + echo '' . kUtil::escape($item, kUtil::ESCAPE_HTML) . ''; } echo '';