PHRAS-2276 port to 4.1 template escape (#2819)
* fix escape lightbox * fix escape in admin connected-user * fix prod escaping * fix escaping in thesaurus * escape when rendered * escape in controller
@@ -90,35 +90,44 @@ class RecordController extends Controller
|
|||||||
}
|
}
|
||||||
$recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos();
|
$recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos();
|
||||||
|
|
||||||
|
// escape record title before rendering
|
||||||
|
$recordTitle = explode("</span>", $record->get_title());
|
||||||
|
if (count($recordTitle) >1) {
|
||||||
|
$recordTitle[1] = htmlspecialchars($recordTitle[1]);
|
||||||
|
$recordTitle = implode("</span>", $recordTitle);
|
||||||
|
} else {
|
||||||
|
$recordTitle = htmlspecialchars($record->get_title());
|
||||||
|
}
|
||||||
|
|
||||||
return $this->app->json([
|
return $this->app->json([
|
||||||
"desc" => $this->render('prod/preview/caption.html.twig', [
|
"desc" => $this->render('prod/preview/caption.html.twig', [
|
||||||
'record' => $record,
|
'record' => $record,
|
||||||
'highlight' => $query,
|
'highlight' => $query,
|
||||||
'searchEngine' => $searchEngine,
|
'searchEngine' => $searchEngine,
|
||||||
'searchOptions' => $options,
|
'searchOptions' => $options,
|
||||||
]),
|
]),
|
||||||
"recordCaptions"=> $recordCaptions,
|
"recordCaptions" => $recordCaptions,
|
||||||
"html_preview" => $this->render('common/preview.html.twig', [
|
"html_preview" => $this->render('common/preview.html.twig', [
|
||||||
'record' => $record
|
'record' => $record
|
||||||
]),
|
]),
|
||||||
"others" => $this->render('prod/preview/appears_in.html.twig', [
|
"others" => $this->render('prod/preview/appears_in.html.twig', [
|
||||||
'parents' => $record->get_grouping_parents(),
|
'parents' => $record->get_grouping_parents(),
|
||||||
'baskets' => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()),
|
'baskets' => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()),
|
||||||
]),
|
]),
|
||||||
"current" => $train,
|
"current" => $train,
|
||||||
"record" => $currentRecord,
|
"record" => $currentRecord,
|
||||||
"history" => $this->render('prod/preview/short_history.html.twig', [
|
"history" => $this->render('prod/preview/short_history.html.twig', [
|
||||||
'record' => $record,
|
'record' => $record,
|
||||||
]),
|
]),
|
||||||
"popularity" => $this->render('prod/preview/popularity.html.twig', [
|
"popularity" => $this->render('prod/preview/popularity.html.twig', [
|
||||||
'record' => $record,
|
'record' => $record,
|
||||||
]),
|
]),
|
||||||
"tools" => $this->render('prod/preview/tools.html.twig', [
|
"tools" => $this->render('prod/preview/tools.html.twig', [
|
||||||
'record' => $record,
|
'record' => $record,
|
||||||
]),
|
]),
|
||||||
"pos" => $record->getNumber(),
|
"pos" => $record->getNumber(),
|
||||||
"title" => $record->get_title(),
|
"title" => $recordTitle,
|
||||||
"databox_name" => $record->getDatabox()->get_dbname(),
|
"databox_name" => $record->getDatabox()->get_dbname(),
|
||||||
"collection_name" => $record->getCollection()->get_name(),
|
"collection_name" => $record->getCollection()->get_name(),
|
||||||
"collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
|
"collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
|
||||||
]);
|
]);
|
||||||
|
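Review bot: The new title escaping only protects `$recordTitle[1]`: when `get_title()` contains more than one `</span>` the segments from index 2 onward are imploded back unescaped, and the text before the first `</span>` (segment 0, presumably the highlighting span and its inner text) is never escaped either, so the `title` field of the JSON is still a mix of markup and partly escaped data. Escaping every segment after the first closes the first gap (below); the leading segment can only be handled safely where that span is built, which is outside this hunk. `htmlspecialchars()` with its default flags also leaves single quotes alone on PHP versions before 8.1, so pass `ENT_QUOTES` if the client side ever places this value inside a single-quoted attribute. The enclosing method of `RecordController` starts before this hunk.
```php
$recordTitle = explode("</span>", $record->get_title());
if (count($recordTitle) > 1) {
    // escape every segment after the leading span, not only the second one
    $recordTitle = array_merge(
        [$recordTitle[0]],
        array_map('htmlspecialchars', array_slice($recordTitle, 1))
    );
    $recordTitle = implode("</span>", $recordTitle);
} else {
    $recordTitle = htmlspecialchars($record->get_title());
}
// … unchanged: json payload …
```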
@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
|
|||||||
if (!$t) {
|
if (!$t) {
|
||||||
$t = "...";
|
$t = "...";
|
||||||
}
|
}
|
||||||
$fullBranch = " / " . $t . $fullBranch;
|
$fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$nodes = $xpathstruct->query("/record/description/*");
|
$nodes = $xpathstruct->query("/record/description/*");
|
||||||
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
|
|||||||
'1',
|
'1',
|
||||||
null
|
null
|
||||||
);
|
);
|
||||||
$fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
|
$fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
|
||||||
$hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
|
$hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
|
||||||
|
|
||||||
$languages = $synonyms = [];
|
$languages = $synonyms = [];
|
||||||
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
|
|||||||
$languages[$lng_code[0]] = $language;
|
$languages[$lng_code[0]] = $language;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Escape path between span tag in fullpath_html
|
||||||
|
preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
|
||||||
|
|
||||||
|
$safeFullpath = '';
|
||||||
|
foreach($matches as $match) {
|
||||||
|
unset($match[0]); // full match result not used
|
||||||
|
$match[2] = htmlspecialchars($match[2]);
|
||||||
|
$safeFullpath .= implode('', $match);
|
||||||
|
}
|
||||||
|
|
||||||
return $this->render('thesaurus/properties.html.twig', [
|
return $this->render('thesaurus/properties.html.twig', [
|
||||||
'typ' => $request->get('typ'),
|
'typ' => $request->get('typ'),
|
||||||
'bid' => $request->get('bid'),
|
'bid' => $request->get('bid'),
|
||||||
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
|
|||||||
'id' => $request->get('id'),
|
'id' => $request->get('id'),
|
||||||
'dlg' => $request->get('dlg'),
|
'dlg' => $request->get('dlg'),
|
||||||
'languages' => $languages,
|
'languages' => $languages,
|
||||||
'fullpath' => $fullpath,
|
'fullpath' => $safeFullpath,
|
||||||
'hits' => $hits,
|
'hits' => $hits,
|
||||||
'synonyms' => $synonyms,
|
'synonyms' => $synonyms,
|
||||||
]);
|
]);
|
||||||
|
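Review bot: The `preg_match_all` rewrite of `$fullpathHtml` (hunk `@@ -1180`) keeps only what the three-group pattern matches, so any part of `fullpath_html` that is not enclosed between two tags — a leading segment, a separator between one closing tag and the next opening tag, a trailing segment — is silently dropped from `$safeFullpath`, while the tags captured in `$match[1]` and `$match[3]` are emitted verbatim, so a tag carried inside the XML value itself is not neutralised. Whether such unmatched text exists depends on how `fullpath_html` is produced, which is outside the hunk; a value shaped like `<span>a</span> / <span>b</span>` would lose its separators. A more robust shape is to escape the whole string first and then re-allow only the tags the template expects, for instance (if plain span tags are the only markup) `$safeFullpath = preg_replace('~&lt;(/?span)&gt;~', '<$1>', htmlspecialchars($fullpathHtml));`, which keeps every character and cannot let a foreign tag through. The `htmlspecialchars($t)` added in hunk `@@ -806` has the same default-flags caveat: single quotes are not escaped before PHP 8.1 unless `ENT_QUOTES` is passed.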
@@ -94,7 +94,7 @@
|
|||||||
<tbody>
|
<tbody>
|
||||||
{% for session in data['sessions'] %}
|
{% for session in data['sessions'] %}
|
||||||
{% set row = session['session'] %}
|
{% set row = session['session'] %}
|
||||||
<tr title="{{ _self.tooltip_connected_users(row) | raw }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}">
|
<tr title="{{ _self.tooltip_connected_users(row) | e }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}">
|
||||||
|
|
||||||
{% if row.getId() == app['session'].get('session_id') %}
|
{% if row.getId() == app['session'].get('session_id') %}
|
||||||
<td style="color:#ff0000"><i>{{ row.getUser().getDisplayName() }}</i></td>
|
<td style="color:#ff0000"><i>{{ row.getUser().getDisplayName() }}</i></td>
|
||||||
|
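Review bot: Changing `| raw` to `| e` on `tooltip_connected_users(row)` protects the `title` attribute, but the browser decodes the attribute back to the original string, so if the `usrTips` tooltip plugin injects that string as HTML (which the former `raw` suggests was the intent) the values interpolated inside the macro still need escaping where the macro builds its markup — the macro body is not in this hunk, so this is worth confirming. If the plugin only shows plain text, `| e` is the complete fix and the old markup was never rendered as markup anyway. A short comment on this line, e.g. `{# escaped for the attribute context; the tooltip plugin decides how the decoded value is rendered #}`, would stop the next reader from restoring `raw`.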
@@ -51,7 +51,7 @@
|
|||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<h2 class="title15">
|
<h2 class="title15">
|
||||||
{{basket.getName()|raw}}
|
{{basket.getName()|e}}
|
||||||
</h2>
|
</h2>
|
||||||
{% if basket.getValidation().isFinished() %}
|
{% if basket.getValidation().isFinished() %}
|
||||||
{{ '(validation) session terminee' | trans }}
|
{{ '(validation) session terminee' | trans }}
|
||||||
@@ -116,7 +116,7 @@
|
|||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<h2 class="title15">
|
<h2 class="title15">
|
||||||
{{ basket.getName()|raw}}
|
{{ basket.getName()|e}}
|
||||||
</h2>
|
</h2>
|
||||||
</td>
|
</td>
|
||||||
<td class="right">
|
<td class="right">
|
||||||
|
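Review bot: `{{basket.getName()|e}}` here and at `@@ -116` only changes behaviour if this template is rendered with autoescaping disabled; under Twig's default `html` autoescape the explicit `|e` is a no-op for strings, and the meaningful part of the change is dropping `|raw`. The same applies to the two `{{basket.getName()|e}}` lines in the following file (`@@ -19` and `@@ -99`), which previously had no filter at all — if autoescape is off for those templates, every other `{{ … }}` output in them needs the same treatment, not only this one. A brief comment next to the first occurrence stating which case applies would make the intent checkable. Minor: `{{ basket.getName()|e}}` at `@@ -116` differs in spacing from the other occurrences; `{{ basket.getName()|e }}` everywhere would be consistent.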
@@ -19,7 +19,7 @@
|
|||||||
<img src='/assets/common/images/icons/basket_push_unread.png' title=''/>
|
<img src='/assets/common/images/icons/basket_push_unread.png' title=''/>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<img src='/assets/common/images/icons/basket.png' title=''/>
|
<img src='/assets/common/images/icons/basket.png' title=''/>
|
||||||
{{basket.getName()}}
|
{{basket.getName()|e}}
|
||||||
</span>
|
</span>
|
||||||
</a>
|
</a>
|
||||||
<div class="menu">
|
<div class="menu">
|
||||||
@@ -99,7 +99,7 @@
|
|||||||
{% else %}
|
{% else %}
|
||||||
<img src='/assets/common/images/icons/basket.png' title=''/>
|
<img src='/assets/common/images/icons/basket.png' title=''/>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{{basket.getName()}}
|
{{basket.getName()|e}}
|
||||||
</span>
|
</span>
|
||||||
</a>
|
</a>
|
||||||
<div class="menu">
|
<div class="menu">
|
||||||
|
@@ -12,17 +12,17 @@
|
|||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<span class="name"><%= item.display_name %></span>
|
<span class="name"><%= htmlEncode(item.display_name) %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<span class="email"><i><%= item.email %></i></span>
|
<span class="email"><i><%= htmlEncode(item.email) %></i></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<span class="subtite"><%= item.subtitle || '' %></span>
|
<span class="subtite"><%= htmlEncode(item.subtitle) || '' %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
@@ -47,7 +47,7 @@
|
|||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<span class="name"><%= item.name %></span>
|
<span class="name"><%= htmlEncode(item.name) %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -81,12 +81,12 @@
|
|||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="name"><%= user.display_name %></span>
|
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="toggles">
|
<tr class="toggles">
|
||||||
@@ -201,12 +201,12 @@
|
|||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="name"><%= user.display_name %></span>
|
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="toggles">
|
<tr class="toggles">
|
||||||
@@ -242,12 +242,12 @@
|
|||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="name"><%= user.display_name %></span>
|
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="3">
|
<td colspan="3">
|
||||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="toggles">
|
<tr class="toggles">
|
||||||
@@ -267,3 +267,22 @@
|
|||||||
</div>
|
</div>
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
<script>
|
||||||
|
function htmlEncode(str) {
|
||||||
|
return str.replace(/[&"'<>]/g, function(c){
|
||||||
|
switch (c)
|
||||||
|
{
|
||||||
|
case "&":
|
||||||
|
return "&";
|
||||||
|
case "'":
|
||||||
|
return "'";
|
||||||
|
case '"':
|
||||||
|
return """;
|
||||||
|
case "<":
|
||||||
|
return "<";
|
||||||
|
case ">":
|
||||||
|
return ">";
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
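Review bot: `htmlEncode(item.subtitle) || ''` (and `htmlEncode(user.subtitle) || ''` in the `@@ -81`, `@@ -201` and `@@ -242` hunks) moves the `|| ''` fallback to the wrong side: the template previously tolerated a missing `subtitle`, but `htmlEncode(undefined)` now throws on `str.replace`, so the guard belongs inside the call, `htmlEncode(item.subtitle || '')`, or the function has to accept null. As rendered on this page the `switch` cases return the characters themselves (`return "&";`), which would make the function a no-op; if that is an artefact of the page rather than the source, ignore it, but the mapping is easier to verify as a lookup table (below). If these are Underscore/Lodash templates, `<%- item.display_name %>` already escapes and would remove the need for a page-global `htmlEncode` entirely.
```javascript
function htmlEncode(str) {
    // null/undefined become '' so `htmlEncode(item.subtitle)` cannot throw
    if (str == null) {
        return '';
    }
    var entities = { '&': '&amp;', "'": '&#39;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
    return String(str).replace(/[&"'<>]/g, function (c) {
        return entities[c];
    });
}
```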
@@ -16,11 +16,11 @@
|
|||||||
|
|
||||||
{% if context %}
|
{% if context %}
|
||||||
{% set zterm %}
|
{% set zterm %}
|
||||||
{% trans with {'%term%' : term, '%context%' : context} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
|
{% trans with {'%term%' : term | e, '%context%' : context | e} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
|
||||||
{% endset %}
|
{% endset %}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% set zterm %}
|
{% set zterm %}
|
||||||
{% trans with {'%term%' : term} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
|
{% trans with {'%term%' : term | e} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
|
||||||
{% endset %}
|
{% endset %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
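Review bot: The `| e` on `term` and `context` inside `trans with {…}` is presumably the only escaping these values get, since `{% set zterm %}…{% endset %}` captures the rendered block as safe markup and, as the change itself suggests, the trans tag substitutes placeholders without escaping them. A comment on the `{% set zterm %}` line such as `{# placeholders are escaped here: the captured block is emitted as-is later #}` would record that, since a future placeholder added without `| e` would silently reopen the hole. The spacing `term | e` here differs from `basket.getName()|e` elsewhere in the commit; either is fine, but one form throughout is easier to grep.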
@@ -338,6 +338,8 @@
|
|||||||
for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling )
|
for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling )
|
||||||
{
|
{
|
||||||
var lng = sy.getAttribute("lng");
|
var lng = sy.getAttribute("lng");
|
||||||
|
var v = escapeHtmlDataFromXML(sy.getAttribute("v"));
|
||||||
|
|
||||||
html += "<tr>";
|
html += "<tr>";
|
||||||
if(lng)
|
if(lng)
|
||||||
if(tFlags[lng])
|
if(tFlags[lng])
|
||||||
@@ -347,7 +349,7 @@
|
|||||||
else
|
else
|
||||||
html += "<td><span style='background-color:#cccccc'> ? </span></td>";
|
html += "<td><span style='background-color:#cccccc'> ? </span></td>";
|
||||||
|
|
||||||
html += "<td> "+sy.getAttribute("v")+"</td>";
|
html += "<td> "+ v +"</td>";
|
||||||
|
|
||||||
var hits = 0+sy.getAttribute("hits");
|
var hits = 0+sy.getAttribute("hits");
|
||||||
if(hits == 1)
|
if(hits == 1)
|
||||||
@@ -361,6 +363,12 @@
|
|||||||
return(html);
|
return(html);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Let the browser to do it
|
||||||
|
function escapeHtmlDataFromXML(data){
|
||||||
|
var d = document.createElement('div');
|
||||||
|
d.appendChild(document.createTextNode(data));
|
||||||
|
return d.innerHTML;
|
||||||
|
}
|
||||||
|
|
||||||
// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||||
//
|
//
|
||||||
|
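Review bot: `escapeHtmlDataFromXML` escapes only what text-node serialisation escapes — `&`, `<` and `>` — so `v` is safe where the new code uses it (element text in `html += "<td> "+ v +"</td>"`) but not inside an attribute value, where `"` and `'` pass through; the comment above the function should say so, e.g. `// Escapes &, < and > via text-node serialisation; for text content only, not attribute values`. `sy.getAttribute("v")` is null when the attribute is absent and `createTextNode(null)` yields the text "null", so `escapeHtmlDataFromXML(sy.getAttribute("v") || "")` avoids rendering that word. The comment `// Let the browser to do it` reads better as `// Let the browser do it`. The function that builds `html` starts before the first hunk of this file.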