escape when rendered

aina-esokia
2019-03-29 17:20:04 +04:00
parent 019498b5c4
commit 60c126c7b9
6 changed files with 68 additions and 31 deletions


@@ -597,7 +597,7 @@ class PushController extends Controller
private function formatUser(User $user)
{
$subtitle = array_filter([htmlspecialchars($user->getJob()), htmlspecialchars($user->getCompany())]);
$subtitle = array_filter([$user->getJob(), $user->getCompany()]);
return [
'type' => 'USER',
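Review bot: With `htmlspecialchars` dropped from the job/company values on the changed line, `formatUser()` now hands raw user-controlled strings to whoever renders this USER item, so every consumer of `subtitle` must HTML-encode it itself; the `<%= htmlEncode(...) %>` template changed in this same commit appears to be that consumer, but any other view or client reading this endpoint that was not updated here becomes an injection point. The contract should be written down where the data is produced, for example above the assignment: `// Raw values: output encoding is the renderer's responsibility (templates must htmlEncode subtitle).` The remainder of `formatUser()`, including how `$subtitle` is joined, is outside the hunk.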


@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
if (!$t) {
$t = "...";
}
$fullBranch = " / " . $t . $fullBranch;
$fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
}
}
$nodes = $xpathstruct->query("/record/description/*");
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
'1',
null
);
$fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
$fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
$hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
$languages = $synonyms = [];
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
$languages[$lng_code[0]] = $language;
}
// Escape path between span tag in fullpath_html
preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
$safeFullpath = '';
foreach($matches as $match) {
unset($match[0]); // full match result not used
$match[2] = htmlspecialchars($match[2]);
$safeFullpath .= implode('', $match);
}
return $this->render('thesaurus/properties.html.twig', [
'typ' => $request->get('typ'),
'bid' => $request->get('bid'),
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
'id' => $request->get('id'),
'dlg' => $request->get('dlg'),
'languages' => $languages,
'fullpath' => $fullpath,
'fullpath' => $safeFullpath,
'hits' => $hits,
'synonyms' => $synonyms,
]);
@@ -2128,7 +2138,7 @@ class ThesaurusController extends Controller
$sy = $sy_list->appendChild($ret->createElement("sy"));
$sy->setAttribute("id", $n->getAttribute("id"));
$sy->setAttribute("v", htmlspecialchars($t = $n->getAttribute("v")));
$sy->setAttribute("v", $t = $n->getAttribute("v"));
$sy->setAttribute("w", $n->getAttribute("w"));
$sy->setAttribute("hits", '');
$sy->setAttribute("lng", $lng = $n->getAttribute("lng"));
@@ -2177,7 +2187,7 @@ class ThesaurusController extends Controller
$firstsy = $goodsy = null;
for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
if ($n2->nodeName == "sy") {
$t = htmlspecialchars($n2->getAttribute("v"));
$t = $n2->getAttribute("v");
if (! $firstsy) {
$firstsy = $t;
}
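Review bot: The regex pass added after the `$languages` loop (`preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, …)`) treats every `<…>` sequence in `fullpath_html` as trusted markup and escapes only what sits between two such sequences, so a term that itself contains `<img src=x onerror=…>` passes through untouched, and any text not enclosed in a tag pair (leading text, text between a closing tag and the next opening tag, anything spanning a newline since `.` has no `s` modifier) is silently dropped from `$safeFullpath`. Escaping belongs where the term text is concatenated into the markup, not reconstructed afterwards; the `$fullBranch = " / " . htmlspecialchars($t) . $fullBranch;` change earlier in this file looks like exactly that point, and if `fullpath_html` is built from it, this second pass double-encodes (`R&D` becomes `R&amp;amp;D` on screen). I would keep exactly one of the two: either drop the regex block and pass `$fullpathHtml` through as the already-escaped producer output, documenting on the `fullpath_html` producer that text inside its tags is HTML-escaped, or leave the producer raw and escape with a real parser rather than a tag-shaped regex. Whether `fullpath_html` derives from `$fullBranch` is inferred from the names, not visible in these hunks.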


@@ -252,7 +252,7 @@ class ThesaurusXmlHttpController extends Controller
/** @var DOMElement $n2 */
for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
if ($n2->nodeName == "sy") {
$sy = htmlspecialchars($n2->getAttribute("v"));
$sy = $n2->getAttribute("v");
if (!$firstsy) {
$firstsy = $sy;
if ($request->get("debug")) {
@@ -441,7 +441,7 @@ class ThesaurusXmlHttpController extends Controller
for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
if ($n2->nodeName == "sy") {
$lng = $n2->getAttribute("lng");
$t = htmlspecialchars($n2->getAttribute("v"));
$t = $n2->getAttribute("v");
$ksy = $n2->getAttribute("w");
if ($k = $n2->getAttribute("k")) {
$ksy .= " ($k)";
@@ -586,7 +586,7 @@ class ThesaurusXmlHttpController extends Controller
for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
if ($n2->nodeName == "sy") {
$lng = $n2->getAttribute("lng");
$t = htmlspecialchars($n2->getAttribute("v"));
$t = $n2->getAttribute("v");
$ksy = $n2->getAttribute("w");
if ($k = $n2->getAttribute("k")) {
$ksy .= " ($k)";
@@ -843,7 +843,7 @@ class ThesaurusXmlHttpController extends Controller
for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
if ($n2->nodeName == 'sy') {
$lng = $n2->getAttribute('lng');
$t = htmlspecialchars($n2->getAttribute('v'));
$t = $n2->getAttribute('v');
$key = $n2->getAttribute('w'); // key of the current sy
if ($k = $n2->getAttribute('k')) {
$key .= ' (' . $k . ')';
@@ -920,7 +920,7 @@ class ThesaurusXmlHttpController extends Controller
$bid = $request->get('bid');
for ($i = 0; $i < $nodes->length; $i++) {
$n = $nodes->item($i);
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
$tid = $n->getAttribute('id');
$html .= '<p id=\'TH_T.' . $bid . '.' . $tid . '\'>';
@@ -967,7 +967,7 @@ class ThesaurusXmlHttpController extends Controller
$allsy = '';
for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
if ($n->nodeName == 'sy') {
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
if ($n->getAttribute('bold')) {
$allsy .= ( $allsy ? ' ; ' : '') . '<b id=\'TH_W.' . $bid . '.' . $n->getAttribute('id') . '\'>' . $t . '</b>';
} else {
@@ -1078,12 +1078,12 @@ class ThesaurusXmlHttpController extends Controller
$ret['result'] = array();
for ($i = 0; $i < $nodes->length; $i++) {
$n = $nodes->item($i);
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
$tid = $n->getAttribute('id');
$ret['result'][] = array(
'id' => $n->getAttribute('id'),
't' => htmlspecialchars($n->getAttribute('v')),
't' => $n->getAttribute('v'),
);
}
}
@@ -1103,7 +1103,7 @@ class ThesaurusXmlHttpController extends Controller
$allsy = array();
for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
if ($n->nodeName == 'sy') {
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
$allsy[] = array(
'id' => $n->getAttribute('id'),
't' => $t,
@@ -1190,7 +1190,7 @@ class ThesaurusXmlHttpController extends Controller
} else {
for ($i = 0; $i < $nodes->length; $i++) {
$n = $nodes->item($i);
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
$tid = $n->getAttribute('id');
$zhtml .= '<p id=\'TH_T.' . $bid . '.' . $tid . '\'>';
@@ -1213,7 +1213,7 @@ class ThesaurusXmlHttpController extends Controller
$allsy = '';
for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
if ($n->nodeName == 'sy') {
$t = htmlspecialchars($n->getAttribute('v'));
$t = $n->getAttribute('v');
if ($n->getAttribute('bold')) {
$allsy .= ( $allsy ? ' ; ' : '') . '<b id=\'GL_W.' . $bid . '.' . $n->getAttribute('id') . '\'>' . $t . '</b>';
} else {
@@ -1611,7 +1611,7 @@ class ThesaurusXmlHttpController extends Controller
if ($n2->nodeName == 'sy') {
$lng = $n2->getAttribute('lng');
$t = htmlspecialchars($n2->getAttribute('v'));
$t = $n2->getAttribute('v');
$key = $n2->getAttribute('w'); // key of the current sy
if ($k = $n2->getAttribute('k')) {
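Review bot: Dropping `htmlspecialchars` from `$t = $n->getAttribute('v')` in the hunks that build `$allsy` is a regression unless the result is escaped downstream, because two lines later the raw value is spliced straight into markup: `'<b id=\'TH_W.' . $bid . '.' . $n->getAttribute('id') . '\'>' . $t . '</b>'` (and likewise for `GL_W`). Removing the escaping is right for the JSON-returning branches (`$ret['result'][] = array('t' => …)`, `$allsy[] = array(…)`) and for the DOM `setAttribute` calls, where the client or the XML serialiser encodes, but in the `$html`/`$zhtml`/`$allsy` string builders the controller is the renderer and should keep `htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at the point of concatenation. The same builders also splice `$bid = $request->get('bid')` into a single-quoted `id` attribute without any encoding, which the commit leaves as is; `$bid` is request input and needs the same treatment or a strict format check. How `$html`/`$zhtml`/`$allsy` are emitted lies outside these hunks, so this assumes they are returned to the browser as raw HTML.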


@@ -12,17 +12,17 @@
<table>
<tr>
<td>
<span class="name"><%= item.display_name %></span>
<span class="name"><%= htmlEncode(item.display_name) %></span>
</td>
</tr>
<tr>
<td>
<span class="email"><i><%= item.email %></i></span>
<span class="email"><i><%= htmlEncode(item.email) %></i></span>
</td>
</tr>
<tr>
<td>
<span class="subtite"><%= item.subtitle || '' %></span>
<span class="subtite"><%= htmlEncode(item.subtitle) || '' %></span>
</td>
</tr>
</table>
@@ -47,7 +47,7 @@
<table>
<tr>
<td>
<span class="name"><%= item.name %></span>
<span class="name"><%= htmlEncode(item.name) %></span>
</td>
</tr>
<tr>
@@ -81,12 +81,12 @@
<table>
<tr>
<td colspan="3">
<span class="name"><%= user.display_name %></span>
<span class="name"><%= htmlEncode(user.display_name) %></span>
</td>
</tr>
<tr>
<td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span>
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td>
</tr>
<tr class="toggles">
@@ -201,12 +201,12 @@
<table>
<tr>
<td colspan="3">
<span class="name"><%= user.display_name %></span>
<span class="name"><%= htmlEncode(user.display_name) %></span>
</td>
</tr>
<tr>
<td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span>
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td>
</tr>
<tr class="toggles">
@@ -242,12 +242,12 @@
<table>
<tr>
<td colspan="3">
<span class="name"><%= user.display_name %></span>
<span class="name"><%= htmlEncode(user.display_name) %></span>
</td>
</tr>
<tr>
<td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span>
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td>
</tr>
<tr class="toggles">
@@ -267,3 +267,22 @@
</div>
</script>
<script>
function htmlEncode(str) {
return str.replace(/[&"'<>]/g, function(c){
switch (c)
{
case "&":
return "&amp;";
case "'":
return "&#39;";
case '"':
return "&quot;";
case "<":
return "&lt;";
case ">":
return "&gt;";
}
});
}
</script>
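Review bot: `htmlEncode(item.subtitle) || ''` and `htmlEncode(user.subtitle) || ''` apply the fallback after the call, so a missing subtitle (previously rendered as an empty string by `item.subtitle || ''`) now throws `TypeError: str.replace is not a function` inside the template and aborts rendering. Make the helper tolerate non-strings instead: `if (str == null) return '';` followed by `return String(str).replace(/[&"'<>]/g, …)`, after which the `|| ''` at the call sites is redundant. If these are underscore templates, `<%- %>` (built-in `_.escape`) would cover this without a custom helper, but the template engine is not visible in this file. The characters covered (`& " ' < >`) are adequate for text and quoted-attribute contexts only; a comment on the function saying so would stop it being reused for `href`, `on*` or script contexts.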


@@ -16,11 +16,11 @@
{% if context %}
{% set zterm %}
{% trans with {'%term%' : term, '%context%' : context} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
{% trans with {'%term%' : term | e, '%context%' : context | e} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
{% endset %}
{% else %}
{% set zterm %}
{% trans with {'%term%' : term} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
{% trans with {'%term%' : term | e} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
{% endset %}
{% endif %}


@@ -338,6 +338,8 @@
for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling )
{
var lng = sy.getAttribute("lng");
var v = escapeHtmlDataFromXML(sy.getAttribute("v"));
html += "<tr>";
if(lng)
if(tFlags[lng])
@@ -347,7 +349,7 @@
else
html += "<td><span style='background-color:#cccccc'>&nbsp;?&nbsp;</span></td>";
html += "<td>&nbsp;"+sy.getAttribute("v")+"</td>";
html += "<td>&nbsp;"+ v +"</td>";
var hits = 0+sy.getAttribute("hits");
if(hits == 1)
@@ -361,6 +363,12 @@
return(html);
}
// Let the browser to do it
function escapeHtmlDataFromXML(data){
var d = document.createElement('div');
d.appendChild(document.createTextNode(data));
return d.innerHTML;
}
// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//
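Review bot: `escapeHtmlDataFromXML` is safe only for text-node content: `innerHTML` serialisation of a text node escapes `&`, `<` and `>` but leaves `"` and `'` intact, so the helper must not be reused to build attribute values. Its current call site (`"<td>&nbsp;"+ v +"</td>"`) is element content, so it is correct there; I would state the limit in the comment above it: `// Escapes for element text content only (not attribute values): browser serialisation leaves quotes alone.` Note also that `getAttribute("v")` returns null for a missing attribute, which `createTextNode` renders as the literal text `null`, same as the old string concatenation did.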