diff --git a/lib/documentmanagement/observers.inc.php b/lib/documentmanagement/observers.inc.php
index 8bd8e4e..ef76b1d 100644
--- a/lib/documentmanagement/observers.inc.php
+++ b/lib/documentmanagement/observers.inc.php
@@ -6,7 +6,7 @@
 * License Version 1.1.2 ("License"); You may not use this file except in
 * compliance with the License. You may obtain a copy of the License at
 * http://www.knowledgetree.com/KPL
- *
+ *
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
 * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
 * (ii) the KnowledgeTree copyright notice
 * in the same form as they appear in the distribution. See the License for
 * requirements.
- *
+ *
 * The Original Code is: KnowledgeTree Open Source
- *
+ *
 * The Initial Developer of the Original Code is The Jam Warehouse Software
 * (Pty) Ltd, trading as KnowledgeTree.
 * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -77,7 +77,7 @@ class JavascriptObserver {
 printf('', $msg->getString());
 return;
 }
- printf('', $msg->getString());
+ printf('', htmlentities($msg->getString(),ENT_QUOTES,'UTF-8'));
 }
 function redirectToDocument($id) {
diff --git a/plugins/rssplugin/KTrss.inc.php b/plugins/rssplugin/KTrss.inc.php
index 1cfb75f..91a352f 100644
--- a/plugins/rssplugin/KTrss.inc.php
+++ b/plugins/rssplugin/KTrss.inc.php
@@ -186,7 +186,7 @@ class KTrss{
 if ($aDocumentList) {
 foreach($aDocumentList as $documentElement){
 $document_id = $documentElement['id'];
- $aDocumentTransactions = array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
+ $aDocumentTransactions = kt_array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
 }
 }
 if ($aDocumentTransactions){
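Review bot: The sibling `printf('', $msg->getString());` three lines above the changed line, in the early-return branch, still emits the raw message, so only one of the two output paths in this hunk is escaped. The format strings were lost in rendering; if, as the class name JavascriptObserver suggests, the message is interpolated into a JavaScript string literal inside a script block, `htmlentities` is the wrong encoder for that context — entities are not decoded inside script, so quotes show up literally as `&#039;`, while backslashes and newlines pass through untouched. For a JS string value, `json_encode($msg->getString(), JSON_HEX_TAG)` is the context-correct encoder; if the string is actually written as HTML text, the htmlentities call is right but should then be applied in both branches. The enclosing method starts before the hunk.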
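Review bot: `kt_array_merge` is not defined or documented anywhere in this diff, so its contract cannot be checked here; the same substitution is made in the `@@ -220` hunk of this file and the `@@ -121` hunk of rss.php. Presumably it tolerates a non-array argument where `array_merge` would warn and return null (`$aDocumentTransactions` is not visibly initialised before this loop), but that belongs in a docblock on the helper, and rss.php being an entry script rather than a class file, it is worth confirming the helper is loaded by its include chain. The enclosing method starts before the hunk.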
@@ -220,8 +220,8 @@ class KTrss{
 // get information for folder
 function getOneFolder($iFolderId){
 $aFData = KTrss::getFolderData($iFolderId);
- $aFTransactions = array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
- $aFTransactions = array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
+ $aFTransactions = kt_array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
+ $aFTransactions = kt_array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
 $code = 'if (strtotime($a[datetime]) == strtotime($b[datetime])){
 return 0;
@@ -255,6 +255,17 @@ class KTrss{
 }
 }
+ function rss_sanitize($str, $do_amp=true)
+ {
+
+ $result = str_replace("\\\"","\"",str_replace('\\\'','\'',htmlentities($str,ENT_NOQUOTES, 'UTF-8')));
+ if ($do_amp)
+ {
+ $result = str_replace('&','&',$result);
+ }
+ return $result;
+ }
+
 // Takes in an array as a parameter and returns rss2.0 compatible xml
 function arrayToXML($aItems){
 // Build path to host
@@ -282,7 +293,7 @@ class KTrss{
 $sTypeSelect = 'document.transactionhistory&fDocumentId';
 }
 $feed .= "\n" .
- "".htmlentities($aItems[0][0][name],ENT_QUOTES, 'UTF-8')."\n" .
+ "".KTrss::rss_sanitize($aItems[0][0][name],false)."\n" .
 "".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0]['id']."\n" .
 "\n" .
 "<table border='0' width='90%'>\n".
@@ -298,7 +309,7 @@ class KTrss{
 "<hr>\n".
 "<table width='95%'>\n".
 "<tr>\n".
- "<td>Filename: ".str_replace('&','&',htmlentities($aItems[0][0][filename],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>Filename: ".KTrss::rss_sanitize($aItems[0][0][filename] )."</td>\n".
 "<td>\n".
 "</tr>\n".
 "<tr>\n".
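Review bot: `rss_sanitize` encodes with `ENT_NOQUOTES`, while every call it replaces in the `@@ -282`, `@@ -298`, `@@ -326` and `@@ -338` hunks used `ENT_QUOTES`, so `"` and `'` now pass through unencoded. That is harmless for the `<td>` element content those hunks build, but a helper with this name will be reused, and in an attribute context an unencoded quote ends the attribute; keep the previous `htmlentities($str, ENT_QUOTES, 'UTF-8')` unless an element-content-only contract is stated in a docblock. As rendered on this page `str_replace('&','&',$result)` replaces a string with itself and is a no-op; if one argument is an entity name lost in rendering, a comment should say which direction is intended, because decoding `&amp;` back to `&` after encoding reintroduces unescaped ampersands into the feed. The two backslash-stripping inner `str_replace` calls look like magic_quotes compensation and deserve a why-comment such as `// undo magic_quotes backslash-escaping of quotes before encoding`.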
@@ -326,11 +337,11 @@ class KTrss{
 foreach($aItems[1] as $item){
 $feed .= "<tr>\n".
 "<td>".$item[type]." name:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[name],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[name] )."</td>\n".
 "</tr>\n".
 "<tr>\n".
 "<td>Path:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[fullpath],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[fullpath] )."</td>\n".
 "</tr>\n".
 "<tr>\n".
 "<td>Transaction:</td>\n".
@@ -338,7 +349,7 @@ class KTrss{
 "</tr>\n".
 "<tr>\n".
 "<td>Comment:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[comment],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[comment] )."</td>\n".
 "</tr>\n".
 "<tr>\n";if($item[version]){
 $feed .= "<td>Version:</td>\n".
diff --git a/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty b/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
index a68f89c..ba4e0a7 100644
--- a/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
+++ b/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
@@ -9,7 +9,7 @@
 {/if}
 {if $feedlist}
 {section name=feed loop=$feedlist}
-
+
 {/section}
 {/if}
diff --git a/rss.php b/rss.php
index 787bc26..4e8816e 100644
--- a/rss.php
+++ b/rss.php
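Review bot: `$item[type]` on the third line of the hunk is concatenated into the `<td>` unescaped while the neighbouring `name`, `fullpath` and `comment` fields now go through `rss_sanitize`. If `type` is always one of a fixed set of internal labels this is fine, but that is not visible here; routing it through the same helper, `"<td>".KTrss::rss_sanitize($item[type])." name:</td>\n".`, costs nothing and keeps the escaping rule uniform across the row. The unquoted keys (`$item[type]`, `$item[name]`) also rely on the undefined-constant-to-string fallback that PHP 8 turns into an Error; quoting them is a separate cleanup. The enclosing foreach continues past the hunk.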
@@ -1,12 +1,12 @@ 'id',)); $id = $user[$_SERVER['PHP_AUTH_USER']]['id']; - - + + if(KTUtil::arrayGet($_REQUEST, 'docId')){ // if a docId parameter is passed // get document id from http request object $iDocumentId = KTUtil::arrayGet($_REQUEST, 'docId'); - + if(KTrss::validateDocumentPermissions($id, $iDocumentId)){ // if document passes validation check // get document info $aDocumentInfo[] = KTrss::getOneDocument($iDocumentId, $id); - - if($aDocumentInfo){ + + if($aDocumentInfo){ // create rss xml for document $documentFeed = KTrss::arrayToXML($aDocumentInfo); }else{ // create rss xml for the error $error = KTrss::errorToXML(_kt('This document has returned a empty response')); - } + } }else{ // create rss xml for error $error = KTrss::errorToXML(_kt('You are either not authorised to view details on this document or it does not exist.' . @@ -101,7 +101,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { if(KTrss::validateFolderPermissions($id, $iFolderId)){ // if folder passes validation check // get folder info $aFolderInfo[] = KTrss::getOneFolder($iFolderId); - + if($aFolderInfo){ // create rss xml for folder $folderFeed = KTrss::arrayToXML($aFolderInfo); @@ -121,7 +121,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { } }else{ // else do normal rss parsing // get full list of subscribed documents and folders - $aFullList = array_merge(KTrss::getDocuments($id), KTrss::getFolders($id)); + $aFullList = kt_array_merge(KTrss::getDocuments($id), KTrss::getFolders($id)); $internalFeed = KTrss::arrayToXML($aFullList); echo $internalFeed; } diff --git a/templates/kt3/browse.smarty b/templates/kt3/browse.smarty index fd85648..5df33b7 100644 --- a/templates/kt3/browse.smarty +++ b/templates/kt3/browse.smarty @@ -3,7 +3,7 @@ {$context->oPage->requireJSResource('resources/js/toggleselect.js')} {if ($custom_title != null)} -

{$custom_title}

+

{$custom_title|sanitize}

{/if} diff --git a/templates/kt3/minimal_page.smarty b/templates/kt3/minimal_page.smarty index 70c944f..dc03a91 100644 --- a/templates/kt3/minimal_page.smarty +++ b/templates/kt3/minimal_page.smarty @@ -76,9 +76,9 @@ {i18n}You are here{/i18n}: {if ($page->breadcrumbSection !== false)} {if ($page->breadcrumbSection.url) } - {$page->breadcrumbSection.label} + {$page->breadcrumbSection.label|sanitize} {else} - {$page->breadcrumbSection.label} + {$page->breadcrumbSection.label|sanitize} {/if} {/if} {if (($page->breadcrumbSection !== false) && ($page->breadcrumbs !== false))} @@ -97,7 +97,7 @@ {/foreach} {/if} {if ($page->breadcrumbDetails !== false)} -({$page->breadcrumbDetails}) +({$page->breadcrumbDetails|sanitize}) {/if} diff --git a/templates/kt3/standard_page.smarty b/templates/kt3/standard_page.smarty index 2618c4b..8679663 100644 --- a/templates/kt3/standard_page.smarty +++ b/templates/kt3/standard_page.smarty @@ -142,7 +142,7 @@ {/foreach} {/if} {if ($page->breadcrumbDetails !== false)} - ({$page->breadcrumbDetails}) + ({$page->breadcrumbDetails|sanitize}) {/if} {/if} diff --git a/templates/ktcore/folder/view_permissions.smarty b/templates/ktcore/folder/view_permissions.smarty index 33856cc..fc5ba2d 100644 --- a/templates/ktcore/folder/view_permissions.smarty +++ b/templates/ktcore/folder/view_permissions.smarty @@ -16,7 +16,7 @@ assigned are shown.{/i18n}
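Review bot: The `sanitize` modifier applied to `$custom_title` here, and to the breadcrumb and permission-source values in minimal_page.smarty (`@@ -76`, `@@ -97`), standard_page.smarty (`@@ -142`) and view_permissions.smarty (`@@ -16`), is not defined or registered anywhere in this diff, and Smarty fails at compile time on an unknown modifier. Confirm the plugin exists and document which context it escapes for (HTML element content versus attribute), because in view_permissions its output is fed into an `{i18n}` argument that is interpolated again rather than printed directly. The removed and added lines of this hunk lost their surrounding markup in rendering, so whether `$custom_title` lands in element content or an attribute cannot be checked from the page.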
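Review bot: Only `breadcrumbSection.label` gets `|sanitize` in this hunk; `breadcrumbSection.url`, tested on the `{if ($page->breadcrumbSection.url) }` line and presumably emitted in the anchor markup that rendering stripped from the changed lines, is still output as-is. A URL placed in an href attribute needs attribute-context escaping as well, e.g. `{$page->breadcrumbSection.url|escape:'html'}`, and ideally a scheme check where the breadcrumb is built, since an escaped value cannot reject a non-http scheme. The `{foreach}` over the remaining breadcrumbs sits between this hunk and `@@ -97` and is outside the diff, so whether it follows the same label-only pattern cannot be seen here.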

{ if $inherited } -{i18n arg_permission_source=$inherited}This folder inherits its permissions from #permission_source#.{/i18n} +{i18n arg_permission_source=$inherited|sanitize}This folder inherits its permissions from #permission_source#.{/i18n} {if $inheritable}