From 9904703840a74597e1c6122109843c198488477c Mon Sep 17 00:00:00 2001
From: kevin_fourie
Date: Mon, 23 Jul 2007 16:10:46 +0000
Subject: [PATCH] Merged in from DEV trunk...
---
lib/documentmanagement/observers.inc.php | 8 ++++----
plugins/rssplugin/KTrss.inc.php | 27 +++++++++++++++++++--------
plugins/rssplugin/templates/RSSPlugin/dashlet.smarty | 2 +-
rss.php | 24 ++++++++++++------------
templates/kt3/browse.smarty | 2 +-
templates/kt3/minimal_page.smarty | 6 +++---
templates/kt3/standard_page.smarty | 2 +-
templates/ktcore/folder/view_permissions.smarty | 2 +-
8 files changed, 42 insertions(+), 31 deletions(-)
diff --git a/lib/documentmanagement/observers.inc.php b/lib/documentmanagement/observers.inc.php
index 8bd8e4e..ef76b1d 100644
--- a/lib/documentmanagement/observers.inc.php
+++ b/lib/documentmanagement/observers.inc.php
@@ -6,7 +6,7 @@
* License Version 1.1.2 ("License"); You may not use this file except in
* compliance with the License. You may obtain a copy of the License at
* http://www.knowledgetree.com/KPL
- *
+ *
* Software distributed under the License is distributed on an "AS IS"
* basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
* See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
* (ii) the KnowledgeTree copyright notice
* in the same form as they appear in the distribution. See the License for
* requirements.
- *
+ *
* The Original Code is: KnowledgeTree Open Source
- *
+ *
* The Initial Developer of the Original Code is The Jam Warehouse Software
* (Pty) Ltd, trading as KnowledgeTree.
* Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -77,7 +77,7 @@ class JavascriptObserver {
printf('', $msg->getString());
return;
}
- printf('', $msg->getString());
+ printf('', htmlentities($msg->getString(),ENT_QUOTES,'UTF-8'));
}
function redirectToDocument($id) {
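Review bot: The escaping added at `printf('', htmlentities($msg->getString(),ENT_QUOTES,'UTF-8'));` covers only the second output; the early-return branch two lines above still passes `$msg->getString()` to printf raw, so the same message reaches the page unescaped on that path. The format strings are not visible in this rendering; given the class is `JavascriptObserver`, if the value is placed inside a JavaScript string literal rather than HTML text, HTML entities are the wrong encoding and `json_encode($msg->getString())` would be the right one, which is worth confirming against the format string. The enclosing method starts before the hunk.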
diff --git a/plugins/rssplugin/KTrss.inc.php b/plugins/rssplugin/KTrss.inc.php
index 1cfb75f..91a352f 100644
--- a/plugins/rssplugin/KTrss.inc.php
+++ b/plugins/rssplugin/KTrss.inc.php
@@ -186,7 +186,7 @@ class KTrss{
if ($aDocumentList) {
foreach($aDocumentList as $documentElement){
$document_id = $documentElement['id'];
- $aDocumentTransactions = array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
+ $aDocumentTransactions = kt_array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
}
}
if ($aDocumentTransactions){
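Review bot: `kt_array_merge` replaces `array_merge` at `$aDocumentTransactions = kt_array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));` with no note on what it does differently, and its definition is not part of this patch. Presumably it tolerates a non-array argument (a helper returning null or false when there are no transactions), which `array_merge` rejects with a warning and a null result; if so, a one-line comment such as `// kt_array_merge tolerates empty/non-array arguments where array_merge would warn` at this first call site would explain the substitution. The same change appears in the `getOneFolder` hunk below and in rss.php at `$aFullList = kt_array_merge(...)`. The enclosing function starts before the hunk.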
@@ -220,8 +220,8 @@ class KTrss{
// get information for folder
function getOneFolder($iFolderId){
$aFData = KTrss::getFolderData($iFolderId);
- $aFTransactions = array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
- $aFTransactions = array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
+ $aFTransactions = kt_array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
+ $aFTransactions = kt_array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
$code = 'if (strtotime($a[datetime]) == strtotime($b[datetime])){
return 0;
@@ -255,6 +255,17 @@ class KTrss{
}
}
+ function rss_sanitize($str, $do_amp=true)
+ {
+
+ $result = str_replace("\\\"","\"",str_replace('\\\'','\'',htmlentities($str,ENT_NOQUOTES, 'UTF-8')));
+ if ($do_amp)
+ {
+ $result = str_replace('&','&',$result);
+ }
+ return $result;
+ }
+
// Takes in an array as a parameter and returns rss2.0 compatible xml
function arrayToXML($aItems){
// Build path to host
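Review bot: `rss_sanitize` builds its output with `htmlentities($str,ENT_NOQUOTES, 'UTF-8')`, which emits HTML named entities (`&eacute;`, `&nbsp;`) that XML does not predefine, yet the comment on the next function says the result is RSS 2.0 XML, so a name or comment containing such characters produces a feed that XML parsers reject as malformed. `htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8')` confines the output to the XML-predefined entities and leaves UTF-8 text intact, and the callers in the title, filename, name, path and comment hunks below inherit the fix. With ENT_NOQUOTES the result keeps raw quotes, so the helper is only safe for element text, never attribute values, which a header comment should state, e.g. `// Escapes $str for RSS element text only (quotes left raw; not for attributes)`. The `str_replace("\\\"","\"", ...)` step strips backslash-escaped quotes after encoding, which looks like an undo of addslashes/magic_quotes on stored values and belongs where the data is read rather than in an output escaper. As rendered here the `$do_amp` replacement maps `&` to itself; if the intended target is `&amp;` (this rendering may have decoded entities), the reason for the extra encoding pass should be documented alongside the flag.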
@@ -282,7 +293,7 @@ class KTrss{
$sTypeSelect = 'document.transactionhistory&fDocumentId';
}
$feed .= "- \n" .
- "
".htmlentities($aItems[0][0][name],ENT_QUOTES, 'UTF-8')." \n" .
+ "".KTrss::rss_sanitize($aItems[0][0][name],false)." \n" .
" ".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0]['id']."\n" .
"\n" .
"<table border='0' width='90%'>\n".
@@ -298,7 +309,7 @@ class KTrss{
"<hr>\n".
"<table width='95%'>\n".
"<tr>\n".
- "<td>Filename: ".str_replace('&','&',htmlentities($aItems[0][0][filename],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>Filename: ".KTrss::rss_sanitize($aItems[0][0][filename] )."</td>\n".
"<td>\n".
"</tr>\n".
"<tr>\n".
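Review bot: The new call `KTrss::rss_sanitize($aItems[0][0][filename] )` carries a stray space before the closing parenthesis, and the same appears at the name, path and comment calls in the two following hunks; `KTrss::rss_sanitize($aItems[0][0][filename])` matches the title call in the preceding hunk. The index `filename` is an unquoted bare word, which this file already does elsewhere but which raises an undefined-constant notice on every evaluation before falling back to the string; `$aItems[0][0]['filename']` avoids it on the lines this commit rewrites. The enclosing method `arrayToXML` starts before the hunk.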
@@ -326,11 +337,11 @@ class KTrss{
foreach($aItems[1] as $item){
$feed .= "<tr>\n".
"<td>".$item[type]." name:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[name],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[name] )."</td>\n".
"</tr>\n".
"<tr>\n".
"<td>Path:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[fullpath],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[fullpath] )."</td>\n".
"</tr>\n".
"<tr>\n".
"<td>Transaction:</td>\n".
@@ -338,7 +349,7 @@ class KTrss{
"</tr>\n".
"<tr>\n".
"<td>Comment:</td>\n".
- "<td>".str_replace('&','&',htmlentities($item[comment],ENT_QUOTES, 'UTF-8'))."</td>\n".
+ "<td>".KTrss::rss_sanitize($item[comment] )."</td>\n".
"</tr>\n".
"<tr>\n";if($item[version]){
$feed .= "<td>Version:</td>\n".
diff --git a/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty b/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
index a68f89c..ba4e0a7 100644
--- a/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
+++ b/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
@@ -9,7 +9,7 @@
{/if}
{if $feedlist}
{section name=feed loop=$feedlist}
- {$feedlist[feed].title|sanitize}
+ {$feedlist[feed].title|sanitize}
{/section}
{/if}
diff --git a/rss.php b/rss.php
index 787bc26..4e8816e 100644
--- a/rss.php
+++ b/rss.php
@@ -1,12 +1,12 @@
'id',));
$id = $user[$_SERVER['PHP_AUTH_USER']]['id'];
-
-
+
+
if(KTUtil::arrayGet($_REQUEST, 'docId')){ // if a docId parameter is passed
// get document id from http request object
$iDocumentId = KTUtil::arrayGet($_REQUEST, 'docId');
-
+
if(KTrss::validateDocumentPermissions($id, $iDocumentId)){ // if document passes validation check
// get document info
$aDocumentInfo[] = KTrss::getOneDocument($iDocumentId, $id);
-
- if($aDocumentInfo){
+
+ if($aDocumentInfo){
// create rss xml for document
$documentFeed = KTrss::arrayToXML($aDocumentInfo);
}else{
// create rss xml for the error
$error = KTrss::errorToXML(_kt('This document has returned a empty response'));
- }
+ }
}else{
// create rss xml for error
$error = KTrss::errorToXML(_kt('You are either not authorised to view details on this document or it does not exist.' .
@@ -101,7 +101,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
if(KTrss::validateFolderPermissions($id, $iFolderId)){ // if folder passes validation check
// get folder info
$aFolderInfo[] = KTrss::getOneFolder($iFolderId);
-
+
if($aFolderInfo){
// create rss xml for folder
$folderFeed = KTrss::arrayToXML($aFolderInfo);
@@ -121,7 +121,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
}
}else{ // else do normal rss parsing
// get full list of subscribed documents and folders
- $aFullList = array_merge(KTrss::getDocuments($id), KTrss::getFolders($id));
+ $aFullList = kt_array_merge(KTrss::getDocuments($id), KTrss::getFolders($id));
$internalFeed = KTrss::arrayToXML($aFullList);
echo $internalFeed;
}
diff --git a/templates/kt3/browse.smarty b/templates/kt3/browse.smarty
index fd85648..5df33b7 100644
--- a/templates/kt3/browse.smarty
+++ b/templates/kt3/browse.smarty
@@ -3,7 +3,7 @@
{$context->oPage->requireJSResource('resources/js/toggleselect.js')}
{if ($custom_title != null)}
-{$custom_title}
+{$custom_title|sanitize}
{/if}
diff --git a/templates/kt3/minimal_page.smarty b/templates/kt3/minimal_page.smarty
index 70c944f..dc03a91 100644
--- a/templates/kt3/minimal_page.smarty
+++ b/templates/kt3/minimal_page.smarty
@@ -76,9 +76,9 @@
{i18n}You are here{/i18n}:
{if ($page->breadcrumbSection !== false)}
{if ($page->breadcrumbSection.url) }
- {$page->breadcrumbSection.label}
+ {$page->breadcrumbSection.label|sanitize}
{else}
- {$page->breadcrumbSection.label}
+ {$page->breadcrumbSection.label|sanitize}
{/if}
{/if}
{if (($page->breadcrumbSection !== false) && ($page->breadcrumbs !== false))}
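Review bot: `|sanitize` is now applied to `{$page->breadcrumbSection.label|sanitize}` on both branches, but the `url` tested at `{if ($page->breadcrumbSection.url) }` is presumably emitted as anchor markup on the same line, which this rendering does not show; if so, it sits in an href attribute and needs attribute-context escaping (and a scheme check) rather than the text-context modifier alone. What `sanitize` does is defined outside this patch, so whether it escapes quotes as well as angle brackets should be confirmed before relying on it for attribute values. The same label-only treatment is used in the breadcrumbDetails hunks of this file and of standard_page.smarty.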
@@ -97,7 +97,7 @@
{/foreach}
{/if}
{if ($page->breadcrumbDetails !== false)}
-({$page->breadcrumbDetails})
+({$page->breadcrumbDetails|sanitize})
{/if}
diff --git a/templates/kt3/standard_page.smarty b/templates/kt3/standard_page.smarty
index 2618c4b..8679663 100644
--- a/templates/kt3/standard_page.smarty
+++ b/templates/kt3/standard_page.smarty
@@ -142,7 +142,7 @@
{/foreach}
{/if}
{if ($page->breadcrumbDetails !== false)}
- ({$page->breadcrumbDetails})
+ ({$page->breadcrumbDetails|sanitize})
{/if}
{/if}
diff --git a/templates/ktcore/folder/view_permissions.smarty b/templates/ktcore/folder/view_permissions.smarty
index 33856cc..fc5ba2d 100644
--- a/templates/ktcore/folder/view_permissions.smarty
+++ b/templates/ktcore/folder/view_permissions.smarty
@@ -16,7 +16,7 @@ assigned are shown.{/i18n}
{ if $inherited }
-
{i18n arg_permission_source=$inherited}This folder inherits its permissions from #permission_source#.{/i18n}
+{i18n arg_permission_source=$inherited|sanitize}This folder inherits its permissions from #permission_source#.{/i18n}
{if $inheritable}