http://www.mediawiki.org/wiki/Special:Code/MediaWiki/95005

Revision: 95005
Author:   yuvipanda
Date:     2011-08-19 15:03:16 +0000 (Fri, 19 Aug 2011)
Log Message:
-----------
Entity-encode template output to close an XSS attack vector

Modified Paths:
--------------
    trunk/extensions/GPoC/templates/FilterRatingsTemplate.php
    trunk/extensions/GPoC/templates/SelectionTemplate.php

Modified: trunk/extensions/GPoC/templates/FilterRatingsTemplate.php
===================================================================
--- trunk/extensions/GPoC/templates/FilterRatingsTemplate.php   2011-08-19 
15:03:08 UTC (rev 95004)
+++ trunk/extensions/GPoC/templates/FilterRatingsTemplate.php   2011-08-19 
15:03:16 UTC (rev 95005)
@@ -11,11 +11,11 @@
 
 <form method="GET" id="filterForm">
 <p>
-Project Name: <input type="text" name="project" value="<?php echo 
$filters['r_project']?>" /> 
-Importance: <input type="text" name="importance" value="<?php echo 
$filters['r_importance']?>" /> 
-Quality: <input type="text" name="quality" value="<?php echo 
$filters['r_quality']?>" />
+Project Name: <input type="text" name="project" value="<?php echo 
htmlentities( $filters['r_project'] ); ?>" />
+Importance: <input type="text" name="importance" value="<?php echo 
htmlentities( $filters['r_importance'] ); ?>" />
+Quality: <input type="text" name="quality" value="<?php echo htmlentities( 
$filters['r_quality'] ); ?>" />
 <br />
-Categories (comma separated): <input type="text" name="categories" 
value="<?php echo $filters['categories']?>" />
+Categories (comma separated): <input type="text" name="categories" 
value="<?php echo htmlentities( $filters['categories'] ); ?>" />
 <input type="submit" id="submit-query" />
 </p>
 </form>
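Review bot: The new `htmlentities()` calls on the four form inputs rely on PHP's defaults, which on PHP releases of this era (pre-5.4) mean an ISO-8859-1 charset and ENT_COMPAT, so UTF-8 input gets byte-wise mangled and single quotes are left unescaped. The double-quoted attribute context here keeps the fix effective today, but any later switch to single-quoted attributes would silently reopen the hole, and MediaWiki output is UTF-8. Prefer the explicit, core-consistent form, e.g. `value="<?php echo htmlspecialchars( $filters['r_project'], ENT_QUOTES, 'UTF-8' ); ?>"`, for each of the four inputs. Since the form is `method="GET"` and the input names match the `$filters` keys, these values presumably echo request parameters straight back, which is why the escaping is essential rather than cosmetic.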
@@ -38,10 +38,10 @@
        </tr>   
        <?php foreach( $articles as $article ) { ?>
        <tr>
-       <td><?php echo $article['r_project'] ?></td>
-       <td><a href="<?php echo $article['title']->getLinkURL(); ?>"><?php echo 
$article['r_article']; ?></a></td>      
-       <td><?php echo $article['r_importance']; ?></td>        
-       <td><?php echo $article['r_quality']; ?></td>   
+       <td><?php echo htmlentities( $article['r_project'] ); ?></td>
+       <td><a href="<?php echo htmlentities( $article['title']->getLinkURL() 
); ?>"><?php echo htmlentities( $article['r_article'] ); ?></a></td>
+       <td><?php echo htmlentities( $article['r_importance'] ); ?></td>
+       <td><?php echo htmlentities( $article['r_quality'] ); ?></td>
        </tr>
        <?php } ?>
        </table>

Modified: trunk/extensions/GPoC/templates/SelectionTemplate.php
===================================================================
--- trunk/extensions/GPoC/templates/SelectionTemplate.php       2011-08-19 
15:03:08 UTC (rev 95004)
+++ trunk/extensions/GPoC/templates/SelectionTemplate.php       2011-08-19 
15:03:16 UTC (rev 95005)
@@ -12,7 +12,7 @@
 
 <div id="">
 <?php if( count($articles) > 0 ) { ?>
-<h3>Articles in Selection <?php echo $name; ?></h3> <small><a href="<?php echo 
$csv_link; ?>">Export CSV</a></small>
+<h3>Articles in Selection <?php echo htmlentities( $name ); ?></h3> <small><a 
href="<?php echo htmlentities( $csv_link ); ?>">Export CSV</a></small>
        <table>
        <tr>
                <th style="width:150px">Article</th>
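Review bot: Entity-encoding `$csv_link` in the `href` on the rebuilt `<small><a ...>` line prevents attribute breakout, but it does not neutralise a scheme-based payload such as a `javascript:` URL if `$csv_link` could ever be influenced by request data. Its construction is not visible in this hunk, so this is a hedged point: it should be built server-side from a MediaWiki `Title`/special-page URL rather than from user input, and a one-line comment noting that assumption would help the next maintainer, e.g. `<?php // $csv_link must be a server-generated URL; escaping alone does not block javascript: schemes ?>`. The `htmlentities()` charset/flag caveat (use `htmlspecialchars( ..., ENT_QUOTES, 'UTF-8' )`) applies here as well.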
@@ -21,17 +21,17 @@
                <th style="width:300px">Actions</th>
        </tr>   
        <?php foreach( $articles as $article ) { ?>
-       <tr class="article-row" data-namespace="<?php echo 
$article['s_namespace']; ?>" data-article="<?php echo $article['s_article']; 
?>">
-       <td><a href="<?php echo $article['title']->getLinkURL(); ?>"><?php echo 
$article['s_article']; ?></a></td>
+       <tr class="article-row" data-namespace="<?php echo htmlentities( 
$article['s_namespace'] ); ?>" data-article="<?php echo htmlentities( 
$article['s_article'] ); ?>">
+       <td><a href="<?php echo $article['title']->getLinkURL(); ?>"><?php echo 
htmlentities( $article['s_article'] ); ?></a></td>
        <td><?php echo wfTimeStamp( TS_ISO_8601, $article['s_timestamp'] );     
?></td>
        <td><?php if($article['s_revision'] != null) { ?>
-               <a href="<?php echo $article['title']->getLinkUrl(array('oldid' 
=> $article['s_revision'])); ?>" class="revision-link"><?php echo 
$article['s_revision']; ?></a>
+               <a href="<?php echo htmlentities( 
$article['title']->getLinkUrl( array( 'oldid' => $article['s_revision'] ) ) ); 
?>" class="revision-link"><?php echo htmlentities( $article['s_revision'] ); 
?></a>
                <?php } ?>
        </td>
        <td>
                <div class="item-actions">
                <div class="revision-input" style="display:none">
-                       <input type="text" class="revision-id" 
placeholder="Enter revision id" value="<?php echo $article['s_revision']; ?>" />
+                       <input type="text" class="revision-id" 
placeholder="Enter revision id" value="<?php echo htmlentities( 
$article['s_revision'] ); ?>" />
                        (<a href="#" class="revision-save">Save</a> | <a 
href="#" class="revision-cancel">Cancel</a>)
                </div>
                <a href="#" class="change-revision">Set Revision</a> |
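Review bot: The article link's `href` on the `<td><a href="<?php echo $article['title']->getLinkURL(); ?>">` line is the one output in this commit left unescaped, while the same `getLinkURL()` result is entity-encoded in the revision link further down this hunk and in FilterRatingsTemplate.php. `Title::getLinkURL()` output is normally URL-encoded, so the practical risk is low, but the inconsistency invites copy-paste regressions; change it to `<td><a href="<?php echo htmlentities( $article['title']->getLinkURL() ); ?>"><?php echo htmlentities( $article['s_article'] ); ?></a></td>`. The `wfTimeStamp( TS_ISO_8601, ... )` cell is also echoed raw; it is server-formatted, so this is only worth a comment unless `s_timestamp` can hold arbitrary strings. The enclosing `foreach` closes outside this hunk.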

