diff --git a/htdocs/admin/users/edit.php b/htdocs/admin/users/edit.php index 7f791d9..fa0a143 100644 --- a/htdocs/admin/users/edit.php +++ b/htdocs/admin/users/edit.php @@ -431,7 +431,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1); $smarty->assign('institutionform', $institutionform); if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) { - $loginas = get_string('loginasuser', 'admin', $user->username); + $loginas = get_string('loginasuser', 'admin', hsc($user->username)); } else { $loginas = null; } diff --git a/htdocs/artefact/blog/lib.php b/htdocs/artefact/blog/lib.php index e10a66e..8cf8d4b 100644 --- a/htdocs/artefact/blog/lib.php +++ b/htdocs/artefact/blog/lib.php @@ -210,10 +210,10 @@ class ArtefactTypeBlog extends ArtefactType { if (isset($options['viewid'])) { $smarty->assign('artefacttitle', '' . $this->get('title') . ''); + . '">' . hsc($this->get('title')) . ''); } else { - $smarty->assign('artefacttitle', $this->get('title')); + $smarty->assign('artefacttitle', hsc($this->get('title'))); } $smarty->assign('blockid', $blockid); @@ -221,7 +221,7 @@ class ArtefactTypeBlog extends ArtefactType { $smarty->assign('enc_id', json_encode($this->id)); $smarty->assign('limit', self::pagination); $smarty->assign('loading_img', theme_get_url('images/loading.gif')); - $smarty->assign('description', $this->get('description')); + $smarty->assign('description', clean_text($this->get('description'))); // Remove unnecessary options for blog posts unset($options['hidetitle']); 
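Review bot: Escaping `$user->username` inside the `get_string()` argument ties the HTML-escaping to the language string rather than to the output point; the admin/users/edit.tpl hunk prints `{$loginas}` without `|escape`, so a later `|escape` on that variable would double-encode, and any other placeholder the `loginasuser` string gains stays unescaped. Either keep the value plain here and escape at render with `{$loginas|escape}`, or record the contract at this line: `// $loginas is pre-escaped HTML; the template prints it raw`. The same pattern is used in the htdocs/user/view.php hunk.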
@@ -415,15 +415,15 @@ class ArtefactTypeBlogPost extends ArtefactType { if (isset($options['viewid'])) { $smarty->assign('artefacttitle', '' . $this->get('title') . ''); + . '">' . hsc($this->get('title')) . ''); } else { - $smarty->assign('artefacttitle', $this->get('title')); + $smarty->assign('artefacttitle', hsc($this->get('title'))); } } // We need to make sure that the images in the post have the right viewid associated with them - $postcontent = $this->get('description'); + $postcontent = clean_text($this->get('description')); if (isset($options['viewid'])) { safe_require('artefact', 'file'); $postcontent = ArtefactTypeFolder::append_view_url($postcontent, $options['viewid']); @@ -553,6 +553,9 @@ class ArtefactTypeBlogPost extends ArtefactType { $result[$file->blogpost]->files[] = $file; } } + foreach ($result as &$post) { + $post->description = clean_text($post->description); + } } return array($count, array_values($result)); diff --git a/htdocs/artefact/blog/theme/default/editpost.tpl b/htdocs/artefact/blog/theme/default/editpost.tpl index 9b1120e..dec5ec5 100644 --- a/htdocs/artefact/blog/theme/default/editpost.tpl +++ b/htdocs/artefact/blog/theme/default/editpost.tpl @@ -9,7 +9,7 @@ {include file="sidebar.tpl"} {include file="columnleftstart.tpl"} -
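Review bot: The by-reference `foreach ($result as &$post)` added just before the `return` leaves `$post` bound to the last element after the loop, so any later assignment to `$post` in this method would silently overwrite that entry. The elements are objects (the context line appends to `$result[$file->blogpost]->files[]`), so the reference is not needed: `foreach ($result as $post) { $post->description = clean_text($post->description); }` mutates the same objects; otherwise add `unset($post);` after the loop. The method's start lies outside the hunk.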

{$pagetitle}

+

{$pagetitle|escape}

{$textinputform}
diff --git a/htdocs/artefact/blog/theme/default/render/blogpost_renderfull.tpl b/htdocs/artefact/blog/theme/default/render/blogpost_renderfull.tpl index bc2f23d..1754212 100644 --- a/htdocs/artefact/blog/theme/default/render/blogpost_renderfull.tpl +++ b/htdocs/artefact/blog/theme/default/render/blogpost_renderfull.tpl @@ -11,7 +11,7 @@ {foreach from=$attachments item=item} - {$item->title} ({$item->size}) - {str tag=Download section=artefact.file} + {$item->title|escape} ({$item->size}) - {str tag=Download section=artefact.file}
{$item->description|escape} {/foreach} diff --git a/htdocs/artefact/file/blocktype/image/lib.php b/htdocs/artefact/file/blocktype/image/lib.php index f5baa53..108feb8 100644 --- a/htdocs/artefact/file/blocktype/image/lib.php +++ b/htdocs/artefact/file/blocktype/image/lib.php @@ -71,7 +71,7 @@ class PluginBlocktypeImage extends PluginBlocktype { $description = (is_a($image, 'ArtefacttypeImage')) ? $image->get('description') : $image->get('title'); if (!empty($configdata['showdescription']) && $description) { - $result .= '

' . $description . '

'; + $result .= '

' . hsc($description) . '

'; } $result .= '
'; } diff --git a/htdocs/artefact/file/theme/default/file_render_self.tpl b/htdocs/artefact/file/theme/default/file_render_self.tpl index 1ea07c8..86d27e6 100644 --- a/htdocs/artefact/file/theme/default/file_render_self.tpl +++ b/htdocs/artefact/file/theme/default/file_render_self.tpl @@ -6,7 +6,7 @@ - + diff --git a/htdocs/artefact/file/theme/default/folder_render_self.tpl b/htdocs/artefact/file/theme/default/folder_render_self.tpl index 3e9427a..1a5cfbc 100644 --- a/htdocs/artefact/file/theme/default/folder_render_self.tpl +++ b/htdocs/artefact/file/theme/default/folder_render_self.tpl @@ -20,7 +20,7 @@ - + {if !$simpledisplay}{/if} {/foreach} diff --git a/htdocs/artefact/resume/theme/default/fragments/personalinformation.tpl b/htdocs/artefact/resume/theme/default/fragments/personalinformation.tpl index 1953c21..8f56c78 100644 --- a/htdocs/artefact/resume/theme/default/fragments/personalinformation.tpl +++ b/htdocs/artefact/resume/theme/default/fragments/personalinformation.tpl @@ -1,8 +1,8 @@
{str tag=Type section=artefact.file}:{$filetype}
{str tag=Description section=artefact.file}:{$description|escape}
{str tag=Owner section=artefact.file}:{$owner}
{str tag=Owner section=artefact.file}:{$owner|escape}
{str tag=Created section=artefact.file}:{$created}
{str tag=lastmodified section=artefact.file}:{$modified}
{str tag=Size section=artefact.file}:{$size|escape}
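Review bot: `{$owner}` now gets `|escape`, but `{$filetype}`, `{$created}` and `{$modified}` in the same rows are still printed raw while `{$description|escape}` and `{$size|escape}` are already escaped; if `$filetype` can carry a client-supplied MIME string it should be `{$filetype|escape}` as well — the hunk does not show where that value originates, so confirm against the controller. Escaping the two date cells too costs nothing and keeps the rows consistent.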
{$child->artefacttype|escape} {$child->title}{$child->description}{$child->description|escape}{$child->date}
{foreach from=$fields key='field' item='value'} - - + + {/foreach}
{$field}{$value}{$field|escape}{$value|escape}
diff --git a/htdocs/lib/web.php b/htdocs/lib/web.php index 430e908..f9456b2 100644 --- a/htdocs/lib/web.php +++ b/htdocs/lib/web.php @@ -440,7 +440,7 @@ EOF; if ($USER->get('parentuser')) { $smarty->assign('USERMASQUERADING', true); - $smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', display_name($USER))); + $smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', hsc(display_name($USER)))); $smarty->assign('becomeyouagain', ' ' . get_string('becomeadminagain', 'admin', $USER->get('parentuser')->name) diff --git a/htdocs/theme/default/templates/admin/users/edit.tpl b/htdocs/theme/default/templates/admin/users/edit.tpl index 028f753..aef9ed5 100644 --- a/htdocs/theme/default/templates/admin/users/edit.tpl +++ b/htdocs/theme/default/templates/admin/users/edit.tpl @@ -2,7 +2,7 @@ {include file="columnfullstart.tpl"}
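Review bot: `display_name($USER)` is escaped for the masquerading banner, but the adjacent `becomeyouagain` assignment on the following context line still passes `$USER->get('parentuser')->name` unescaped; if that string is printed raw by the template it needs the same treatment, `get_string('becomeadminagain', 'admin', hsc($USER->get('parentuser')->name))`. Both values are admin-side, but the parent account's name is still user-entered data. The `becomeyouagain` assignment continues past the end of the hunk.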
-

{$user->firstname} {$user->lastname} ({$user->username})

+

{$user|display_name|escape}

{if !empty($loginas)}
{$loginas}
{/if} diff --git a/htdocs/theme/default/templates/searchresulttable.tpl b/htdocs/theme/default/templates/searchresulttable.tpl index 1031502..a836dc9 100644 --- a/htdocs/theme/default/templates/searchresulttable.tpl +++ b/htdocs/theme/default/templates/searchresulttable.tpl @@ -26,7 +26,7 @@ {foreach from=$results.data item=r} {foreach from=$cols key=f item=c} - {if empty($c.template)}{$r[$f]}{else}{eval var=$c.template}{/if} + {if empty($c.template)}{$r[$f]|escape}{else}{eval var=$c.template}{/if} {/foreach} {/foreach} diff --git a/htdocs/theme/default/templates/user/view.tpl b/htdocs/theme/default/templates/user/view.tpl index 0c3093c..e025d84 100644 --- a/htdocs/theme/default/templates/user/view.tpl +++ b/htdocs/theme/default/templates/user/view.tpl @@ -10,7 +10,7 @@ {/if}
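Review bot: The `|escape` covers only the no-template branch; when `$c.template` is set, `{eval var=$c.template}` still emits whatever the column template produces, so each column template now carries its own escaping responsibility. Worth a template comment above the loop, `{* only the default cell is escaped here; column templates must escape their own values *}`, so the next author does not assume the table escapes for them.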
- {$introduction} + {$introduction|clean_text}
@@ -39,12 +39,12 @@
    {foreach from=$USERFIELDS name=userfields key=key item=item} -
  • {$item}
  • +
  • {$item|escape}
  • {/foreach}
{if $relationship == 'pending'}
- {str tag='whymakemeyourfriend' section='group'} {$message} + {str tag='whymakemeyourfriend' section='group'} {$message|escape} {$requestform}
{/if} @@ -57,7 +57,7 @@

{$item->title|escape}

{if $item->description} - {$item->description} + {$item->description|clean_text} {/if} {if $item->description && $item->artefacts}
{/if} {if $item->artefacts} @@ -80,7 +80,7 @@

{$item->name|escape} - {str tag=$item->type section=group}

{if $item->description} - {$item->description} + {$item->description|clean_text} {/if} diff --git a/htdocs/user/view.php b/htdocs/user/view.php index ed72e98..f128e36 100644 --- a/htdocs/user/view.php +++ b/htdocs/user/view.php @@ -332,7 +332,7 @@ if ($loggedinid != $userid) { } if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) { - $loginas = get_string('loginasuser', 'admin', $user->username); + $loginas = get_string('loginasuser', 'admin', hsc($user->username)); } else { $loginas = null; } diff --git a/htdocs/view/artefact.php b/htdocs/view/artefact.php index 9094632..8559742 100644 --- a/htdocs/view/artefact.php +++ b/htdocs/view/artefact.php @@ -87,13 +87,13 @@ $artefactpath[] = array( 'title' => $artefact->display_title(), ); -$heading = '' . hsc($view->get('title')) . ' ' . get_string('by', 'view') . ' ' . $view->formatted_owner() . ''; +$heading = '' . hsc($view->get('title')) . ' ' . get_string('by', 'view') . ' ' . hsc($view->formatted_owner()) . ''; foreach ($artefactpath as $item) { if (empty($item['url'])) { - $heading .= ': ' . $item['title']; + $heading .= ': ' . hsc($item['title']); } else { - $heading .= ': ' . $item['title'] . ''; + $heading .= ': ' . hsc($item['title']) . ''; } } diff --git a/htdocs/view/view.php b/htdocs/view/view.php index ebe6fde..4113f28 100644 --- a/htdocs/view/view.php +++ b/htdocs/view/view.php @@ -49,7 +49,7 @@ if ($new) { else { $heading = '' . hsc($view->get('title')) . ''; } -$heading .= ' ' . get_string('by', 'view') . ' ' . $view->formatted_owner() . ''; +$heading .= ' ' . get_string('by', 'view') . ' ' . hsc($view->formatted_owner()) . ''; $tutorfilefeedbackformrow = '';
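Review bot: Wrapping `$view->formatted_owner()` in `hsc()` is only correct if that method returns plain text; if it already returns markup or pre-escaped text this double-encodes, so confirm against its definition, and likewise for `$artefact->display_title()`, which feeds `$item['title']`. In the `else` branch of the artefact.php loop, `$item['url']` is concatenated into the link next to the now-escaped title and should go through `hsc()` as well if it lands in an attribute. The same `formatted_owner()` change appears in the htdocs/view/view.php hunk.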