authorFrédéric Guillot <contact@fredericguillot.com>2014-02-24 18:29:09 -0500
committerFrédéric Guillot <contact@fredericguillot.com>2014-02-24 18:29:09 -0500
commit8159cc99a64cfe563dccea6821348764fc40fb85 (patch)
tree9904848c2d517ff8e5a28e47d31aa17e7cfd9c70
parent64e2e072294563b7c834382c2de631687f235fe8 (diff)
Improve HTML escaping
-rw-r--r--lib/translator.php6
-rw-r--r--templates/board_remove.php2
-rw-r--r--templates/config_index.php9
-rw-r--r--templates/project_remove.php2
-rw-r--r--templates/user_index.php2
-rw-r--r--templates/user_remove.php2
6 files changed, 14 insertions, 9 deletions
diff --git a/lib/translator.php b/lib/translator.php
index d9d9a84a..75d40a23 100644
--- a/lib/translator.php
+++ b/lib/translator.php
@@ -11,6 +11,10 @@ namespace Translator {
\array_shift($args);
\array_unshift($args, get($identifier, $identifier));
+ foreach ($args as &$arg) {
+ $arg = htmlspecialchars($arg, ENT_QUOTES, 'UTF-8', false);
+ }
+
return \call_user_func_array(
'sprintf',
$args
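Review bot: The by-reference loop added at the top of the hunk leaves `$arg` bound to the last element of `$args` once it finishes; add `unset($arg);` after the loop's closing brace so any later reuse of that name cannot silently overwrite the final sprintf argument. The loop also escapes element 0, which is the translated format string pushed in by the preceding `\array_unshift`, so a translation that deliberately carries markup or entities will now render escaped; if only caller-supplied values are meant to be escaped, run the loop before the `\array_unshift` call instead. Since every `t()` call site now receives HTML-escaped output, the function's docblock (outside this hunk) should state that the return value is safe for HTML body context only, not for attributes or script. The enclosing function starts before and ends after this hunk.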
@@ -77,7 +81,6 @@ namespace Translator {
foreach ($dir as $fileinfo) {
if (strpos($fileinfo->getFilename(), '.php') !== false) {
-
$locales = array_merge($locales, include $fileinfo->getPathname());
}
}
@@ -91,7 +94,6 @@ namespace Translator {
static $values = array();
if ($locales !== null) {
-
$values = $locales;
}
diff --git a/templates/board_remove.php b/templates/board_remove.php
index c95c8a28..b406eb38 100644
--- a/templates/board_remove.php
+++ b/templates/board_remove.php
@@ -5,7 +5,7 @@
<div class="confirm">
<p class="alert alert-info">
- <?= t('Do you really want to remove this column: "%s"?', Helper\escape($column['title'])) ?>
+ <?= t('Do you really want to remove this column: "%s"?', $column['title']) ?>
<?= t('This action will REMOVE ALL TASKS associated to this column!') ?>
</p>
diff --git a/templates/config_index.php b/templates/config_index.php
index 5012538a..d94ee8b9 100644
--- a/templates/config_index.php
+++ b/templates/config_index.php
@@ -27,7 +27,10 @@
<?= t('Webhooks token:') ?>
<strong><?= Helper\escape($values['webhooks_token']) ?></strong>
</li>
- <li><?= t('Database size:') ?> <strong><?= Helper\format_bytes($db_size) ?></strong></li>
+ <li>
+ <?= t('Database size:') ?>
+ <strong><?= Helper\format_bytes($db_size) ?></strong>
+ </li>
<li>
<a href="?controller=config&amp;action=downloadDb"><?= t('Download the database') ?></a>
<?= t('(Gzip compressed Sqlite file)') ?>
@@ -38,7 +41,7 @@
</li>
<li>
<?= t('Official website:') ?>
- <a href="http://kanboard.net/" target="_blank">http://kanboard.net/</a>
+ <a href="http://kanboard.net/" target="_blank" rel="noreferer">http://kanboard.net/</a>
</li>
<li>
<?= t('Application version:') ?>
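Review bot: The `rel` attribute on the new link is misspelled: `rel="noreferer"` is not a recognised link type, so browsers ignore it and the `target="_blank"` anchor still sends the Referer header and gives the opened page a `window.opener` handle. Change it to `rel="noopener noreferrer"`, which covers both the referrer leak and the opener reference.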
@@ -55,7 +58,7 @@
<ul>
<li>
<strong><?= t('My default project:') ?> </strong>
- <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? $projects[$user['default_project_id']] : t('None') ?>,
+ <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? Helper\escape($projects[$user['default_project_id']]) : t('None') ?>,
<a href="?controller=user&amp;action=edit&amp;user_id=<?= $user['id'] ?>"><?= t('edit') ?></a>
</li>
</ul>
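Review bot: The escaping added around the default project name leaves the adjacent `user_id=<?= $user['id'] ?>` in the edit link one line below still written raw into the href attribute. It is presumably an integer row id from the database, but an explicit `(int) $user['id']` or `Helper\escape($user['id'])` would keep the attribute safe regardless of where the value came from, which fits the intent of this commit. The same unescaped `user_id=<?= $user['id'] ?>` appears on the Yes link in the templates/user_remove.php hunk.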
diff --git a/templates/project_remove.php b/templates/project_remove.php
index f63c4031..e9f213b5 100644
--- a/templates/project_remove.php
+++ b/templates/project_remove.php
@@ -5,7 +5,7 @@
<div class="confirm">
<p class="alert alert-info">
- <?= t('Do you really want to remove this project: "%s"?', Helper\escape($project['name'])) ?>
+ <?= t('Do you really want to remove this project: "%s"?', $project['name']) ?>
</p>
<div class="form-actions">
diff --git a/templates/user_index.php b/templates/user_index.php
index 4b539599..ccc955fc 100644
--- a/templates/user_index.php
+++ b/templates/user_index.php
@@ -27,7 +27,7 @@
<?= $user['is_admin'] ? t('Yes') : t('No') ?>
</td>
<td>
- <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? $projects[$user['default_project_id']] : t('None'); ?>
+ <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? Helper\escape($projects[$user['default_project_id']]) : t('None'); ?>
</td>
<td>
<?php if (Helper\is_admin() || Helper\is_current_user($user['id'])): ?>
diff --git a/templates/user_remove.php b/templates/user_remove.php
index e1dc6f7b..a4db2e4a 100644
--- a/templates/user_remove.php
+++ b/templates/user_remove.php
@@ -4,7 +4,7 @@
</div>
<div class="confirm">
- <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', Helper\escape($user['username'])) ?></p>
+ <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', $user['username']) ?></p>
<div class="form-actions">
<a href="?controller=user&amp;action=remove&amp;user_id=<?= $user['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>