From eb0d7f2dc22069ba2b968f01c6cf53fc847d1394 Mon Sep 17 00:00:00 2001 From: stephen waite Date: Sat, 6 Jan 2024 12:09:36 -0500 Subject: [PATCH] chore: replace htmlspecialchars with escaping functions for recent commit (#7146) * chore: replace htmlspecialchars with escaping functions * fix ups * fix: mpdf fatal error * Jerry's catch * Brady's catch * revert for own issue/per --- library/custom_template/ajax_code.php | 32 +++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/library/custom_template/ajax_code.php b/library/custom_template/ajax_code.php index ee0f9b80978..969fd7ac96c 100644 --- a/library/custom_template/ajax_code.php +++ b/library/custom_template/ajax_code.php @@ -50,12 +50,12 @@ sqlStatement("INSERT INTO template_users (tu_user_id,tu_template_id) VALUES (?,?)", array($_SESSION['authUserID'], $newid)); } echo ""; } @@ -91,12 +91,12 @@ $i = 0; while ($row = sqlFetchArray($res)) { $i++; - echo "" . text($i) . "" . htmlspecialchars($row['cl_list_item_long'], ENT_QUOTES) . ""; + echo "" . text($i) . "" . text($row['cl_list_item_long']) . ""; } echo ""; } else { echo ""; - echo ""; + echo ""; echo "
" . htmlspecialchars(xl('No items under selected category'), ENT_QUOTES) . "
" . xlt('No items under selected category') . "
"; } $Source = "add_template"; @@ -104,9 +104,9 @@ $sql = sqlStatement("SELECT * FROM template_users WHERE tu_template_id=? AND tu_user_id=?", array($item, $list_id)); $cnt = sqlNumRows($sql); if ($cnt) { - echo htmlspecialchars(xl("OK"), ENT_QUOTES); + echo xlt("OK"); } else { - echo htmlspecialchars(xl("FAIL"), ENT_QUOTES); + echo xlt("FAIL"); } $Source = "add_template"; } elseif ($Source == 'display_item') { @@ -115,7 +115,7 @@ echo ""; $Source = "add_template"; @@ -127,7 +127,7 @@ $i++; $users .= $i . ")" . $row['fname'] . " " . $row['lname'] . "\n"; } - echo htmlspecialchars($users, ENT_QUOTES); + echo text($users); $Source = "add_template"; } elseif ($Source == 'delete_full_category') { sqlStatement("UPDATE customlists SET cl_deleted=? WHERE cl_list_slno=?", array(1, $templateid)); @@ -157,22 +157,22 @@ $i = 0; while ($row = sqlFetchArray($res)) { $i++; - echo "
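Review bot: The `+ echo text($users);` line in the @@ -127 hunk changes the escaping level, not only the call site: the removed line used `ENT_QUOTES`, while `text()` in this codebase is, to my knowledge, the `ENT_NOQUOTES` wrapper, so `"` and `'` in `fname`/`lname` now pass through unescaped. That is only equivalent if the AJAX consumer inserts the response as element content; if it lands in an attribute or inline script, `attr()` (the `ENT_QUOTES` helper) or a JS-aware escaper is the matching replacement, and a one-line comment such as `// response is rendered as element text; use attr() if this ever feeds an attribute` would pin the assumption. The same `htmlspecialchars(..., ENT_QUOTES)` → `text()`/`xlt()` substitution is made in the @@ -91 and @@ -157 hunks; the markup around those echoes is not legible in this rendering, so wherever an escaped value sits inside an attribute the same caveat applies. The enclosing `elseif` chain for all of these hunks starts and ends outside the hunks.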
  • "; + echo "
  • "; if (AclMain::aclCheckCore('nationnotes', 'nn_configure')) { - echo ""; + echo ""; } - echo "
    " . htmlspecialchars($row['cl_list_item_long'], ENT_QUOTES) . "
    "; + echo "
    " . text($row['cl_list_item_long']) . "
    "; if (AclMain::aclCheckCore('nationnotes', 'nn_configure')) { - echo ""; - echo ""; + echo ""; + echo ""; } echo "
  • "; } if (AclMain::aclCheckCore('nationnotes', 'nn_configure') && $templateid) { - echo "
  • " . htmlspecialchars(xl('Click to add new components'), ENT_QUOTES); + echo "
  • " . xlt('Click to add new components'); echo "
  • "; + echo ""; } }