| author | Greg Roach <fisharebest@gmail.com> | 2017-07-14 12:44:23 +0100 |
|---|---|---|
| committer | Greg Roach <fisharebest@gmail.com> | 2017-07-14 13:35:55 +0100 |
| commit | 8e9cdb727c36f76f647caf000fa4dc42fb0a9239 (patch) | |
| tree | b069b61d46077507de183cdce77bc5bee75d0a85 | |
| parent | 05b65cdc67f48edd7cdfee0c19322afaafce90c8 (diff) | |
| download | webtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.tar.gz webtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.tar.bz2 webtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.zip | |
Review escaping
| -rw-r--r-- | admin_media.php | 5 | ||||
| -rw-r--r-- | admin_users.php | 3 | ||||
| -rw-r--r-- | app/Module/GoogleMapsModule.php | 2 | ||||
| -rw-r--r-- | includes/session.php | 2 |
4 files changed, 5 insertions, 7 deletions
diff --git a/admin_media.php b/admin_media.php
index 0c945b2831..98deb8c626 100644
--- a/admin_media.php
+++ b/admin_media.php
@@ -50,7 +50,7 @@ $delete_file = Filter::post('delete');
 if ($delete_file) {
 $controller = new AjaxController;
 // Only delete valid (i.e. unused) media files
- $media_folder = Filter::post('media_folder', null, ''); // MySQL needs an empty string, not NULL
+ $media_folder = Filter::post('media_folder');
 $disk_files = all_disk_files($media_folder, '', 'include', '');
 // Check file exists? Maybe it was already deleted or renamed.
 if (in_array($delete_file, $disk_files)) {
@@ -312,9 +312,8 @@ case 'load_json':
 }
 }
- $conf = I18N::translate('Are you sure you want to delete “%s”?', Html::escape($unused_file));
 $delete_link =
- '<p><a onclick="if (confirm(\'' . $conf . '\')) jQuery.post(\'admin_media.php\',{delete:\'' . Html::escape($media_path . $unused_file) . '\',media_folder:\'' . Html::escape($media_folder) . '\'},function(){location.reload();})" href="#">' . I18N::translate('Delete') . '</a></p>';
+ '<p><a data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($unused_file)) . '" data-file="' . Html::escape($media_path . $unused_file) . '" data-folder="' . Html::escape($media_folder) . '" onclick="if (confirm(this.dataset.confirm)) jQuery.post(\'admin_media.php\',{delete: this.dataset.file, media_folder: this.dataset.folder},function(){location.reload();})" href="#">' . I18N::translate('Delete') . '</a></p>';
 $data[] = [
 mediaFileInfo($media_folder, $media_path, $unused_file) . $delete_link,
diff --git a/admin_users.php b/admin_users.php
index 9d0e5b3cfc..0dda504872 100644
--- a/admin_users.php
+++ b/admin_users.php
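Review bot: Dropping the explicit `''` third argument from `Filter::post('media_folder')` changes what `$media_folder` holds when the field is missing, and the comment being removed says the empty string was deliberate ("MySQL needs an empty string, not NULL"); unless `Filter::post` itself now defaults to `''`, a null will flow into `all_disk_files()` and into whatever runs after the `in_array` gate. Either confirm that against `Filter::post`'s signature or keep the guarantee local: `$media_folder = (string) Filter::post('media_folder');`. Separately, `in_array($delete_file, $disk_files)` is the only check between a POSTed file name and a deletion, so it should compare strictly, `in_array($delete_file, $disk_files, true)`, rather than with loose `==` semantics. The delete branch continues past the end of this hunk, so any later use of `$media_folder` is not visible here.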
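Review bot: The rebuilt `jQuery.post('admin_media.php', {delete: …, media_folder: …})` call still sends no CSRF token, and the server-side delete branch in the earlier hunk (line 50) shows no token check in view; if none exists outside these hunks, a cross-site POST from an attacker page can delete unused media files in an administrator's session, which is a state change worth gating. Include the session's CSRF token as a third field in the posted object and verify it in the `if ($delete_file)` branch before `all_disk_files()` is called. Moving the file and folder names into `data-*` attributes and reading `this.dataset` does fix the old `confirm('…')` string-splicing problem, but it now relies on `Html::escape` encoding `"` (i.e. `ENT_QUOTES`), since the values sit inside double-quoted attributes; that is presumably the case but is worth confirming. The `load_json` case this belongs to starts and ends outside the hunk.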
@@ -202,8 +202,7 @@ case 'load_json':
 $user_name = $datum[2];
 if ($user_id != Auth::id()) {
- $admin_options = '<li><a href="#" onclick="return masquerade(' . $user_id . ')"><i class="fa fa-fw fa-user"></i> ' . /* I18N: Pretend to be another user, by logging in as them */
- I18N::translate('Masquerade as this user') . '</a></li>' . '<li><a href="#" data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($user_name)) . '" onclick="delete_user(this.dataset.confirm, ' . Filter::escapeJs($user_id) . ');"><i class="fa fa-fw fa-trash-o"></i> ' . I18N::translate('Delete') . '</a></li>';
+ $admin_options = '<li><a href="#" onclick="return masquerade(' . $user_id . ')"><i class="fa fa-fw fa-user"></i> ' . /* I18N: Pretend to be another user, by logging in as them */ I18N::translate('Masquerade as this user') . '</a></li>' . '<li><a href="#" data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($user_name)) . '" onclick="delete_user(this.dataset.confirm, ' . $user_id . ');"><i class="fa fa-fw fa-trash-o"></i> ' . I18N::translate('Delete') . '</a></li>';
 } else {
 // Do not delete ourself!
 $admin_options = '';
diff --git a/app/Module/GoogleMapsModule.php b/app/Module/GoogleMapsModule.php
index 8b1b7d93d7..4f2d29cbd1 100644
--- a/app/Module/GoogleMapsModule.php
+++ b/app/Module/GoogleMapsModule.php
@@ -2596,7 +2596,7 @@ class GoogleMapsModule extends AbstractModule implements ModuleConfigInterface,
 var map;
 var marker;
 var zoom;
- var pl_name = '<?= Filter::escapeJs($record->pl_place) ?>';
+ var pl_name = <?= json_encode($record->pl_place) ?>;
 var latlng = new google.maps.LatLng(<?= $latitude ?>, <?= $longitude ?>);
 var pl_zoom = <?= $record->pl_zoom ?>;
 var polygon1;
diff --git a/includes/session.php b/includes/session.php
index 092b576ad2..2379db328c 100644
--- a/includes/session.php
+++ b/includes/session.php
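Review bot: The new `$admin_options` line splices `$user_id` unescaped into an HTML attribute and into two JavaScript calls (`masquerade(…)` and `delete_user(…, …)`), and the commit removes the only escaping it had (`Filter::escapeJs`); this is safe only if `$datum[0]` is guaranteed numeric by the query, which is not visible in the hunk. Make the guarantee local instead of relying on the column type: cast once, e.g. `$user_id = (int) $user_id;` before the `if`, or write `' . (int) $user_id . '` in both places. While there, `$user_id != Auth::id()` uses a loose comparison; with the cast in place it can become `!==`. The enclosing `case 'load_json'` block starts and ends outside this hunk.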
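Review bot: `json_encode($record->pl_place)` returns `false` on malformed UTF-8 (a legacy single-byte place name would do it), and `false` echoes as nothing, so the generated line becomes `var pl_name = ;`, a JavaScript syntax error that aborts the whole map script. For a value emitted inside a `<script>` element, also pass the HTML-context flags so `<`, `>`, `&`, `'` and `"` are hex-escaped: `var pl_name = <?= json_encode($record->pl_place, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""' ?>;` (the default `\/` escaping already keeps `</script>` from terminating the element, but the explicit flags make that intent readable). The neighbouring `<?= $latitude ?>`, `<?= $longitude ?>` and `<?= $record->pl_zoom ?>` are still emitted raw; if they can be anything but numeric they deserve `(float)`/`(int)` casts in the same spirit. The enclosing method begins and ends outside this hunk.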
@@ -36,7 +36,7 @@ define('WT_VERSION', '1.8.0-dev');
 define('WT_WEBTREES_URL', 'https://www.webtrees.net/');
 // Resources have version numbers in the URL, so that they can be cached indefinitely.
-define('WT_STATIC_URL', getenv('STATIC_URL')); // We could set this to load our own static resources from a cookie-free domain.
+define('WT_STATIC_URL', (string) getenv('STATIC_URL')); // We could set this to load our own static resources from a cookie-free domain.
 define('WT_BOOTSTRAP_CSS_URL', 'https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css');
 define('WT_BOOTSTRAP_DATETIMEPICKER_CSS_URL', WT_STATIC_URL . 'packages/bootstrap-datetimepicker-4.17.37/css/bootstrap-datetimepicker.min.css');
 |
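Review bot: `(string) getenv('STATIC_URL')` correctly turns the `false` of an unset variable into `''`, but a value set without a trailing slash silently yields asset URLs like `https://cdn.example.compackages/…` in the `WT_STATIC_URL . 'packages/…'` concatenations below, and a misloaded stylesheet or script is hard to trace back to this line. Normalise the non-empty case while keeping the empty case empty, e.g. `$static_url = (string) getenv('STATIC_URL');` followed by `define('WT_STATIC_URL', $static_url === '' ? '' : rtrim($static_url, '/') . '/');`. A short comment stating the contract, `// Empty means "serve from this host"; otherwise an absolute URL ending in '/'`, would also help the next person who sets the variable.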
