authorGreg Roach <fisharebest@gmail.com>2017-07-14 12:44:23 +0100
committerGreg Roach <fisharebest@gmail.com>2017-07-14 13:35:55 +0100
commit8e9cdb727c36f76f647caf000fa4dc42fb0a9239 (patch)
treeb069b61d46077507de183cdce77bc5bee75d0a85
parent05b65cdc67f48edd7cdfee0c19322afaafce90c8 (diff)
downloadwebtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.tar.gz
webtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.tar.bz2
webtrees-8e9cdb727c36f76f647caf000fa4dc42fb0a9239.zip
Review escaping
-rw-r--r--admin_media.php5
-rw-r--r--admin_users.php3
-rw-r--r--app/Module/GoogleMapsModule.php2
-rw-r--r--includes/session.php2
4 files changed, 5 insertions, 7 deletions
diff --git a/admin_media.php b/admin_media.php
index 0c945b2831..98deb8c626 100644
--- a/admin_media.php
+++ b/admin_media.php
@@ -50,7 +50,7 @@ $delete_file = Filter::post('delete');
if ($delete_file) {
$controller = new AjaxController;
// Only delete valid (i.e. unused) media files
- $media_folder = Filter::post('media_folder', null, ''); // MySQL needs an empty string, not NULL
+ $media_folder = Filter::post('media_folder');
$disk_files = all_disk_files($media_folder, '', 'include', '');
// Check file exists? Maybe it was already deleted or renamed.
if (in_array($delete_file, $disk_files)) {
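Review bot: `in_array($delete_file, $disk_files)` is the only check between the POSTed `delete` value and the file removal, and it is a loose comparison; use `in_array($delete_file, $disk_files, true)` so numeric-looking names (`"10"` vs `"1e1"`) cannot match a different entry. The change also drops the `''` default, so when `media_folder` is missing from the POST `$media_folder` presumably becomes null rather than an empty string — worth confirming that `all_disk_files()` and the deletion code below tolerate that, since the removed comment says a downstream query needed a string. The delete handler's body continues past the hunk.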
@@ -312,9 +312,8 @@ case 'load_json':
}
}
- $conf = I18N::translate('Are you sure you want to delete “%s”?', Html::escape($unused_file));
$delete_link =
- '<p><a onclick="if (confirm(\'' . $conf . '\')) jQuery.post(\'admin_media.php\',{delete:\'' . Html::escape($media_path . $unused_file) . '\',media_folder:\'' . Html::escape($media_folder) . '\'},function(){location.reload();})" href="#">' . I18N::translate('Delete') . '</a></p>';
+ '<p><a data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($unused_file)) . '" data-file="' . Html::escape($media_path . $unused_file) . '" data-folder="' . Html::escape($media_folder) . '" onclick="if (confirm(this.dataset.confirm)) jQuery.post(\'admin_media.php\',{delete: this.dataset.file, media_folder: this.dataset.folder},function(){location.reload();})" href="#">' . I18N::translate('Delete') . '</a></p>';
$data[] = [
mediaFileInfo($media_folder, $media_path, $unused_file) . $delete_link,
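Review bot: The `jQuery.post` payload on the new line carries only `delete` and `media_folder` and no CSRF token, and the delete handler visible at the top of this file (`if ($delete_file) {`) shows no token check either; unless one is enforced outside the hunk, a logged-in admin who opens a hostile page can be made to delete media files. If the handler does (or will) check a token, add it to the payload, e.g. `{delete: this.dataset.file, media_folder: this.dataset.folder, csrf: this.dataset.csrf}` with a matching `data-csrf="..."` attribute filled from whatever token helper `Filter` provides. The move of the file name and folder into `data-*` attributes is the right fix for the attribute/JS double-escaping, so this note is only about the request itself.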
diff --git a/admin_users.php b/admin_users.php
index 9d0e5b3cfc..0dda504872 100644
--- a/admin_users.php
+++ b/admin_users.php
@@ -202,8 +202,7 @@ case 'load_json':
$user_name = $datum[2];
if ($user_id != Auth::id()) {
- $admin_options = '<li><a href="#" onclick="return masquerade(' . $user_id . ')"><i class="fa fa-fw fa-user"></i> ' . /* I18N: Pretend to be another user, by logging in as them */
- I18N::translate('Masquerade as this user') . '</a></li>' . '<li><a href="#" data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($user_name)) . '" onclick="delete_user(this.dataset.confirm, ' . Filter::escapeJs($user_id) . ');"><i class="fa fa-fw fa-trash-o"></i> ' . I18N::translate('Delete') . '</a></li>';
+ $admin_options = '<li><a href="#" onclick="return masquerade(' . $user_id . ')"><i class="fa fa-fw fa-user"></i> ' . /* I18N: Pretend to be another user, by logging in as them */ I18N::translate('Masquerade as this user') . '</a></li>' . '<li><a href="#" data-confirm="' . I18N::translate('Are you sure you want to delete “%s”?', Html::escape($user_name)) . '" onclick="delete_user(this.dataset.confirm, ' . $user_id . ');"><i class="fa fa-fw fa-trash-o"></i> ' . I18N::translate('Delete') . '</a></li>';
} else {
// Do not delete ourself!
$admin_options = '';
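Review bot: The new line drops `Filter::escapeJs($user_id)` and interpolates `$user_id` bare into `delete_user(this.dataset.confirm, ...)` inside an `onclick` attribute, with no escaping for either the JS or the attribute context — the `masquerade(...)` call on the same line already did this. That is only safe if `$user_id` is guaranteed numeric, which the hunk does not show (it is taken from `$datum` above the hunk); make the assumption explicit with `(int) $user_id` in both calls so a non-numeric value can never reach the script. The `load_json` case continues outside the hunk.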
diff --git a/app/Module/GoogleMapsModule.php b/app/Module/GoogleMapsModule.php
index 8b1b7d93d7..4f2d29cbd1 100644
--- a/app/Module/GoogleMapsModule.php
+++ b/app/Module/GoogleMapsModule.php
@@ -2596,7 +2596,7 @@ class GoogleMapsModule extends AbstractModule implements ModuleConfigInterface,
var map;
var marker;
var zoom;
- var pl_name = '<?= Filter::escapeJs($record->pl_place) ?>';
+ var pl_name = <?= json_encode($record->pl_place) ?>;
var latlng = new google.maps.LatLng(<?= $latitude ?>, <?= $longitude ?>);
var pl_zoom = <?= $record->pl_zoom ?>;
var polygon1;
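Review bot: `json_encode($record->pl_place)` returns `false` on invalid UTF-8, which would emit `var pl_name = ;` and break the whole script block; since place names come from the database, check the result for `false` (or use `JSON_INVALID_UTF8_SUBSTITUTE` where PHP 7.2+ is available) and fall back to `'""'`. Passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` as well keeps the value safe if this template is ever moved into an attribute context. The neighbouring `$latitude`, `$longitude` and `$record->pl_zoom` are still interpolated raw into JavaScript; unless they are validated upstream, `new google.maps.LatLng(<?= (float) $latitude ?>, <?= (float) $longitude ?>);` and `var pl_zoom = <?= (int) $record->pl_zoom ?>;` would close that gap. The surrounding script block starts and ends outside the hunk.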
diff --git a/includes/session.php b/includes/session.php
index 092b576ad2..2379db328c 100644
--- a/includes/session.php
+++ b/includes/session.php
@@ -36,7 +36,7 @@ define('WT_VERSION', '1.8.0-dev');
define('WT_WEBTREES_URL', 'https://www.webtrees.net/');
// Resources have version numbers in the URL, so that they can be cached indefinitely.
-define('WT_STATIC_URL', getenv('STATIC_URL')); // We could set this to load our own static resources from a cookie-free domain.
+define('WT_STATIC_URL', (string) getenv('STATIC_URL')); // We could set this to load our own static resources from a cookie-free domain.
define('WT_BOOTSTRAP_CSS_URL', 'https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css');
define('WT_BOOTSTRAP_DATETIMEPICKER_CSS_URL', WT_STATIC_URL . 'packages/bootstrap-datetimepicker-4.17.37/css/bootstrap-datetimepicker.min.css');
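Review bot: The cast turns an unset `STATIC_URL` into an empty string, so the concatenations below yield relative paths such as `packages/...`, and a value without a trailing slash yields `example.compackages/...`; neither behaviour is stated in the comment. I would extend it to `// STATIC_URL, if set, must end in '/'; when unset, getenv() returns false and the cast yields '', so resources are loaded relative to the current page.` Because this environment variable decides which origin the site's scripts and stylesheets are fetched from, the deployment documentation should also say it must point at a host the operator controls.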