Merge branch 'saas-dev' into soundcloud
This commit is contained in:
Duncan Sommerville
commit
02e0537be9
|
|
@ -24,6 +24,7 @@ require_once "FileIO.php";
|
||||||
require_once "OsPath.php";
|
require_once "OsPath.php";
|
||||||
require_once "Database.php";
|
require_once "Database.php";
|
||||||
require_once "ProvisioningHelper.php";
|
require_once "ProvisioningHelper.php";
|
||||||
|
require_once "SecurityHelper.php";
|
||||||
require_once "GoogleAnalytics.php";
|
require_once "GoogleAnalytics.php";
|
||||||
require_once "Timezone.php";
|
require_once "Timezone.php";
|
||||||
require_once "Auth.php";
|
require_once "Auth.php";
|
||||||
|
|
|
||||||
|
|
@ -112,8 +112,12 @@ class ProvisioningHelper
|
||||||
$this->dbowner = $_POST['dbowner'];
|
$this->dbowner = $_POST['dbowner'];
|
||||||
$this->instanceId = $_POST['instanceid'];
|
$this->instanceId = $_POST['instanceid'];
|
||||||
|
|
||||||
$this->stationName = $_POST['station_name'];
|
if (isset($_POST['station_name'])) {
|
||||||
$this->description = $_POST['description'];
|
$this->stationName = $_POST['station_name'];
|
||||||
|
}
|
||||||
|
if (isset($_POST['description'])) {
|
||||||
|
$this->description = $_POST['description'];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,15 @@
|
||||||
<?php
|
<?php
|
||||||
/**
|
|
||||||
* Created by PhpStorm.
|
|
||||||
* User: asantoni
|
|
||||||
* Date: 12/06/15
|
|
||||||
* Time: 12:24 PM
|
|
||||||
*/
|
|
||||||
|
|
||||||
class SecurityHelper {
|
class SecurityHelper {
|
||||||
|
|
||||||
|
public static function htmlescape_recursive(&$arr) {
|
||||||
|
foreach ($arr as $key => $val) {
|
||||||
|
if (is_array($val)) {
|
||||||
|
self::htmlescape_recursive($arr[$key]);
|
||||||
|
} else if (is_string($val)) {
|
||||||
|
$arr[$key] = htmlspecialchars($val, ENT_QUOTES);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $arr;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -46,13 +46,14 @@ class WidgetHelper
|
||||||
);
|
);
|
||||||
|
|
||||||
$result[$dow[$i]] = $shows;
|
$result[$dow[$i]] = $shows;
|
||||||
|
|
||||||
// XSS exploit prevention
|
|
||||||
self::convertSpecialChars($result, array("name", "url"));
|
|
||||||
// convert image paths to point to api endpoints
|
|
||||||
self::findAndConvertPaths($result);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// XSS exploit prevention
|
||||||
|
SecurityHelper::htmlescape_recursive($result);
|
||||||
|
|
||||||
|
// convert image paths to point to api endpoints
|
||||||
|
self::findAndConvertPaths($result);
|
||||||
|
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -124,37 +125,18 @@ class WidgetHelper
|
||||||
}
|
}
|
||||||
$result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows;
|
$result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows;
|
||||||
|
|
||||||
// XSS exploit prevention
|
|
||||||
self::convertSpecialChars($result, array("name", "url"));
|
|
||||||
// convert image paths to point to api endpoints
|
|
||||||
self::findAndConvertPaths($result);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
$weekCounter += 1;
|
$weekCounter += 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
// XSS exploit prevention
|
||||||
* Go through a given array and sanitize any potentially exploitable fields
|
SecurityHelper::htmlescape_recursive($result);
|
||||||
* by passing them through htmlspecialchars
|
|
||||||
*
|
// convert image paths to point to api endpoints
|
||||||
* @param unknown $arr the array to sanitize
|
self::findAndConvertPaths($result);
|
||||||
* @param unknown $keys indexes of values to be sanitized
|
|
||||||
*/
|
return $result;
|
||||||
public static function convertSpecialChars(&$arr, $keys)
|
|
||||||
{
|
|
||||||
foreach ($arr as &$a) {
|
|
||||||
if (is_array($a)) {
|
|
||||||
foreach ($keys as &$key) {
|
|
||||||
if (array_key_exists($key, $a)) {
|
|
||||||
$a[$key] = htmlspecialchars($a[$key]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
self::convertSpecialChars($a, $keys);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -199,9 +199,7 @@ class ApiController extends Zend_Controller_Action
|
||||||
} else {
|
} else {
|
||||||
$result = Application_Model_Schedule::GetPlayOrderRangeOld($limit);
|
$result = Application_Model_Schedule::GetPlayOrderRangeOld($limit);
|
||||||
}
|
}
|
||||||
|
|
||||||
// XSS exploit prevention
|
|
||||||
WidgetHelper::convertSpecialChars($result, array("name", "url"));
|
|
||||||
// apply user-defined timezone, or default to station
|
// apply user-defined timezone, or default to station
|
||||||
Application_Common_DateHelper::convertTimestampsToTimezone(
|
Application_Common_DateHelper::convertTimestampsToTimezone(
|
||||||
$result['currentShow'],
|
$result['currentShow'],
|
||||||
|
|
@ -218,6 +216,10 @@ class ApiController extends Zend_Controller_Action
|
||||||
$result["schedulerTime"] = Application_Common_DateHelper::UTCStringToTimezoneString($result["schedulerTime"], $timezone);
|
$result["schedulerTime"] = Application_Common_DateHelper::UTCStringToTimezoneString($result["schedulerTime"], $timezone);
|
||||||
$result["timezone"] = $upcase ? strtoupper($timezone) : $timezone;
|
$result["timezone"] = $upcase ? strtoupper($timezone) : $timezone;
|
||||||
$result["timezoneOffset"] = Application_Common_DateHelper::getTimezoneOffset($timezone);
|
$result["timezoneOffset"] = Application_Common_DateHelper::getTimezoneOffset($timezone);
|
||||||
|
|
||||||
|
// XSS exploit prevention
|
||||||
|
SecurityHelper::htmlescape_recursive($result);
|
||||||
|
|
||||||
// convert image paths to point to api endpoints
|
// convert image paths to point to api endpoints
|
||||||
WidgetHelper::findAndConvertPaths($result);
|
WidgetHelper::findAndConvertPaths($result);
|
||||||
|
|
||||||
|
|
@ -288,10 +290,12 @@ class ApiController extends Zend_Controller_Action
|
||||||
|
|
||||||
$result = Application_Model_Schedule::GetPlayOrderRange($utcTimeEnd, $showsToRetrieve);
|
$result = Application_Model_Schedule::GetPlayOrderRange($utcTimeEnd, $showsToRetrieve);
|
||||||
|
|
||||||
// XSS exploit prevention
|
|
||||||
WidgetHelper::convertSpecialChars($result, array("name", "url"));
|
|
||||||
// apply user-defined timezone, or default to station
|
// apply user-defined timezone, or default to station
|
||||||
$this->applyLiveTimezoneAdjustments($result, $timezone, $upcase);
|
$this->applyLiveTimezoneAdjustments($result, $timezone, $upcase);
|
||||||
|
|
||||||
|
// XSS exploit prevention
|
||||||
|
SecurityHelper::htmlescape_recursive($result);
|
||||||
|
|
||||||
// convert image paths to point to api endpoints
|
// convert image paths to point to api endpoints
|
||||||
WidgetHelper::findAndConvertPaths($result);
|
WidgetHelper::findAndConvertPaths($result);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ class EmbedController extends Zend_Controller_Action
|
||||||
$this->view->jquery = Application_Common_HTTPHelper::getStationUrl() . "js/libs/jquery-1.10.2.js";
|
$this->view->jquery = Application_Common_HTTPHelper::getStationUrl() . "js/libs/jquery-1.10.2.js";
|
||||||
$this->view->muses_swf = Application_Common_HTTPHelper::getStationUrl() . "js/airtime/player/muses.swf";
|
$this->view->muses_swf = Application_Common_HTTPHelper::getStationUrl() . "js/airtime/player/muses.swf";
|
||||||
$this->view->metadata_api_url = Application_Common_HTTPHelper::getStationUrl() . "api/live-info";
|
$this->view->metadata_api_url = Application_Common_HTTPHelper::getStationUrl() . "api/live-info";
|
||||||
$this->view->player_title = json_encode($request->getParam('title'));
|
$this->view->player_title = json_encode($this->view->escape($request->getParam('title')));
|
||||||
|
|
||||||
$styleParam = $request->getParam('style');
|
$styleParam = $request->getParam('style');
|
||||||
$player_style = isset($styleParam) ? $styleParam : "basic";
|
$player_style = isset($styleParam) ? $styleParam : "basic";
|
||||||
|
|
@ -98,7 +98,7 @@ class EmbedController extends Zend_Controller_Action
|
||||||
$weeklyScheduleData = WidgetHelper::getWeekInfoV2($this->getRequest()->getParam("timezone"));
|
$weeklyScheduleData = WidgetHelper::getWeekInfoV2($this->getRequest()->getParam("timezone"));
|
||||||
|
|
||||||
// Return only the current week's schedule data. In the future we may use the next week's data.
|
// Return only the current week's schedule data. In the future we may use the next week's data.
|
||||||
$this->view->weeklyScheduleData = $weeklyScheduleData[0];
|
$this->view->weeklyScheduleData = ($weeklyScheduleData[0]);
|
||||||
|
|
||||||
$currentDay = new DateTime("now", new DateTimeZone(Application_Model_Preference::GetTimezone()));
|
$currentDay = new DateTime("now", new DateTimeZone(Application_Model_Preference::GetTimezone()));
|
||||||
//day of the month without leading zeros (1 to 31)
|
//day of the month without leading zeros (1 to 31)
|
||||||
|
|
|
||||||
|
|
@ -407,7 +407,7 @@ class LibraryController extends Zend_Controller_Action
|
||||||
$this->view->sEcho = $r["sEcho"];
|
$this->view->sEcho = $r["sEcho"];
|
||||||
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
||||||
$this->view->iTotalRecords = $r["iTotalRecords"];
|
$this->view->iTotalRecords = $r["iTotalRecords"];
|
||||||
$this->view->files = $r["aaData"];
|
$this->view->files = SecurityHelper::htmlescape_recursive($r["aaData"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function editFileMdAction()
|
public function editFileMdAction()
|
||||||
|
|
|
||||||
|
|
@ -89,6 +89,7 @@ class PlayouthistoryController extends Zend_Controller_Action
|
||||||
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
||||||
$this->view->iTotalRecords = $r["iTotalRecords"];
|
$this->view->iTotalRecords = $r["iTotalRecords"];
|
||||||
$this->view->history = $r["history"];
|
$this->view->history = $r["history"];
|
||||||
|
$this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
|
||||||
}
|
}
|
||||||
catch (Exception $e) {
|
catch (Exception $e) {
|
||||||
Logging::info($e);
|
Logging::info($e);
|
||||||
|
|
@ -112,7 +113,9 @@ class PlayouthistoryController extends Zend_Controller_Action
|
||||||
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
$this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
|
||||||
$this->view->iTotalRecords = $r["iTotalRecords"];
|
$this->view->iTotalRecords = $r["iTotalRecords"];
|
||||||
$this->view->history = $r["history"];
|
$this->view->history = $r["history"];
|
||||||
}
|
$this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
|
||||||
|
|
||||||
|
}
|
||||||
catch (Exception $e) {
|
catch (Exception $e) {
|
||||||
Logging::info($e);
|
Logging::info($e);
|
||||||
Logging::info($e->getMessage());
|
Logging::info($e->getMessage());
|
||||||
|
|
@ -130,6 +133,7 @@ class PlayouthistoryController extends Zend_Controller_Action
|
||||||
|
|
||||||
$historyService = new Application_Service_HistoryService();
|
$historyService = new Application_Service_HistoryService();
|
||||||
$shows = $historyService->getShowList($startsDT, $endsDT);
|
$shows = $historyService->getShowList($startsDT, $endsDT);
|
||||||
|
$shows = SecurityHelper::htmlescape_recursive($shows);
|
||||||
|
|
||||||
$this->_helper->json->sendJson($shows);
|
$this->_helper->json->sendJson($shows);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -112,6 +112,6 @@ class PluploadController extends Zend_Controller_Action
|
||||||
$this->view->sEcho = intval($request->getParam('sEcho'));
|
$this->view->sEcho = intval($request->getParam('sEcho'));
|
||||||
$this->view->iTotalDisplayRecords = $numTotalDisplayUploads;
|
$this->view->iTotalDisplayRecords = $numTotalDisplayUploads;
|
||||||
$this->view->iTotalRecords = $numTotalRecentUploads;
|
$this->view->iTotalRecords = $numTotalRecentUploads;
|
||||||
$this->view->files = $uploadsArray;
|
$this->view->files = SecurityHelper::htmlescape_recursive($uploadsArray);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -980,7 +980,7 @@ class Application_Service_HistoryService
|
||||||
$this->populateTemplateItem($values, $id, $instanceId);
|
$this->populateTemplateItem($values, $id, $instanceId);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$json["form"] = $form;
|
$json["form"] = SecurityHelper::htmlescape_recursive($form);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $json;
|
return $json;
|
||||||
|
|
@ -1008,7 +1008,8 @@ class Application_Service_HistoryService
|
||||||
$this->populateTemplateFile($values, $id);
|
$this->populateTemplateFile($values, $id);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$json["error"] = $msgs;
|
$json["error"] = $form->getErrorMessages();
|
||||||
|
$json["error"] = SecurityHelper::htmlescape_recursive($json["error"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $json;
|
return $json;
|
||||||
|
|
|
||||||
|
|
@ -54,7 +54,7 @@ if (isset($this->obj)) {
|
||||||
<dl class="zend_form">
|
<dl class="zend_form">
|
||||||
<dt id="description-label"><label for="description"><?php echo _("Description") ?></label></dt>
|
<dt id="description-label"><label for="description"><?php echo _("Description") ?></label></dt>
|
||||||
<dd id="description-element">
|
<dd id="description-element">
|
||||||
<textarea cols="80" rows="24" id="description" name="description"><?php echo $this->obj->getDescription(); ?></textarea>
|
<textarea cols="80" rows="24" id="description" name="description"><?php echo $this->escape($this->obj->getDescription()); ?></textarea>
|
||||||
</dd>
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
</fieldset>
|
</fieldset>
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,7 @@
|
||||||
</head>
|
</head>
|
||||||
|
|
||||||
<?php
|
<?php
|
||||||
/* Disabling most of the status page for Airtime Pro
|
/* Airtime Pro
|
||||||
|
|
||||||
$phpDependencies = checkPhpDependencies();
|
$phpDependencies = checkPhpDependencies();
|
||||||
$externalServices = checkExternalServices();
|
$externalServices = checkExternalServices();
|
||||||
$zend = $phpDependencies["zend"];
|
$zend = $phpDependencies["zend"];
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,7 @@ body {
|
||||||
|
|
||||||
.logo img {
|
.logo img {
|
||||||
margin: 40px 0px 0px 60px;
|
margin: 40px 0px 0px 60px;
|
||||||
|
max-width: 180px;
|
||||||
}
|
}
|
||||||
|
|
||||||
.login-btn {
|
.login-btn {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue