Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

XSS exploit prevention

Browse source 
- Calendar - Show Contents
- Playlist tooltip in Library page
- Adding track to a show
- Widgets
- Playlist/Webstream title and description
- Smart block expansion
This commit is contained in:
denise 2013-02-05 10:56:38 -05:00
parent b45f71e8f9
commit 74bc485b4b
8 changed files with 63 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
airtime_mvc/application/models/Block.php
View file

@ -257,6 +257,10 @@ SQL;
//format original length
$formatter = new LengthFormatter($row['orig_length']);
$row['orig_length'] = $formatter->format();
// XSS exploit prevention
$row["track_title"] = htmlspecialchars($row["track_title"]);
$row["creator"] = htmlspecialchars($row["creator"]);
}
return $rows;
@ -1241,7 +1245,7 @@ SQL;
foreach ($out as $crit) {
$criteria = $crit->getDbCriteria();
$modifier = $crit->getDbModifier();
$value = $crit->getDbValue();
$value = htmlspecialchars($crit->getDbValue());
$extra = $crit->getDbExtra();
if ($criteria == "limit") {

4
airtime_mvc/application/models/Playlist.php
View file

@ -269,6 +269,10 @@ SQL;
//format original length
$formatter = new LengthFormatter($row['orig_length']);
$row['orig_length'] = $formatter->format();
// XSS exploit prevention
$row["track_title"] = htmlspecialchars($row["track_title"]);
$row["creator"] = htmlspecialchars($row["creator"]);
}
return $rows;

6
airtime_mvc/application/models/ShowBuilder.php
View file

@ -275,9 +275,9 @@ class Application_Model_ShowBuilder
$formatter = new LengthFormatter(Application_Common_DateHelper::ConvertMSToHHMMSSmm($run_time*1000));
$row['runtime'] = $formatter->format();
$row["title"] = $p_item["file_track_title"];
$row["creator"] = $p_item["file_artist_name"];
$row["album"] = $p_item["file_album_title"];
$row["title"] = htmlspecialchars($p_item["file_track_title"]);
$row["creator"] = htmlspecialchars($p_item["file_artist_name"]);
$row["album"] = htmlspecialchars($p_item["file_album_title"]);
$row["cuein"] = $p_item["cue_in"];
$row["cueout"] = $p_item["cue_out"];