CC-4894: Need to filter output for potential XSS exploits

-fixed few areas
2013-01-29 15:17:29 -05:00 · 2013-01-29 15:17:29 -05:00 · b15c4569eb
commit b15c4569eb
parent 9d4e0d2dd1
9 changed files with 20 additions and 9 deletions
--- a/airtime_mvc/application/views/scripts/form/edit-user.phtml
+++ b/airtime_mvc/application/views/scripts/form/edit-user.phtml
@ -1,4 +1,4 @@
-<h2><? echo sprintf(_("%s's Settings"), $this->currentUser) ?></h2>
+<h2><? echo sprintf(_("%s's Settings"), $this->escape($this->currentUser)) ?></h2>
 <div id="current-user-container">
 <form id="current-user-form" class="edit-user-global" method="post" enctype="application/x-www-form-urlencoded">
    <dl class="zend_form">
@ -160,4 +160,4 @@
        <button type="submit" id="cu_save_user" class="btn btn-small right-floated"><?php echo _("Save")?></button>
    </dl>
 </form>
-</div>
+</div>
--- a/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
@ -11,7 +11,7 @@
            <?php if($this->element->getElement('storageFolder')->hasErrors()) : ?>
                <ul class='errors'>
                    <?php foreach($this->element->getElement('storageFolder')->getMessages() as $error): ?>
-                        <li><?php echo $error; ?></li>
+                        <li><?php echo $this->escape($error); ?></li>
                    <?php endforeach; ?>
                </ul>
            <?php endif; ?>
@ -29,7 +29,7 @@
            <?php if($this->element->getElement('watchedFolder')->hasErrors()) : ?>
                <ul class='errors'>
                    <?php foreach($this->element->getElement('watchedFolder')->getMessages() as $error): ?>
-                        <li><?php echo $error; ?></li>
+                        <li><?php echo $this->escape($error); ?></li>
                    <?php endforeach; ?>
                </ul>
            <?php endif; ?>
--- a/airtime_mvc/application/views/scripts/playlist/playlist.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/playlist.phtml
@ -39,7 +39,7 @@ if (isset($this->obj)) {
    <input id='obj_type' type='hidden' value='playlist'></input>
    <div class="playlist_title">
        <h3 id="obj_name">
-            <a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
+            <a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
        </h3>
        <h4 id="obj_length"><?php echo $this->length; ?></h4>
    </div>