Merge branch '2.3.x' into devel

2013-02-13 16:09:53 -05:00 · 2013-02-13 16:09:53 -05:00 · ec159131a8
commit ec159131a8
parent 04ed640756 30c47df93d
57 changed files with 4238 additions and 429 deletions
--- a/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
@ -39,7 +39,7 @@
        <?php if (count($watched_dirs) > 0): ?>
            <?php foreach($watched_dirs as $watched_dir): ?>
                <dd class="block-display selected-item">
-                    <?php echo ($watched_dir->getExistsFlag())?"":"<span class='ui-icon-alert'><img src='/css/images/warning-icon.png'></span>"?><span id="folderPath" style="display:block; width:350px"><?php echo $watched_dir->getDirectory();?></span></span>
+                    <?php echo ($watched_dir->getExistsFlag())?"":"<span class='ui-icon-alert'><img src='/css/images/warning-icon.png'></span>"?><span id="folderPath" style="display:block; width:350px"><?php echo htmlspecialchars($watched_dir->getDirectory());?></span></span>
                    <span title="<?php echo _("Rescan watched directory (This is useful if it is network mount and may be out of sync with Airtime)")?>" class="ui-icon ui-icon-refresh"></span>
                    <span title="<?php echo _("Remove watched directory")?>" class="ui-icon ui-icon-close"></span>
                    
--- a/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
+++ b/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
@ -1,3 +1,9 @@
+<?php 
+//XSS exploit prevention
+foreach ($this->md as $key => &$value) {
+    $value = $this->escape($value);
+}
+?>
 <?php if($this->type == "audioclip") : ?>
 <table class='library-track-md'>
 <tr><td><? echo _("Title:"); ?></td><td><?php echo ($this->md["MDATA_KEY_TITLE"]);?></td></tr>
@ -41,9 +47,18 @@
 <span class='static'>o</span> <span><? echo _("Static Smart Block"); ?></span><br />
 <span>o</span> <span><? echo _("Audio Track"); ?></span>
 </div>
+
 <?php } ?>

    <?php if ($this->type == "playlist" || ($this->type == "block" && $this->blType == "Static")) {?>
+        <?php
+        //XSS exploit prevention
+        /*foreach ($this->contents as &$item) {
+            foreach ($item as $key => &$value) {
+                $value = $this->escape($value);
+            }
+        }*/
+        ?>
        <?php if ($this->type == "playlist") { ?>
            <div class='file-md-qtip-left'><span><? echo _("Playlist Contents: "); ?></span></div>
        <?php } else { ?>
@ -88,9 +103,13 @@
    <?php } elseif ($this->blType == "Dynamic") { ?>
        <div class='file-md-qtip-left'><span><? echo _("Dynamic Smart Block Criteria: "); ?></span></div>
        <table class='library-get-file-md table-small'>
-        <?php foreach ($this->contents["crit"] as $criterias) : ?>
-            <?php foreach ($criterias as $crit ) : ?>
+        <?php foreach ($this->contents["crit"] as &$criterias) : ?>
+            <?php foreach ($criterias as &$crit ) : ?>
                <?php
+                // XSS exploit prevention
+                //$crit["value"] = htmlspecialchars($crit["value"]);
+                //$crit["extra"] = htmlspecialchars($crit["extra"]);
+
                $valMaxStrLen = 25;
                if (strlen($crit["value"]) > $valMaxStrLen) {
                    $crit["value"] = substr($crit["value"], 0, 24)."...";
--- a/airtime_mvc/application/views/scripts/playlist/smart-block.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/smart-block.phtml
@ -42,7 +42,7 @@ if (isset($this->obj)) {
            <a id="playlist_name_display" contenteditable="true">
            <?php
                if (isset($this->unsavedName)) echo $this->unsavedName;
-                else echo $this->obj->getName();
+                else echo $this->escape($this->obj->getName());
            ?>
            </a>
        </h3>
--- a/airtime_mvc/application/views/scripts/schedule/show-content-dialog.phtml
+++ b/airtime_mvc/application/views/scripts/schedule/show-content-dialog.phtml
@ -13,9 +13,9 @@
 <?php foreach($this->showContent as $row): ?>
    <tr id="au_<?php echo $row["item_id"] ?>" class="<?php if($i&1){echo "even";}else{echo "odd";}?>">
        <td><?php echo $row["starts"] ?></td>
-        <td><?php echo $row["track_title"] ?></td>
-        <td><?php echo $row["creator"] ?></td>
-        <td><?php echo $row["album"] ?></td>
+        <td><?php echo $this->escape($row["track_title"]) ?></td>
+        <td><?php echo $this->escape($row["creator"]) ?></td>
+        <td><?php echo $this->escape($row["album"]) ?></td>
        <td class="library_length"><?php echo $row["length"] ?></td>
        <td><?php echo $row["genre"] ?></td>
    </tr>
--- a/airtime_mvc/application/views/scripts/webstream/webstream.phtml
+++ b/airtime_mvc/application/views/scripts/webstream/webstream.phtml
@ -29,7 +29,7 @@
    <div class="playlist_title">
        <div id="name-error" class="errors" style="display:none;"></div>
        <h3 id="ws_name">
-            <a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
+            <a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
        </h3>
        <h4 id="ws_length"><?php echo $this->obj->getDefaultLength(); ?></h4>
    </div>