Ticket #57: ticket-57 v1.diff

File ticket-57 v1.diff, 3.0 KB (added by Christian Beer, 18 years ago)

This patch encodes all umlauts and other strange characters within the team name, team description and user name into proper HTML entities. Users and teams with such strange characters in their names should edit their names after this patch has been applied to their project.

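--- a/html/inc/db.inc
+++ b/html/inc/db.inc
@@ -172,4 +172,12 @@
     return $str;
 }
 
-?>
+// Convert to entities, while preserving already-encoded entities.
+// Do NOT use if $str contains valid HTML tags.
+function boinc_htmlentities($str) {
+    $str = html_entity_decode($str, ENT_COMPAT, "UTF-8");
+    $str = htmlentities($str, ENT_COMPAT, "UTF-8");
+    return $str;
+}
+
+?>
\ No newline at end of file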
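Review bot: boinc_htmlentities() encodes with ENT_COMPAT, which leaves single quotes untouched, so the value it returns is only safe in element text or a double-quoted attribute; if any caller places a name inside a single-quoted attribute the quote passes through unescaped. Using `ENT_QUOTES` in both calls, `$str = html_entity_decode($str, ENT_QUOTES, "UTF-8");` and `$str = htmlentities($str, ENT_QUOTES, "UTF-8");`, closes that gap with no other change in behaviour. Note also that htmlentities() in PHP releases before 5.4 returns an empty string when the input is not valid UTF-8 (no ENT_SUBSTITUTE/ENT_IGNORE existed yet), so a Latin-1 form submission would silently come back as ""; the header comment should say so, e.g. `// Returns "" if $str is not valid UTF-8 (htmlentities behaviour).`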
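--- a/html/user/edit_user_info_action.php
+++ b/html/user/edit_user_info_action.php
@@ -8,7 +8,7 @@
 db_init();
 $user = get_logged_in_user();
 
-$name = process_user_text(post_str("user_name"));
+$name =  boinc_htmlentities(process_user_text(post_str("user_name")));
 if ($name != strip_tags($name)) {
     error_page("HTML tags not allowed in name");
 }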
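Review bot: The `strip_tags` check on line 12 can no longer fire, because boinc_htmlentities() has already turned every `<` into `&lt;` before it runs, so `$name != strip_tags($name)` is always false and the "HTML tags not allowed in name" error page becomes dead code. Encode after the check instead: keep `$name = process_user_text(post_str("user_name"));`, leave the `if` block as it is, and add `$name = boinc_htmlentities($name);` after its closing brace. That preserves the rejection of tag-bearing names, whereas the patched order stores them as literal `&lt;b&gt;` text. Whether the display code escapes the stored name a second time (which would render `&amp;auml;`) is not visible in this hunk and should be checked before merging.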
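--- a/html/user/team_create_action.php
+++ b/html/user/team_create_action.php
@@ -8,7 +8,7 @@
 
 $user = get_logged_in_user();
 
-$name = process_user_text(strip_tags(post_str("name")));
+$name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
 if (strlen($name) == 0) {
     error_page("Must set team name");
 }
@@ -17,13 +17,13 @@
 if (strstr($url, "http://")) {
     $url = substr($url, 7);
 }
-$type = process_user_text(strip_tags(post_str("type", true))); 
+$type = process_user_text(strip_tags(post_str("type", true)));
 if (!is_valid_team_type($type)) {
     $type = 'None';
 }
 
 $name_html = process_user_text(post_str("name_html", true));
-$description = process_user_text(post_str("description", true));
+$description = boinc_htmlentities(process_user_text(post_str("description", true)));
 $country = process_user_text(post_str("country", true));
 
 if (!is_valid_country($country)) {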
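Review bot: `$description` on line 26 is passed to boinc_htmlentities() although, unlike `$name`, it is not run through `strip_tags` first, and the new helper's own header comment says it must not be used on text containing valid HTML tags; the same applies to `$team_description` in html/user/team_edit_action.php, where the existing comment "Do we really not want to scrub out bad HTML tags?" already questions this field. Either descriptions are meant to carry markup, in which case encoding turns every tag into visible `&lt;...&gt;` text, or they are not, in which case the field should get the same treatment as the name, `$description = boinc_htmlentities(process_user_text(strip_tags(post_str("description", true))));`. Whichever is intended, `$name_html` on line 25 stays unencoded, so a one-line comment stating why it is exempt would help the next reader. Separately, the `strlen($name) == 0` check on line 12 now runs on the encoded value, so a name that htmlentities() rejects as invalid UTF-8 would surface as "Must set team name" rather than as an encoding problem; if that is acceptable it deserves a comment.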
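--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@@ -18,10 +18,10 @@
     if ($x) {
         $team_url = substr($team_url, 7);
     }
-    $team_name = process_user_text(strip_tags(post_str("name")));
+    $team_name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
     $team_name_lc = strtolower($team_name);
     $team_name_html = process_user_text(post_str("name_html", true)); //Do we really not want to
-    $team_description = process_user_text(post_str("description", true)); //scrub out bad HTML tags?
+    $team_description = boinc_htmlentities(process_user_text(post_str("description", true))); //scrub out bad HTML tags?
         $type = process_user_text(post_str("type", true));
         $country = process_user_text(post_str("country", true));
 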