check input

This commit is contained in:
Roland Gruber 2018-03-12 19:48:56 +01:00
parent 0f09b6c6d9
commit 16fc7f7e86
10 changed files with 19 additions and 19 deletions


@ -100,7 +100,7 @@ if (get_request('meth','REQUEST') != 'ajax') {
echo '<input type="hidden" name="cmd" value="update" />'; echo '<input type="hidden" name="cmd" value="update" />';
printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex()); printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
printf('<input type="hidden" name="dn" value="%s" />',$request['dn']); printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
echo '<input type="hidden" name="binary" value="true" />'; echo '<input type="hidden" name="binary" value="true" />';
echo '<select name="single_item_attr">'; echo '<select name="single_item_attr">';
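Review bot: The new `htmlspecialchars($request['dn'])` on the hidden dn field passes no flags or charset, and with the defaults htmlspecialchars returns an empty string when the input contains a byte sequence that is not valid UTF-8, so a DN with such bytes would silently submit as an empty dn instead of the original value. `htmlspecialchars($request['dn'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the value (replacing the bad bytes) and also escapes single quotes, which matters if any of these values ever lands in a single-quoted attribute. Every other file in this commit adds the same bare call, so the flags could be chosen once and applied consistently across them. The enclosing `if (get_request('meth','REQUEST') != 'ajax')` block starts before the hunk.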


@ -57,7 +57,7 @@ foreach ($ldap['attrs']['need'] as $index => $values)
$ldap['attrs']['need'][$index]->show(); $ldap['attrs']['need'][$index]->show();
if (count($ldap['attrs']['need']) > 0) { if (count($ldap['attrs']['need']) > 0) {
$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),get_rdn($request['dn']))); $request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle(); $request['page']->drawSubTitle();
echo '<div style="text-align: center">'; echo '<div style="text-align: center">';


@ -25,12 +25,12 @@ $request['page']->setDN($request['dn']);
$request['page']->accept(); $request['page']->accept();
# Render the form # Render the form
$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),get_rdn($request['dn']))); $request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle(); $request['page']->drawSubTitle();
printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR); printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
echo '<div style="text-align: center;">'; echo '<div style="text-align: center;">';
printf('%s <b>%s</b> %s<br />',_('Compare'),get_rdn($request['dn']),_('with ')); printf('%s <b>%s</b> %s<br />',_('Compare'),htmlspecialchars(get_rdn($request['dn'])),_('with '));
echo '</div>'; echo '</div>';
echo '<form action="cmd.php" method="post" id="compare_form">'; echo '<form action="cmd.php" method="post" id="compare_form">';


@ -24,12 +24,12 @@ $request['page']->setDN($request['dn']);
$request['page']->accept(); $request['page']->accept();
# Render the form # Render the form
$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),get_rdn($request['dn']))); $request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle(); $request['page']->drawSubTitle();
printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR); printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
echo '<div style="text-align: center;">'; echo '<div style="text-align: center;">';
printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn'])); printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
echo '</div>'; echo '</div>';
echo '<form action="cmd.php" method="post" id="copy_form">'; echo '<form action="cmd.php" method="post" id="copy_form">';


@ -29,12 +29,12 @@ if ($result) {
system_message(array( system_message(array(
'title'=>_('Delete DN'), 'title'=>_('Delete DN'),
'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',$request['dn']), 'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',htmlspecialchars($request['dn'])),
'type'=>'info'), 'type'=>'info'),
sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url)); sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url));
} else } else
system_message(array( system_message(array(
'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])), 'title'=>_('Could not delete the entry.').sprintf(' (%s)',htmlspecialchars(pretty_print_dn($request['dn']))),
'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)), 'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
'type'=>'error')); 'type'=>'error'));
?> ?>


@ -24,15 +24,15 @@ $request['template'] = $request['page']->getTemplate();
if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
system_message(array( system_message(array(
'title'=>_('Entry does not exist'), 'title'=>_('Entry does not exist'),
'body'=>sprintf(_('The entry (%s) does not exist.'),$request['dn']), 'body'=>sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),
'type'=>'error'),'index.php'); 'type'=>'error'),'index.php');
# We search all children, not only the visible children in the tree # We search all children, not only the visible children in the tree
$request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER); $request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER);
printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn']))); printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(htmlspecialchars(get_rdn($request['dn']))));
printf('<h3 class="subtitle">%s: <b>%s</b></h3>', printf('<h3 class="subtitle">%s: <b>%s</b></h3>',
_('DN'),$request['dn']); _('DN'),htmlspecialchars($request['dn']));
echo "\n"; echo "\n";
echo '<center>'; echo '<center>';
@ -109,7 +109,7 @@ if (count($request['children'])) {
printf('<tr><td style="width: 10%%;">%s:</td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',_('Server'),$app['server']->getName()); printf('<tr><td style="width: 10%%;">%s:</td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',_('Server'),$app['server']->getName());
printf('<tr><td style="width: 10%%;"><acronym title="%s">%s</acronym></td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>', printf('<tr><td style="width: 10%%;"><acronym title="%s">%s</acronym></td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',
_('DN'),_('DN'),$request['dn']); _('DN'),_('DN'),htmlspecialchars($request['dn']));
echo '<tr><td colspan="4">&nbsp;</td></tr>'; echo '<tr><td colspan="4">&nbsp;</td></tr>';
echo "\n"; echo "\n";
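Review bot: The title line in the first hunk of this section now double-encodes: the original already had `htmlspecialchars(get_rdn($request['dn']))`, and the new line wraps that in a second htmlspecialchars, so an RDN containing `&`, `<` or `"` renders as `&amp;amp;`, `&amp;lt;` and so on in the heading. A single call is enough: `printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));`. The other escapes added in this section (the subtitle DN and the table row in the second hunk) are applied once and look correct.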


@ -54,7 +54,7 @@ foreach ($app['server']->getBaseDN() as $base) {
usort($possible_values,'pla_compare_dns'); usort($possible_values,'pla_compare_dns');
$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),get_rdn($request['dn']))); $request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle(); $request['page']->drawSubTitle();
printf(_('There are <b>%s</b> members in group <b>%s</b>:'), printf(_('There are <b>%s</b> members in group <b>%s</b>:'),


@ -44,7 +44,7 @@ foreach ($request['parent'] as $dn) {
} else { } else {
system_message(array( system_message(array(
'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])), 'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn(htmlspecialchars($request['dn']))),
'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)), 'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
'type'=>'error')); 'type'=>'error'));
} }
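Review bot: The escape here is applied to the input of `pretty_print_dn`, while the equivalent "Could not delete the entry." line in the other delete handler of this same commit escapes its output, `htmlspecialchars(pretty_print_dn($request['dn']))`; the two orders are not interchangeable. If pretty_print_dn only reformats text, escaping the result is the safe form and this line should match the other one; if it emits markup, the other handler is now breaking that markup, so one of the two lines is wrong either way. Worth checking the helper once and aligning both call sites on the same order. The enclosing `foreach ($request['parent'] as $dn)` loop starts before the hunk.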


@ -21,17 +21,17 @@ $request['page']->setDN($request['dn']);
$request['page']->accept(); $request['page']->accept();
# Render the form # Render the form
$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),get_rdn($request['dn']))); $request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle(); $request['page']->drawSubTitle();
echo '<center>'; echo '<center>';
printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn'])); printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
echo '<form action="cmd.php?cmd=rename" method="post" />'; echo '<form action="cmd.php?cmd=rename" method="post" />';
printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex()); printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
printf('<input type="hidden" name="dn" value="%s" />',rawurlencode($request['dn'])); printf('<input type="hidden" name="dn" value="%s" />',rawurlencode($request['dn']));
printf('<input type="hidden" name="template" value="%s" />',$request['template']); printf('<input type="hidden" name="template" value="%s" />',htmlspecialchars($request['template']));
printf('<input type="text" name="new_rdn" size="30" value="%s" />',get_rdn($request['dn'])); printf('<input type="text" name="new_rdn" size="30" value="%s" />',htmlspecialchars(get_rdn($request['dn'])));
printf('<input type="submit" value="%s" />',_('Rename')); printf('<input type="submit" value="%s" />',_('Rename'));
echo '</form>'; echo '</form>';


@ -18,7 +18,7 @@ $request['dn'] = get_request('dn','GET');
$request['attr'] = strtolower(get_request('attr','GET',false,'jpegphoto')); $request['attr'] = strtolower(get_request('attr','GET',false,'jpegphoto'));
$request['index'] = get_request('index','GET',false,0); $request['index'] = get_request('index','GET',false,0);
$request['type'] = get_request('type','GET',false,'image/jpeg'); $request['type'] = get_request('type','GET',false,'image/jpeg');
$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',get_rdn($request['dn'],true))); $request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',htmlspecialchars(get_rdn($request['dn'],true))));
$request['location'] = get_request('location','GET',false,'ldap'); $request['location'] = get_request('location','GET',false,'ldap');
switch ($request['location']) { switch ($request['location']) {
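Review bot: HTML-escaping the default value of `$request['filename']` looks like the wrong context: given the `.jpg` default and the `location` switch that follows, this value presumably ends up as a file name or download header rather than in HTML, so an RDN containing `&` would yield `&amp;.jpg`, and a caller-supplied `filename` GET parameter bypasses the escape entirely since only the fallback is wrapped. Escaping belongs at the point of use, in whatever form that context needs (a header-safe encoding for a download name, htmlspecialchars only if it is echoed into a page), with the stored value left raw: `sprintf('%s.jpg',get_rdn($request['dn'],true))`. The `switch ($request['location'])` body continues outside the hunk, so I cannot see where the value is consumed; please confirm against it.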