diff --git a/lam/templates/help.php b/lam/templates/help.php
index 97e62938..88c18376 100644
--- a/lam/templates/help.php
+++ b/lam/templates/help.php
@@ -97,8 +97,7 @@ function displayHelp($helpEntry,$helpVariables) {
}
/* If no help number was submitted print error message */
-if(!isset($_GET['HelpNumber']))
-{
+if (!isset($_GET['HelpNumber'])) {
$errorMessage = "Sorry no help number submitted.";
echoHTMLHead();
statusMessage("ERROR","",$errorMessage);
@@ -111,16 +110,16 @@ $helpEntry = array();
// module help
if(isset($_GET['module']) && !($_GET['module'] == 'main') && !($_GET['module'] == '')) {
include_once("../lib/modules.inc");
- if(isset($_GET['scope'])) {
+ if (isset($_GET['scope'])) {
$helpEntry = getHelp($_GET['module'],$_GET['HelpNumber'],$_GET['scope']);
}
else {
$helpEntry = getHelp($_GET['module'],$_GET['HelpNumber']);
}
- if(!$helpEntry) {
+ if (!$helpEntry) {
$variables = array();
- array_push($variables,$_GET['HelpNumber']);
- array_push($variables,$_GET['module']);
+ array_push($variables, htmlspecialchars($_GET['HelpNumber']));
+ array_push($variables, htmlspecialchars($_GET['module']));
$errorMessage = _("Sorry this help id ({bold}%s{endbold}) is not available for this module ({bold}%s{endbold}).");
echoHTMLHead();
statusMessage("ERROR","",$errorMessage,$variables);
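Review bot: The two new `htmlspecialchars()` calls in the `array_push` lines use the default flags, which in PHP releases before 8.1 leave single quotes unencoded, so if statusMessage() ever places these values inside a single-quoted attribute the escaping is incomplete; prefer `htmlspecialchars($_GET['HelpNumber'], ENT_QUOTES)` and the same for `$_GET['module']`. The same default-flag call is used in the other hunks of this file and in initsuff.php, massBuildAccounts.php, massDoUpload.php and masscreate.php. Separately, the unescaped `$_GET['module']` still reaches getHelp() in both branches above the error path; escaping only the error-message copy does not constrain what getHelp() does with the name, so unless getHelp() validates it itself, checking the name against the module list before the call would be the stronger fix.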
@@ -131,11 +130,10 @@ if(isset($_GET['module']) && !($_GET['module'] == 'main') && !($_GET['module'] =
// help entry in help.inc
else {
/* If submitted help number is not in help/help.inc print error message */
- if(!array_key_exists($_GET['HelpNumber'],$helpArray))
- {
+ if (!array_key_exists($_GET['HelpNumber'],$helpArray)) {
$variables = array();
- array_push($variables,$_GET['HelpNumber']);
- $errorMessage = _("Sorry this help number ({bold}%d{endbold}) is not available.");
+ array_push($variables, htmlspecialchars($_GET['HelpNumber']));
+ $errorMessage = _("Sorry this help number ({bold}%s{endbold}) is not available.");
echoHTMLHead();
statusMessage("ERROR","",$errorMessage,$variables);
echoHTMLFoot();
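Review bot: `$_GET['HelpNumber']` is not guaranteed to be a string — a request carrying `HelpNumber[]=1` delivers an array, and both the `array_key_exists()` in the new `if` and the `htmlspecialchars()` two lines below then fail with a warning or TypeError (version dependent) instead of reaching this error page. A scalar check before the lookup covers both: `if (!is_string($_GET['HelpNumber']) || !array_key_exists($_GET['HelpNumber'], $helpArray)) {`. The same applies to the `htmlspecialchars()` calls on `$_GET['HelpNumber']`, `$_GET['module']` and `$_GET['var' . $i]` in the previous and following hunks. The switch from `%d` to `%s` in the message matches the escaping but drops the integer coercion `%d` used to give, which makes the scalar check more relevant than before.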
@@ -150,8 +148,8 @@ $i = 1;
$moreVariables = true;
$helpVariables = array();
while($moreVariables) {
- if(isset($_GET['var' . $i])) {
- array_push($helpVariables,$_GET['var' . $i]);
+ if (isset($_GET['var' . $i])) {
+ array_push($helpVariables, htmlspecialchars($_GET['var' . $i]));
$i++;
}
else {
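Review bot: `$helpVariables` now holds HTML-escaped strings rather than the raw request values, but nothing records that, and displayHelp(), defined above this hunk and not visible here, is where they are rendered: if it escapes its arguments itself the output is double-encoded (`&amp;amp;`), and if it does not, any future caller passing raw values is unprotected. A comment at the `array_push` would make the contract explicit, e.g. `// values are HTML-escaped here; displayHelp() must not escape them again`. The same question applies to the `$error[$i]` / `$fail[$i]` arguments now escaped before StatusMessage() in initsuff.php. The enclosing `while` loop continues past the end of this hunk.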
diff --git a/lam/templates/initsuff.php b/lam/templates/initsuff.php
index 6efe8e52..a043b2dd 100644
--- a/lam/templates/initsuff.php
+++ b/lam/templates/initsuff.php
@@ -148,7 +148,7 @@ if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
if (sizeof($fail) > 0) {
// print error messages
for ($i = 0; $i < sizeof($fail); $i++) {
- StatusMessage("ERROR", _("Failed to create entry!") . "
" . $error[$i], $fail[$i]);
+ StatusMessage("ERROR", _("Failed to create entry!") . "
" . htmlspecialchars($error[$i]), htmlspecialchars($fail[$i]));
}
include 'main_footer.php';
}
diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php
index 13068133..68a4e5c7 100644
--- a/lam/templates/massBuildAccounts.php
+++ b/lam/templates/massBuildAccounts.php
@@ -87,7 +87,8 @@ if (isset($_GET['showldif'])) {
}
include 'main_header.php';
-echo '
';
+$scope = htmlspecialchars($_POST['scope']);
+echo '
';
$selectedModules = explode(',', $_POST['selectedModules']);
if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
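Review bot: `$scope = htmlspecialchars($_POST['scope'])` is then used as a lookup key (getUploadColumns(), buildUploadAccounts(), getRDNAttributes(), get_Suffix() in the later hunks) and written to `$_SESSION['mass_scope']`, so the HTML escaping is acting as input validation, which it is not: a value containing `&`, `<` or `"` is silently rewritten into a different string rather than rejected, and a missing `scope` field still raises an undefined-index notice. Validate the type name against the configured account types before any use, e.g. `if (!isset($_POST['scope']) || !in_array($_POST['scope'], $allowedTypes /* review placeholder: configured account types */, true)) { /* reject request */ }`, and apply `htmlspecialchars()` only where the value is echoed into the page directly below. The same escape-as-validation pattern appears in massDoUpload.php (`$scope = htmlspecialchars($_SESSION['mass_scope'])`) and masscreate.php (`$scope = htmlspecialchars($_POST['type'])`); the masscreate.php hunk already has a `$types` array in scope that looks like the list to check against, though its contents are not visible here.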
@@ -95,7 +96,7 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
$data = array(); // input values without first row
$ids = array(); // =>
// get input fields from modules
- $columns = getUploadColumns($_POST['scope'], $selectedModules);
+ $columns = getUploadColumns($scope, $selectedModules);
// read input file
$handle = fopen ($_FILES['inputfile']['tmp_name'], "r");
if (($head = fgetcsv($handle, 2000)) !== false ) { // head row
@@ -158,15 +159,15 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
// if input data is invalid just display error messages (max 50)
if (sizeof($errors) > 0) {
for ($i = 0; $i < sizeof($errors); $i++) StatusMessage("ERROR", $errors[$i][0], $errors[$i][1]);
- massPrintBackButton($_POST['scope'], $selectedModules);
+ massPrintBackButton($scope, $selectedModules);
}
// let modules build accounts
else {
- $accounts = buildUploadAccounts($_POST['scope'], $data, $ids, $selectedModules);
+ $accounts = buildUploadAccounts($scope, $data, $ids, $selectedModules);
if ($accounts != false) {
- $rdnList = getRDNAttributes($_POST['scope'], $selectedModules);
- $suffix = $_SESSION['config']->get_Suffix($_POST['scope']);
+ $rdnList = getRDNAttributes($scope, $selectedModules);
+ $suffix = $_SESSION['config']->get_Suffix($scope);
// set DN
for ($i = 0; $i < sizeof($accounts); $i++) {
// check against list of possible RDN attributes
@@ -193,7 +194,7 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
$_SESSION['mass_postActions'] = array();
$_SESSION['mass_data'] = $_SESSION['ldap']->encrypt(serialize($data));
$_SESSION['mass_ids'] = $ids;
- $_SESSION['mass_scope'] = $_POST['scope'];
+ $_SESSION['mass_scope'] = $scope;
$_SESSION['mass_selectedModules'] = $selectedModules;
if (isset($_SESSION['mass_pdf'])) {
unset($_SESSION['mass_pdf']);
@@ -225,13 +226,13 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
}
}
else {
- massPrintBackButton($_POST['scope'], $selectedModules);
+ massPrintBackButton($scope, $selectedModules);
}
}
}
else {
StatusMessage('ERROR', _('Please provide a file to upload.'));
- massPrintBackButton($_POST['scope'], $selectedModules);
+ massPrintBackButton($scope, $selectedModules);
}
echo '
';
diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php
index 04bc6c28..93793ae8 100644
--- a/lam/templates/massDoUpload.php
+++ b/lam/templates/massDoUpload.php
@@ -58,7 +58,8 @@ if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
setlanguage();
include 'main_header.php';
-echo '
';
+$scope = htmlspecialchars($_SESSION['mass_scope']);
+echo '
';
// create accounts
$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts']));
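Review bot: `$scope = htmlspecialchars($_SESSION['mass_scope'])` escapes a value that massBuildAccounts.php already stores escaped (`$_SESSION['mass_scope'] = $scope` there, with `$scope` being the htmlspecialchars() result), so a scope containing `&` becomes `&amp;amp;` in the heading printed in the next hunk, and the doubly-encoded string is also what doUploadPostActions() and getModuleAlias() receive as the type name — assuming nothing else writes `mass_scope`. Keep the session value raw and escape at output: `$scope = $_SESSION['mass_scope'];` here, with `htmlspecialchars($scope)` only inside the `echo` statements that print it. A comment on the assignment stating that `mass_scope` is expected to hold the validated, unescaped type name would keep the two files from drifting again.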
@@ -120,12 +121,12 @@ if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_po
// do post upload actions after all accounts are created
if ($_SESSION['mass_counter'] >= sizeof($accounts)) {
$data = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_data']));
- $return = doUploadPostActions($_SESSION['mass_scope'], $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts);
+ $return = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts);
if ($return['status'] == 'finished') {
$_SESSION['mass_postActions']['finished'] = true;
}
for ($i = 0; $i < sizeof($return['errors']); $i++) $_SESSION['mass_errors'][] = $return['errors'][$i];
- echo "
" . _("Additional tasks for module:") . ' ' . getModuleAlias($return['module'], $_SESSION['mass_scope']) . "
\n";
+ echo "
" . _("Additional tasks for module:") . ' ' . getModuleAlias($return['module'], $scope) . "
\n";
?>
\n";
}
}
diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php
index 754da198..4623eaf3 100644
--- a/lam/templates/masscreate.php
+++ b/lam/templates/masscreate.php
@@ -84,7 +84,7 @@ $types = array_values($types);
// check if account specific page should be shown
if (isset($_POST['type'])) {
// get selected type
- $scope = $_POST['type'];
+ $scope = htmlspecialchars($_POST['type']);
// get selected modules
$selectedModules = array();
$checkedBoxes = array_keys($_POST, 'on');