diff --git a/ihtml/themes/breezy/framework.tpl b/ihtml/themes/breezy/framework.tpl
index 88bde8e1bdfc3eb6fd16e7b1ac3d16045f80a398..9b039f79826cee49caa09a19c1f72831e4d0287e 100644
--- a/ihtml/themes/breezy/framework.tpl
+++ b/ihtml/themes/breezy/framework.tpl
@@ -15,7 +15,7 @@
 <img src="geticon.php?context=actions&icon=application-exit&size=22" alt=""/> {t}Sign out{/t}
 </a>
 <a class="plugtop">
- <img src="{$headline_image|escape}" alt=""/>{t}{$headline|escape}{/t}
+ <img src="{$headline_image|escape}" alt=""/>{$headline|escape}
 </a>
 </div>
 <div id="header-right">
diff --git a/ihtml/themes/breezy/login.tpl b/ihtml/themes/breezy/login.tpl
index 4fc417281fa421dc3b0da53972397385fbd9f9b3..ecbcb401b39f3672f850b6ee60a8999558763596 100644
--- a/ihtml/themes/breezy/login.tpl
+++ b/ihtml/themes/breezy/login.tpl
@@ -61,7 +61,7 @@
 <div id="window-footer" class="plugbottom">
 <div>
 <!-- Display error message on demand -->
- {$message}
+ {$message|escape}
 </div>
 <div>
 <input type="submit" name="login" value="{t}Sign in{/t}" title="{t}Click here to log in{/t}"/>
diff --git a/ihtml/themes/breezy/management/filter-element-date.tpl b/ihtml/themes/breezy/management/filter-element-date.tpl
index 74d7bf65bdfe6e13e00fa83d8e7142f886435bee..4a153f1c7803cb4b33eccdf116a44d21d7578f5e 100644
--- a/ihtml/themes/breezy/management/filter-element-date.tpl
+++ b/ihtml/themes/breezy/management/filter-element-date.tpl
@@ -1,4 +1,4 @@
-<fieldset><legend>{$NAME}</legend>
+<fieldset><legend>{$NAME|escape}</legend>
 <label for="nt_{$attribute}" title="{t 1=$NAME}Minimum date for %1{/t}">
 {t}Newer than{/t}
 <input type="date" id="nt_{$attribute}" name="nt_{$attribute}" value="{$nt_value}"/>
diff --git a/ihtml/themes/breezy/management/filter-element-fixed.tpl b/ihtml/themes/breezy/management/filter-element-fixed.tpl
index 9123f636764e51aae1192933d31bca7d4680cef5..134d2285c4d91aa86dd3afdddd5050cd8af2df94 100644
--- a/ihtml/themes/breezy/management/filter-element-fixed.tpl
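Review bot: `{$message|escape}` turns the login error into HTML-escaped text, which is the safer default for a variable whose content the template does not control, but it also means any producer that deliberately embeds markup (a `<br/>` between two sentences, say) will now show the tags literally; confirm the controller assigning `message` passes plain text. ihtml/themes/legacy/login.tpl receives the identical change and needs the same check. A Smarty comment beside the line would fix the contract for later edits: `{* $message is plain text; it is escaped here, not by the caller *}`.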
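Review bot: `$NAME` is escaped in the `<legend>` but the very next line feeds the same value into a `title` attribute via `{t 1=$NAME}`, and `value="{$nt_value}"` on the last line of the hunk is printed with no escaping at all; whether the `{t}` block escapes its numbered parameters depends on the gettext block implementation in use, and `$nt_value` looks like a filter value echoed back into the form, so both attributes deserve the treatment the legend just got. Suggest `value="{$nt_value|escape}"` and, unless the block is known to escape parameters by default, `{t 1=$NAME|escape}`. The `|escape` modifier defaults to HTML escaping, which is the right context for both attributes.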
+++ b/ihtml/themes/breezy/management/filter-element-fixed.tpl
@@ -1,4 +1,4 @@
-<fieldset><legend>{$NAME}</legend>
+<fieldset><legend>{$NAME|escape}</legend>
 {foreach from=$INPUTS key="key" item="input"}
 <label title="{$input.desc|escape}">
 {if isset($input.icon)}
diff --git a/ihtml/themes/breezy/management/filter-element.tpl b/ihtml/themes/breezy/management/filter-element.tpl
index 152e0c9fc4772781a42412718c29042f775847b5..c0aa75438644767a2b196f8f77a4842c1a129c53 100644
--- a/ihtml/themes/breezy/management/filter-element.tpl
+++ b/ihtml/themes/breezy/management/filter-element.tpl
@@ -1,4 +1,4 @@
-<fieldset><legend>{$NAME}</legend>
+<fieldset><legend>{$NAME|escape}</legend>
 {foreach from=$INPUTS key="key" item="input"}
 <label for="{$key}" title="{$input.desc|escape}">
 <input type="checkbox" id="{$key}" name="{$key}" value="1"
diff --git a/ihtml/themes/breezy/management/management.tpl b/ihtml/themes/breezy/management/management.tpl
index 71c3ddf3088964667fef10fba7d4c7f94d0c5975..16d68f8bd947df9bb375c4bd49c3536fdbae8906 100644
--- a/ihtml/themes/breezy/management/management.tpl
+++ b/ihtml/themes/breezy/management/management.tpl
@@ -3,7 +3,7 @@
 <tr>
 <td class="list">
 <div class="contentboxh">
- <p class="contentboxh"> {$HEADLINE} {$SIZELIMIT}</p>
+ <p class="contentboxh"> {$HEADLINE|escape} {$SIZELIMIT}</p>
 </div>
 <div class="contentboxb">
@@ -14,9 +14,9 @@
 <td class="{$action.class}">
 {if $action.enabled}
 <input type="image" src="{$action.icon|escape}"
- name="{$action.id}" title="{$action.desc}" alt="{$action.name}"/>
+ name="{$action.id}" title="{$action.desc|escape}" alt="{$action.name|escape}"/>
 {else}
- <img src="{$action.icon|escape}&disabled=1" alt="{$action.name}"/>
+ <img src="{$action.icon|escape}&disabled=1" alt="{$action.name|escape}"/>
 {/if}
 </td>
 {/foreach}
diff --git a/ihtml/themes/breezy/msg_dialog.tpl b/ihtml/themes/breezy/msg_dialog.tpl
index 4dbf6a6b5e41cdeed89d6394f9533aa8295d81ae..9f2d7d6147a2fe816671af166ace3715bb5b2b80 100644
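Review bot: `{$SIZELIMIT}` is left raw right beside the newly escaped `{$HEADLINE|escape}`, and nothing in the template says why; since this commit has `ldapSizeLimit::renderWarning()` escape its own text and return a markup fragment, a comment should record that the variable is pre-rendered HTML so a later escaping sweep does not double-encode it: `{* $SIZELIMIT is trusted HTML from ldapSizeLimit::renderWarning(); do not escape *}`. The same situation arises with `{$aclEdition}` in plugins/admin/aclrole/acleditiondialog.tpl, where `$headline` gains `|escape` and the neighbouring variable does not. In the second hunk `class="{$action.class}"` and `name="{$action.id}"` also stay unescaped; if action ids and classes come only from the management definition the exposure is small, but adding `|escape` there would make the per-attribute policy uniform.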
--- a/ihtml/themes/breezy/msg_dialog.tpl
+++ b/ihtml/themes/breezy/msg_dialog.tpl
@@ -23,7 +23,7 @@
 {elseif $dialog.type == $smarty.const.INFO_DIALOG || $dialog.type == $smarty.const.CONFIRM_DIALOG}
 <img src="geticon.php?context=status&icon=dialog-information&size=32" class="center" alt="{t}Information{/t}"/>
 {/if}
- {$dialog.title}
+ {$dialog.title|escape}
 </p>
 </div>
diff --git a/ihtml/themes/breezy/sizelimit.tpl b/ihtml/themes/breezy/sizelimit.tpl
index 7f61e5f1c8fb8f3f3020f264699123f624808dec..273dc5364ca32bc95bc3e4df4553b8c2f7fd4056 100644
--- a/ihtml/themes/breezy/sizelimit.tpl
+++ b/ihtml/themes/breezy/sizelimit.tpl
@@ -1,9 +1,9 @@
-<h1>{$warning}</h1>
+<h1>{$warning|escape}</h1>
 <p>
 {t}The size limit option makes LDAP operations faster and saves the LDAP server from getting too much load. The easiest way to handle big databases without long timeouts would be to limit your search to smaller values and use filters to get the entries you are looking for.{/t}
 </p>
 <p>
- <b>{t}Please choose the way to react for this session{/t}:</b>
+ <b>{t}Please choose the way to react for this session:{/t}</b>
 </p>
 <input type="radio" name="action" value="ignore" id="ignore"/>
@@ -11,7 +11,7 @@
 <input type="radio" name="action" value="limited" checked="checked" id="limited"/>
 <label for="limited">{t}ignore this error and show all entries that fit into the defined sizelimit and let me use filters instead{/t}</label><br/>
 <input type="radio" name="action" value="newlimit" id="newlimit"/>
- {$limit_message}
+ {$limit_message|escape}
 <p class="plugbottom">
 <input type=submit name="set_size_action" value="{t}Set{/t}"/>
diff --git a/ihtml/themes/legacy/login.tpl b/ihtml/themes/legacy/login.tpl
index ffea8967067db8a6f9aefb4bf8967480b34cd592..b3de6c82e356e11fdb77f4e58990e4508a28a1c3 100644
--- a/ihtml/themes/legacy/login.tpl
+++ b/ihtml/themes/legacy/login.tpl
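Review bot: escaping `{$dialog.title|escape}` at render time matches the `(plain string)` contract this commit adds to the `msg_dialog` constructor docblock, but the template itself carries no hint of which dialog fields are text and which are markup, so the next editor has to find the PHP docblock to learn why the title is escaped and the body is not. A one-line Smarty comment near the top of the dialog block, `{* dialog.title is plain text (escaped here); the dialog message is HTML built by the caller *}`, keeps both halves of the contract together. The `{if}` chain shown here starts above the hunk.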
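Review bot: `{$limit_message|escape}` sits between the `newlimit` radio button and the submit button, which suggests the string may be assembled server-side with inline markup (for instance the field in which the new limit is typed); if that is the case, escaping here renders the markup as literal text and the `newlimit` option loses its input. Confirm that the PHP producer of `limit_message` was switched to plain text in this commit, or move the markup into the template and escape only the translated text around it. The `<h1>{$warning|escape}</h1>` change and the colon moved inside `{t}` are fine on their own.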
@@ -61,7 +61,7 @@
 <div id="window-footer" class="plugbottom">
 <div>
 <!-- Display error message on demand -->
- {$message}
+ {$message|escape}
 </div>
 <div>
 <input type="submit" name="login" value="{t}Sign in{/t}" title="{t}Click here to log in{/t}"/>
diff --git a/include/class_ldapSizeLimit.inc b/include/class_ldapSizeLimit.inc
index 198bc409dca44050ff37951910f368ac83700de7..3d8c6000ad8d4850e5d4b64f082a617a7e943a68 100644
--- a/include/class_ldapSizeLimit.inc
+++ b/include/class_ldapSizeLimit.inc
@@ -127,13 +127,9 @@ class ldapSizeLimit
 */
 function renderWarning ()
 {
- if (($this->sizeLimit >= 10000000) || $this->limitExceeded) {
- $config = '<input type="submit" name="edit_sizelimit" value="'._('Configure').'" formnovalidate="formnovalidate"/>';
- } else {
- $config = '';
- }
 if ($this->limitExceeded) {
- return '('._('incomplete').") $config";
+ $config = '<input type="submit" name="edit_sizelimit" value="'.htmlescape(_('Configure')).'" formnovalidate="formnovalidate"/>';
+ return '('.htmlescape(_('incomplete')).') '.$config;
 }
 return '';
 }
diff --git a/include/class_logging.inc b/include/class_logging.inc
index a3a111dbe087b5e45c8d7ea1d8525f74d9ab0e53..9feccb6c00cc879558bb7a939f8f68826a45d42b 100644
--- a/include/class_logging.inc
+++ b/include/class_logging.inc
@@ -210,9 +210,9 @@ class logging
 $baseObject->fdAuditAttributes = $entry['changes'];
 $baseObject->fdAuditResult = $entry['result'];
 $baseObject->base = $config->current['BASE'];
- $message = $tabObject->save();
- if (!empty($message)) {
- msg_dialog::displayChecks($message);
+ $errors = $tabObject->save();
+ if (!empty($errors)) {
+ msg_dialog::displayChecks($errors);
 }
 } catch (FusionDirectoryException $e) {
 msg_dialog::display(_('Error'), sprintf(_('Failed to log event (%s - %s): %s'), $entry['action'], $entry['objecttype'], $e->getMessage()), ERROR_DIALOG);
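Review bot: `renderWarning()` now returns a markup fragment that management.tpl prints without `|escape` (via `{$SIZELIMIT}`), yet the signature carries no return type and the docblock ending at the `*/` above the hunk does not say the string is HTML. Declare it `function renderWarning (): string` and add `\return string HTML fragment, already escaped; callers must print it raw` to that docblock, so the trust boundary is stated at both ends; `: array` return types already appear on `check()` elsewhere in this commit, so the syntax is in keeping with the codebase. Dropping the `sizeLimit >= 10000000` branch is behaviour-neutral, since `$config` was only ever read inside the `limitExceeded` branch. The docblock starts above the hunk.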
diff --git a/include/class_msg_dialog.inc b/include/class_msg_dialog.inc
index 4ffc80ce326c4119844babf277740d70d5c08606..c06cdd6d6722b621e3a1031f453f767bf173eace 100644
--- a/include/class_msg_dialog.inc
+++ b/include/class_msg_dialog.inc
@@ -46,9 +46,9 @@ class msg_dialog
 /*!
 * \brief Message dialog constructor
 *
- * \param string $title The title of the message dialog
+ * \param string $title The title of the message dialog (plain string)
 *
- * \param string $message The message of the message dialog
+ * \param string $message The message of the message dialog (HTML)
 *
 * \param int $type The type of the message dialog, by default = INFO_DIALOG
 *
@@ -168,8 +168,7 @@ class msg_dialog
 global $config;
 $display =
- '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
+ '<!DOCTYPE html>
 <html><head>
 <title>FusionDirectory startup failed</title>
 </head><body>';
@@ -182,12 +181,12 @@ class msg_dialog
 '<table style="width:100%; border:2px solid red;">
 <tr>
 <td style="vertical-align:top;padding:10px">
- <img src="geticon.php?context=status&icon=dialog-error&size=32" alt="'._('Error').'"/>
+ <img src="geticon.php?context=status&icon=dialog-error&size=32" alt="'.htmlescape(_('Error')).'"/>
 </td>
 <td style="width:100%">
- <b>'.$this->s_Title.'</b><br/>
- '.$this->s_Message.'<br><br/>
- '._('Please fix the above error and reload the page.').'
+ <b>'.htmlescape($this->s_Title).'</b><br/>
+ '.$this->s_Message.'<br/><br/>
+ '.htmlescape(_('Please fix the above error and reload the page.')).'
 </td>
 </tr>
 </table></body></html>';
diff --git a/include/class_pluglist.inc b/include/class_pluglist.inc
index 0a80246f08d5ffedf6459dedf8fb6237544b42e2..d468eff0480e15ea642ad95c87346448e7706fab 100644
--- a/include/class_pluglist.inc
+++ b/include/class_pluglist.inc
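Review bot: the docblock now declares `$message` as HTML and `$title` as plain text, which makes every `msg_dialog::display()` caller responsible for escaping its message, but this commit only updates the two login classes; the `catch` branch visible in the include/class_logging.inc hunk still passes `sprintf(_('Failed to log event (%s - %s): %s'), $entry['action'], $entry['objecttype'], $e->getMessage())` unescaped, and exception text may carry values from the entry being logged. Wrap that argument in `htmlescape(...)` the way the login classes do. In the startup-failure page hunk `$this->s_Message` is interpolated raw by design under this contract, so a comment on that line, `// s_Message is HTML by contract (see constructor docblock)`, would stop it being "fixed" into a double-encode later.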
@@ -377,12 +377,12 @@ class pluglist
 }
 $entries .= '<li class="menuitem" id="menuitem_'.$id.'">';
- $entries .= '<a href="'.$href.'" title="'.$plDescription.'">'.$plHeadline.'</a></li>'."\n";
+ $entries .= '<a href="'.$href.'" title="'.htmlescape($plDescription).'">'.htmlescape($plHeadline).'</a></li>'."\n";
 }
 /* Append to menu */
 if ($entries != "") {
- $this->menu .= '<li><a>'.$section_infos['NAME']."</a>\n<ul>\n".$entries."\n</ul></li>\n";
+ $this->menu .= '<li><a>'.htmlescape($section_infos['NAME'])."</a>\n<ul>\n".$entries."\n</ul></li>\n";
 }
 }
 $this->menu .= '</ul>'."\n";
@@ -420,7 +420,7 @@ class pluglist
 foreach ($config->data['SECTIONS'] as $section => $section_infos) {
 $entries = '';
 $sectionMenu = '<div class="iconmenu-section"><h1 class="menuheader">';
- $sectionMenu .= $section_infos['NAME']."</h1>\n";
+ $sectionMenu .= htmlescape($section_infos['NAME'])."</h1>\n";
 foreach ($config->data['MENU'][$section] as $info) {
 if (!$this->check_access($info)) {
diff --git a/include/login/class_LoginCAS.inc b/include/login/class_LoginCAS.inc
index 98a8386288cedb7f92401ec7568637c2b5bd9279..8d87d6f017a86fcb54e0d41229a054a138c63c68 100644
--- a/include/login/class_LoginCAS.inc
+++ b/include/login/class_LoginCAS.inc
@@ -100,11 +100,11 @@ class LoginCAS extends LoginMethod
 if (!empty($message)) {
 msg_dialog::display(
 _('Error'),
- sprintf(
+ htmlescape(sprintf(
 _('Login with user "%s" triggered error: %s'),
 static::$username,
 $message
- ),
+ )),
 FATAL_ERROR_DIALOG
 );
 }
diff --git a/include/login/class_LoginHTTPHeader.inc b/include/login/class_LoginHTTPHeader.inc
index 6b45ec330b73e34695ccc56b28a37590242d3ca0..30cdd15f5152931c3ebd53d536cd8c2200bd9ce8 100644
--- a/include/login/class_LoginHTTPHeader.inc
+++ b/include/login/class_LoginHTTPHeader.inc
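Review bot: in the first hunk `$plDescription` and `$plHeadline` gain `htmlescape()`, but `href="'.$href.'"` on the same line and `id="menuitem_'.$id.'"` on the context line above are still concatenated raw, so the escaping policy is applied to only half of the element; even if both values derive from plugin class names and configuration, treating them the same way costs nothing and removes a case-by-case judgement. Suggest `'<a href="'.htmlescape($href).'" title="'.htmlescape($plDescription).'">'` and `id="menuitem_'.htmlescape($id).'"`. The second hunk's `htmlescape($section_infos['NAME'])` is consistent with the first; the enclosing method begins above the hunk.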
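Review bot: wrapping the whole `sprintf()` in `htmlescape()` satisfies the `(HTML)` contract this commit gives the dialog message, but it assumes `$message` is plain text; if it comes from a check that already returns escaped markup (the `SimplePluginCheckError` messages in this commit are built with `htmlescape(...)`), the text will be double-encoded, so confirm its producer above the hunk. The identical block appears in include/login/class_LoginHTTPHeader.inc; a shared helper on `LoginMethod`, e.g. `static function displayLoginError(string $message): void`, would keep the escaping decision in one place. The enclosing method starts and ends outside the hunk.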
@@ -96,11 +96,11 @@ class LoginHTTPHeader extends LoginMethod
 if (!empty($message)) {
 msg_dialog::display(
 _('Error'),
- sprintf(
+ htmlescape(sprintf(
 _('Login with user "%s" triggered error: %s'),
 static::$username,
 $message
- ),
+ )),
 FATAL_ERROR_DIALOG
 );
 }
diff --git a/include/simpleplugin/class_multiPlugin.inc b/include/simpleplugin/class_multiPlugin.inc
index 9e3ba393e44d8427f61f93fc929e2e669c06fa43..85b31d008236092d93c19b5a68e21e696ad9080b 100644
--- a/include/simpleplugin/class_multiPlugin.inc
+++ b/include/simpleplugin/class_multiPlugin.inc
@@ -134,17 +134,17 @@ class multiPlugin extends simplePlugin
 function check (): array
 {
- $message = parent::check();
+ $errors = parent::check();
 foreach ($this->plugin as &$plug) {
 if ($plug->isActive()) {
- $tmp = $plug->check();
- $message = array_merge($message, $tmp);
+ $tmp = $plug->check();
+ $errors = array_merge($errors, $tmp);
 }
 }
 unset($plug);
- return $message;
+ return $errors;
 }
 function set_acl_category (string $cat)
diff --git a/include/simpleplugin/class_simplePlugin.inc b/include/simpleplugin/class_simplePlugin.inc
index f4b7b5e6523ccf976e4d07c6521ab9a34e46e6b1..3beb1508157fea88b0c2e7cb910fb78e6cd658c7 100644
--- a/include/simpleplugin/class_simplePlugin.inc
+++ b/include/simpleplugin/class_simplePlugin.inc
@@ -2239,18 +2239,18 @@ class simplePlugin implements SimpleTab
 /* save changes to LDAP and disable edit mode */
 if (isset($_POST['edit_finish'])) {
 /* Perform checks */
- $message = $tabObject->save();
+ $errors = $tabObject->save();
 /* No errors, save object */
- if (count($message) == 0) {
+ if (count($errors) == 0) {
 del_lock($entry_dn);
 session::un_set('edit');
 /* Remove from session */
 session::un_set($classname);
 } else {
- /* Errors found, show message */
- msg_dialog::displayChecks($message);
+ /* Errors found, show errors */
+ msg_dialog::displayChecks($errors);
 }
 }
 }
diff --git a/plugins/admin/aclrole/acleditiondialog.tpl b/plugins/admin/aclrole/acleditiondialog.tpl
index 36174c6ee53ae03145d520f1a619fff21a19cee1..8ac0384b3cbbcbc2f4702f705e041a5e2a113be3 100644
--- a/plugins/admin/aclrole/acleditiondialog.tpl
+++ b/plugins/admin/aclrole/acleditiondialog.tpl
@@ -1,4 +1,4 @@
- <h1>{$headline}</h1>
+ <h1>{$headline|escape}</h1>
 {$aclEdition}
 {if $dialogState eq 'create'}
diff --git a/plugins/admin/departments/class_department.inc b/plugins/admin/departments/class_department.inc
index 5ab4a8815f5e1fbd9093d025cb95bcc195b83492..25fed2e6d81863dffc0767f439047943aa60a547 100644
--- a/plugins/admin/departments/class_department.inc
+++ b/plugins/admin/departments/class_department.inc
@@ -162,18 +162,18 @@ class department extends simplePlugin
 /* Check values */
 function check (): array
 {
- $message = parent::check();
+ $errors = parent::check();
 $namingAttr = static::$namingAttr;
 if (($namingAttr == 'ou') && tests::is_department_name_reserved($this->$namingAttr)) {
- $message[] = new SimplePluginCheckError(
+ $errors[] = new SimplePluginCheckError(
 $this,
 htmlescape(msgPool::reserved(_('Name')))
 );
 }
- return $message;
+ return $errors;
 }
 function get_allowed_bases (): array
diff --git a/plugins/admin/groups/class_ogroup.inc b/plugins/admin/groups/class_ogroup.inc
index 094598b3b9ba68901bcc21e1a644a675c4d048e6..7aa7ec6203543f9994b5842d99639db8fbc6cd8a 100644
--- a/plugins/admin/groups/class_ogroup.inc
+++ b/plugins/admin/groups/class_ogroup.inc
@@ -245,16 +245,16 @@ class ogroup extends simplePlugin
 function check (): array
 {
- $message = parent::check();
+ $errors = parent::check();
 $this->reload();
 if (preg_match('/W/', $this->gosaGroupObjects) && preg_match('/T/', $this->gosaGroupObjects)) {
- $message[] = new SimplePluginCheckError(
+ $errors[] = new SimplePluginCheckError(
 $this,
 htmlescape(_('Putting both workstations and terminals in the same group is not allowed'))
 );
 }
- return $message;
+ return $errors;
 }
 function ldap_save (): array
diff --git a/setup/setup_frame.tpl b/setup/setup_frame.tpl
index ba450cb00725335e0196c6703948a0f799b36a7a..6016c45be7be54fff61e262b67ec4906aea2b85c 100644
--- a/setup/setup_frame.tpl
+++ b/setup/setup_frame.tpl
@@ -6,7 +6,7 @@
 <div id="header-left">
 <img id="fd-logo" class="optional" src="geticon.php?context=applications&icon=fusiondirectory&size=48" alt="FusionDirectory logo"/>
 <a class="plugtop">
- <img src="{$headline_image|escape}" alt=""/>{t}{$headline}{/t}
+ <img src="{$headline_image|escape}" alt=""/>{$headline|escape}
 </a>
 </div>
 <div id="header-right">