From d0eeba71e90fc6932fd7a0ef567fa69e151c2922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Wed, 10 Jun 2020 17:12:16 +0200
Subject: [PATCH] :sparkles: feat(core) Fix various cases of HTML escaping

msgPool always returns escaped string because it may be used from smarty.
htmlescape now calls htmlspecialchars instead of htmlentities, allowing to escape strings with % without losing sprintf capability.

issue #6071
---
 ihtml/themes/breezy/copynotice.tpl | 2 +-
 ihtml/themes/breezy/login.tpl | 2 +-
 ihtml/themes/legacy/login.tpl | 2 +-
 include/class_logging.inc | 6 +-
 include/class_msgPool.inc | 130 +++++++++---------
 include/class_passwordRecovery.inc | 2 +-
 include/class_pluglist.inc | 2 +-
 include/class_standAlonePage.inc | 13 +-
 include/functions.inc | 8 ++
 include/login/class_LoginMethod.inc | 12 +-
 include/login/class_LoginPost.inc | 8 +-
 include/php_setup.inc | 4 +-
 .../admin/departments/class_department.inc | 2 +-
 plugins/generic/welcome/main.inc | 7 +-
 14 files changed, 104 insertions(+), 96 deletions(-)

diff --git a/ihtml/themes/breezy/copynotice.tpl b/ihtml/themes/breezy/copynotice.tpl
index f6651b5c4..091f6a8f1 100644
--- a/ihtml/themes/breezy/copynotice.tpl
+++ b/ihtml/themes/breezy/copynotice.tpl
@@ -1,3 +1,3 @@
 <div class="copynotice">
- {t escape=no 1=$year 2=$revision}© 2002-%1 <a href="http://www.fusiondirectory.org">The FusionDirectory team, %2</a>{/t}
+ {$copynotice}
 </div>
diff --git a/ihtml/themes/breezy/login.tpl b/ihtml/themes/breezy/login.tpl
index ecbcb401b..25f4d9cf7 100644
--- a/ihtml/themes/breezy/login.tpl
+++ b/ihtml/themes/breezy/login.tpl
@@ -21,7 +21,7 @@
 <div class="optional">
 {t}Please use your username and your password to log into the site administration system.{/t}<br />
 {if $ssl}<span class="warning">{$ssl}</span>{/if}
- {if $lifetime}<span class="warning">{$lifetime}</span>{/if}
+ {if $lifetime}<span class="warning">{$lifetime|escape}</span>{/if}
 </div>
 <div>
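Review bot: `{$ssl}` on the context line just above the change stays unescaped while `$lifetime` now gets `|escape`, and nothing in the template records that this asymmetry is deliberate. The PHP side in this same commit (class_standAlonePage.inc, class_LoginPost.inc) now builds `$ssl` as pre-escaped text around a raw `<a>` tag, so a later editor adding `|escape` here would break the link and one dropping the escaping in PHP would reintroduce injection. I would add a template comment on that line: `{* $ssl is pre-escaped HTML built in PHP (contains an <a> tag); do not apply |escape here *}`. The enclosing markup block starts before the hunk.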
diff --git a/ihtml/themes/legacy/login.tpl b/ihtml/themes/legacy/login.tpl
index b3de6c82e..349b312d3 100644
--- a/ihtml/themes/legacy/login.tpl
+++ b/ihtml/themes/legacy/login.tpl
@@ -21,7 +21,7 @@
 <div class="optional">
 {t}Please use your username and your password to log into the site administration system.{/t}<br />
 {if $ssl}<span class="warning">{$ssl}</span>{/if}
- {if $lifetime}<span class="warning">{$lifetime}</span>{/if}
+ {if $lifetime}<span class="warning">{$lifetime|escape}</span>{/if}
 </div>
 <div>
diff --git a/include/class_logging.inc b/include/class_logging.inc
index 9feccb6c0..3bd5f3062 100644
--- a/include/class_logging.inc
+++ b/include/class_logging.inc
@@ -215,7 +215,11 @@ class logging
 msg_dialog::displayChecks($errors);
 }
 }
 } catch (FusionDirectoryException $e) {
- msg_dialog::display(_('Error'), sprintf(_('Failed to log event (%s - %s): %s'), $entry['action'], $entry['objecttype'], $e->getMessage()), ERROR_DIALOG);
+ msg_dialog::display(
+ _('Error'),
+ htmlescape(sprintf(_('Failed to log event (%s - %s): %s'), $entry['action'], $entry['objecttype'], $e->getMessage())),
+ ERROR_DIALOG
+ );
 }
 }
 }
diff --git a/include/class_msgPool.inc b/include/class_msgPool.inc
index b190af7ad..02b01fca1 100644
--- a/include/class_msgPool.inc
+++ b/include/class_msgPool.inc
@@ -44,18 +44,18 @@ class msgPool
 public static function permDelete ($name = '')
 {
 if ($name == '') {
- return _('You have no permission to delete this object!');
+ return htmlescape(_('You have no permission to delete this object!'));
 }
 
 if (!is_array($name)) {
- return _('You have no permission to delete the object:')."<br/><br/><i>$name</i>";
+ return htmlescape(_('You have no permission to delete the object:'))."<br/><br/><i>$name</i>";
 }
 
 if (count($name) == 1) {
- return _('You have no permission to delete the object:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to delete the object:')).'<br/>'.msgPool::buildList($name);
 }
 
- return _('You have no permission to delete these objects:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to delete these objects:')).'<br/>'.msgPool::buildList($name);
 }
 
 /*!
@@ -66,18 +66,18 @@ class msgPool
 public static function permCreate ($name = '')
 {
 if ($name == '') {
- return _('You have no permission to create this object!');
+ return htmlescape(_('You have no permission to create this object!'));
 }
 
 if (!is_array($name)) {
- return _('You have no permission to create the object:')."<br/><br/><i>$name</i>";
+ return htmlescape(_('You have no permission to create the object:')).'<br/><br/><i>'.htmlescape($name).'</i>';
 }
 
 if (count($name) == 1) {
- return _('You have no permission to create the object:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to create the object:')).'<br/>'.msgPool::buildList($name);
 }
 
- return _('You have no permission to create these objects:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to create these objects:')).'<br/>'.msgPool::buildList($name);
 }
 
 /*!
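Review bot: In permDelete's non-array branch `$name` is still interpolated raw into `"<br/><br/><i>$name</i>"`, whereas permCreate in the very next hunk wraps it in htmlescape(). Since msgPool now promises escaped output and callers such as class_department.inc in this commit drop their own htmlescape() on the strength of that promise, this branch becomes the one place where a caller-supplied object name reaches the page unescaped. Change it to `return htmlescape(_('You have no permission to delete the object:')).'<br/><br/><i>'.htmlescape($name).'</i>';` so all four perm* helpers agree.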
@@ -89,22 +89,22 @@ class msgPool
 public static function permModify ($name = '', $field = '')
 {
 if ($name == '') {
- return _('You have no permission to modify this object!');
+ return htmlescape(_('You have no permission to modify this object!'));
 }
 
 if (!is_array($name)) {
 if ($field != '') {
- return sprintf(_('You have no permission to modify the field "%s" of object "%s"'), $field, $name);
+ return htmlescape(sprintf(_('You have no permission to modify the field "%s" of object "%s"'), $field, $name));
 } else {
- return sprintf(_('You have no permission to modify the object:<br/>%s'), '<br/><i>'.$name.'</i>');
+ return sprintf(htmlescape(_('You have no permission to modify the object:%s')), '<br/><br/><i>'.htmlescape($name).'</i>');
 }
 }
 
 if (count($name) == 1) {
- return sprintf(_('You have no permission to modify the object:<br/>%s'), msgPool::buildList($name));
+ return sprintf(htmlescape(_('You have no permission to modify the object:%s')), '<br/>'.msgPool::buildList($name));
 }
 
- return sprintf(_('You have no permission to modify these objects:<br/>%s'), msgPool::buildList($name));
+ return sprintf(htmlescape(_('You have no permission to modify these objects:%s')), '<br/>'.msgPool::buildList($name));
 }
 
 /*!
@@ -115,18 +115,18 @@ class msgPool
 public static function permView ($name = '')
 {
 if ($name == '') {
- return _('You have no permission to view this object!');
+ return htmlescape(_('You have no permission to view this object!'));
 }
 
 if (!is_array($name)) {
- return _('You have no permission to view the object:')."<br/><br/><i>$name</i>";
+ return htmlescape(_('You have no permission to view the object:'))."<br/><br/><i>".htmlescape($name)."</i>";
 }
 
 if (count($name) == 1) {
- return _('You have no permission to view the object:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to view the object:')).'<br/>'.msgPool::buildList($name);
 }
 
- return _('You have no permission to view these objects:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to view these objects:')).'<br/>'.msgPool::buildList($name);
 }
 
 /*!
@@ -137,18 +137,18 @@ class msgPool
 public static function permMove ($name = '')
 {
 if ($name == '') {
- return _('You have no permission to move this object!');
+ return htmlescape(_('You have no permission to move this object!'));
 }
 
 if (!is_array($name)) {
- return _('You have no permission to move the object:')."<br/><br/><i>$name</i>";
+ return htmlescape(_('You have no permission to move the object:'))."<br/><br/><i>".htmlescape($name)."</i>";
 }
 
 if (count($name) == 1) {
- return _('You have no permission to move the object:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to move the object:')).'<br/>'.msgPool::buildList($name);
 }
 
- return _('You have no permission to move these objects:').'<br/>'.msgPool::buildList($name);
+ return htmlescape(_('You have no permission to move these objects:')).'<br/>'.msgPool::buildList($name);
 }
 
 /*!
@@ -158,7 +158,7 @@ class msgPool
 */
 public static function reserved ($name)
 {
- return sprintf(_('The field "%s" contains a reserved keyword!'), $name);
+ return htmlescape(sprintf(_('The field "%s" contains a reserved keyword!'), $name));
 }
 
 /*!
@@ -174,15 +174,15 @@ class msgPool
 {
 if ($command == '') {
 if ($plugin == '') {
- return sprintf(_('Cannot execute "%s" command!'), $type);
+ return htmlescape(sprintf(_('Cannot execute "%s" command!'), $type));
 } else {
- return sprintf(_('Cannot execute "%s" command for plugin %s!'), $type, $plugin);
+ return htmlescape(sprintf(_('Cannot execute "%s" command for plugin %s!'), $type, $plugin));
 }
 } else {
 if ($plugin == '') {
- return sprintf(_('Cannot execute "%s" command (%s)!'), $type, $command);
+ return htmlescape(sprintf(_('Cannot execute "%s" command (%s)!'), $type, $command));
 } else {
- return sprintf(_('Cannot execute "%s" command (%s) for plugin %s!'), $type, $command, $plugin);
+ return htmlescape(sprintf(_('Cannot execute "%s" command (%s) for plugin %s!'), $type, $command, $plugin));
 }
 }
 }
@@ -197,9 +197,9 @@ class msgPool
 public static function toobig ($name, $min = '')
 {
 if ($min == '') {
- return sprintf(_('Value for "%s" is too large!'), $name);
+ return htmlescape(sprintf(_('Value for "%s" is too large!'), $name));
 } else {
- return sprintf(_('"%s" must be smaller than %s!'), $name, $min);
+ return htmlescape(sprintf(_('"%s" must be smaller than %s!'), $name, $min));
 }
 }
 
@@ -213,9 +213,9 @@ class msgPool
 public static function toosmall ($name, $min = '')
 {
 if ($min == '') {
- return sprintf(_('Value for "%s" is too small!'), $name);
+ return htmlescape(sprintf(_('Value for "%s" is too small!'), $name));
 } else {
- return sprintf(_('"%s" must be %d or above!'), $name, $min);
+ return htmlescape(sprintf(_('"%s" must be %d or above!'), $name, $min));
 }
 }
 
@@ -228,7 +228,7 @@ class msgPool
 */
 public static function depends ($name1, $name2)
 {
- return sprintf(_('"%s" depends on "%s" - please provide both values!'), $name1, $name2);
+ return htmlescape(sprintf(_('"%s" depends on "%s" - please provide both values!'), $name1, $name2));
 }
 
 /*!
@@ -240,9 +240,9 @@ class msgPool
 public static function duplicated ($name, $dn = NULL)
 {
 if ($dn == NULL) {
- return sprintf(_('There is already an entry with this "%s" attribute in the system!'), $name);
+ return htmlescape(sprintf(_('There is already an entry with this "%s" attribute in the system!'), $name));
 } else {
- return sprintf(_('The entry "%s" already use this "%s" attribute!'), $dn, $name);
+ return htmlescape(sprintf(_('The entry "%s" already use this "%s" attribute!'), $dn, $name));
 }
 }
 
@@ -253,7 +253,7 @@ class msgPool
 */
 public static function required ($name)
 {
- return sprintf(_('The required field "%s" is empty!'), $name);
+ return htmlescape(sprintf(_('The required field "%s" is empty!'), $name));
 }
 
 /*!
@@ -288,7 +288,7 @@ class msgPool
 */
 public static function missingext ($name)
 {
- return sprintf(_('Missing %s PHP extension!'), $name);
+ return htmlescape(sprintf(_('Missing %s PHP extension!'), $name));
 }
 
 /*!
@@ -296,7 +296,7 @@ class msgPool
 */
 public static function cancelButton ()
 {
- return _('Cancel');
+ return htmlescape(_('Cancel'));
 }
 
 /*!
@@ -304,7 +304,7 @@ class msgPool
 */
 public static function okButton ()
 {
- return _('Ok');
+ return htmlescape(_('Ok'));
 }
 
 /*!
@@ -312,7 +312,7 @@ class msgPool
 */
 public static function applyButton ()
 {
- return _('Apply');
+ return htmlescape(_('Apply'));
 }
 
 /*!
@@ -320,7 +320,7 @@ class msgPool
 */
 public static function saveButton ()
 {
- return _('Save');
+ return htmlescape(_('Save'));
 }
 
 /*!
@@ -330,7 +330,7 @@ class msgPool
 */
 public static function addButton ($what = '')
 {
- return (($what == '') ? sprintf(_('Add')) : sprintf(_('Add %s'), $what));
+ return htmlescape(($what == '') ? sprintf(_('Add')) : sprintf(_('Add %s'), $what));
 }
 
 /*!
@@ -340,7 +340,7 @@ class msgPool
 */
 public static function delButton ($what = '')
 {
- return (($what == '') ? sprintf(_('Delete')) : sprintf(_('Delete %s'), $what));
+ return htmlescape(($what == '') ? sprintf(_('Delete')) : sprintf(_('Delete %s'), $what));
 }
 
 /*!
@@ -350,7 +350,7 @@ class msgPool
 */
 public static function editButton ($what = '')
 {
- return (($what == '') ? sprintf(_('Edit...')) : sprintf(_('Edit %s...'), $what));
+ return htmlescape(($what == '') ? sprintf(_('Edit...')) : sprintf(_('Edit %s...'), $what));
 }
 
 /*!
@@ -358,7 +358,7 @@ class msgPool
 */
 public static function backButton ()
 {
- return _('Back');
+ return htmlescape(_('Back'));
 }
 
 /*!
@@ -371,9 +371,9 @@ class msgPool
 $objects = '<ul>';
 foreach ($data as $key => $value) {
 if (is_numeric($key)) {
- $objects .= "<li>\n<i>$value</i></li>";
+ $objects .= "<li>\n<i>".htmlescape($value)."</i></li>";
 } else {
- $objects .= "<li>\n$value (<i>$key</i>)</li>";
+ $objects .= "<li>\n".htmlescape($value)." (<i>".htmlescape($key)."</i>)</li>";
 }
 }
 $objects .= '</ul>';
@@ -387,7 +387,7 @@ class msgPool
 */
 public static function noValidExtension ($name)
 {
- return sprintf(_('This account has no valid %s extensions!'), $name);
+ return htmlescape(sprintf(_('This account has no valid %s extensions!'), $name));
 }
 
 /*!
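Review bot: buildList now escapes both `$value` and `$key` itself, so any caller that already passes htmlescape()d strings (none are visible in this diff, but msgPool is a public helper used by plugins) will render `&amp;lt;`-style double escaping instead of a clean name. The new contract belongs in the docblock above the hunk so callers stop pre-escaping; I would add: ` * \param array $data raw (unescaped) names, numerically keyed or name => dn; values and keys are HTML-escaped here`. buildList's docblock and its closing `return` are outside the hunk.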
@@ -400,12 +400,12 @@ class msgPool
 public static function featuresEnabled ($name, $depends = '')
 {
 if (($depends == '') || (is_array($depends) && (count($depends) == 0))) {
- return sprintf(_('This account has %s settings enabled. You can disable them by clicking below.'), $name);
+ return htmlescape(sprintf(_('This account has %s settings enabled. You can disable them by clicking below.'), $name));
 } else {
 if (is_array($depends)) {
 $depends = implode(' / ', $depends);
 }
- return sprintf(_('This account has %s settings enabled. To disable them, you\'ll need to remove the %s settings first!'), $name, $depends);
+ return htmlescape(sprintf(_('This account has %s settings enabled. To disable them, you\'ll need to remove the %s settings first!'), $name, $depends));
 }
 }
 
@@ -421,11 +421,11 @@ class msgPool
 public static function featuresDisabled ($name, array $depends = [], array $conflicts = [])
 {
 if (empty($depends) && empty($conflicts)) {
- return sprintf(_('This account has %s settings disabled. You can enable them by clicking below.'), $name);
+ return htmlescape(sprintf(_('This account has %s settings disabled. You can enable them by clicking below.'), $name));
 } elseif (!empty($depends)) {
- return sprintf(_('This account has %s settings disabled. To enable them, you\'ll need to add the %s settings first!'), $name, implode(' / ', $depends));
+ return htmlescape(sprintf(_('This account has %s settings disabled. To enable them, you\'ll need to add the %s settings first!'), $name, implode(' / ', $depends)));
 } else {
- return sprintf(_('This account has %s settings disabled. To enable them, you\'ll need to disable the %s settings first!'), $name, implode(' / ', $conflicts));
+ return htmlescape(sprintf(_('This account has %s settings disabled. To enable them, you\'ll need to disable the %s settings first!'), $name, implode(' / ', $conflicts)));
 }
 }
 
@@ -436,7 +436,7 @@ class msgPool
 */
 public static function addFeaturesButton ($name)
 {
- return sprintf(_('Add %s settings'), $name);
+ return htmlescape(sprintf(_('Add %s settings'), $name));
 }
 
 /*!
@@ -447,7 +447,7 @@ class msgPool
 
 public static function removeFeaturesButton ($name)
 {
- return sprintf(_('Remove %s settings'), $name);
+ return htmlescape(sprintf(_('Remove %s settings'), $name));
 }
 
 /*!
@@ -455,7 +455,7 @@ class msgPool
 */
 public static function clickEditToChange ()
 {
- return _('Click the "Edit" button on the bottom right corner of the page to edit the fields');
+ return htmlescape(_('Click the "Edit" button on the bottom right corner of the page to edit the fields'));
 }
 
 /*!
@@ -495,17 +495,17 @@ class msgPool
 _('delete operation'), _('search operation'), _('authentication')];
 if (isset($typemap[$type])) {
- $msg = sprintf(_('LDAP %s failed!'), $typemap[$type]);
+ $msg = htmlescape(sprintf(_('LDAP %s failed!'), $typemap[$type]));
 } else {
- $msg = _('LDAP operation failed!');
+ $msg = htmlescape(_('LDAP operation failed!'));
 }
 
 /* Fill DN information */
 if ($dn != '') {
- $msg .= '<br/><br/><i>'._('Object').':</i> '.$dn;
+ $msg .= '<br/><br/><i>'.htmlescape(_('Object')).':</i> '.htmlescape($dn);
 }
 
- $msg .= '<br/><br/><i>'._('Error').':</i> '.$error;
+ $msg .= '<br/><br/><i>'.htmlescape(_('Error')).':</i> '.htmlescape($error);
 
 return $msg;
 }
@@ -518,10 +518,10 @@ class msgPool
 public static function incorrectUpload ($reason = '')
 {
 if ($reason == '') {
- return _('Upload failed!');
+ return htmlescape(_('Upload failed!'));
 }
 
- return sprintf(_('Upload failed: %s'), "<br/><br/><i>$reason</i>");
+ return sprintf(htmlescape(_('Upload failed: %s')), '<br/><br/><i>'.htmlescape($reason).'</i>');
 }
 
 /*!
@@ -532,9 +532,9 @@ class msgPool
 public static function siError ($error = '')
 {
 if ($error == '') {
- return _('Communication failure with the infrastructure service!');
+ return htmlescape(_('Communication failure with the infrastructure service!'));
 }
- return sprintf(_('Communication failure with the infrastructure service: %s'), '<br/><br/>'.sprintf(_('Error: %s'), $error));
+ return sprintf(htmlescape(_('Communication failure with the infrastructure service: %s')), '<br/><br/>'.htmlescape(sprintf(_('Error: %s'), $error)));
 }
 
 /*!
@@ -544,7 +544,7 @@ class msgPool
 */
 public static function checkingFor ($what)
 {
- return sprintf(_('Checking for %s support'), $what);
+ return htmlescape(sprintf(_('Checking for %s support'), $what));
 }
 
 /*!
@@ -554,7 +554,7 @@ class msgPool
 */
 public static function installPhpModule ($what)
 {
- return sprintf(_('Install and activate the %s PHP module.'), $what);
+ return htmlescape(sprintf(_('Install and activate the %s PHP module.'), $what));
 }
 
 /*!
@@ -562,6 +562,6 @@ class msgPool
 */
 public static function check_base ()
 {
- return _('The supplied base is not valid and has been reset to the previous value!');
+ return htmlescape(_('The supplied base is not valid and has been reset to the previous value!'));
 }
 }
diff --git a/include/class_passwordRecovery.inc b/include/class_passwordRecovery.inc
index 3e457ddb3..fc1f73157 100644
--- a/include/class_passwordRecovery.inc
+++ b/include/class_passwordRecovery.inc
@@ -84,7 +84,7 @@ class passwordRecovery extends standAlonePage
 $this->step4();
 } elseif (isset($_POST['apply'])) {
 if ($_POST['email_address'] == '') {
- $this->message[] = msgPool::required(_('Email address'));
+ $this->message[] = new FusionDirectoryError(msgPool::required(_('Email address')));
 return;
 }
 $this->email_address = $_POST['email_address'];
diff --git a/include/class_pluglist.inc b/include/class_pluglist.inc
index d468eff04..ceb769027 100644
--- a/include/class_pluglist.inc
+++ b/include/class_pluglist.inc
@@ -586,7 +586,7 @@ class pluglist
 $cleanup = $remove_lock = FALSE;
 }
 } catch (Exception $e) {
- $smarty->assign('headline', _('Fatal error!'));
+ $smarty->assign('headline', _('Fatal error!'));
 $smarty->assign('headline_image', 'geticon.php?context=status&icon=dialog-error&size=32');
 $display = '<h1>'.htmlescape(_('An unrecoverable error occurred. Please contact your administator.')).'</h1><p>';
 if (ini_get('display_errors') == 1) {
diff --git a/include/class_standAlonePage.inc b/include/class_standAlonePage.inc
index 57e377149..b368b077e 100644
--- a/include/class_standAlonePage.inc
+++ b/include/class_standAlonePage.inc
@@ -153,12 +153,11 @@ class standAlonePage
 /* Check for old files in compile directory */
 clean_smarty_compile_dir($smarty->compile_dir);
 
- $smarty->assign('date', gmdate('D, d M Y H:i:s'));
- $smarty->assign('params', '');
- $smarty->assign('message', '');
- $smarty->assign('changed', FALSE);
- $smarty->assign('revision', FD_VERSION);
- $smarty->assign('year', date('Y'));
+ $smarty->assign('date', gmdate('D, d M Y H:i:s'));
+ $smarty->assign('params', '');
+ $smarty->assign('message', '');
+ $smarty->assign('changed', FALSE);
+ $smarty->assign('copynotice', copynotice());
 
 $lang = session::get('lang');
 $smarty->assign('lang', preg_replace('/_.*$/', '', $lang));
@@ -207,7 +206,7 @@ class standAlonePage
 exit;
 } elseif ($config->get_cfg_value('warnssl') == 'TRUE') {
 /* Display SSL mode warning? */
- $smarty->assign('ssl', sprintf(_('Warning: <a href="%s">Session is not encrypted!</a>'), $ssl));
+ $smarty->assign('ssl', sprintf(htmlescape(_('Warning: %sSession is not encrypted!%s')), '<a href="'.$ssl.'">', '</a>'));
 }
 }
 
diff --git a/include/functions.inc b/include/functions.inc
index 79117b01d..5bb59e4f3 100644
--- a/include/functions.inc
+++ b/include/functions.inc
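Review bot: In the new `$smarty->assign('ssl', ...)` line of the `warnssl` hunk, `$ssl` is concatenated into the `href` attribute without htmlescape(), and login.tpl prints `{$ssl}` raw because it now carries markup. If `$ssl` is derived from request data such as the Host header or REQUEST_URI (its construction is above this hunk and not visible here), a `"` in it closes the attribute and everything after it lands in the login page unescaped. Escape the argument: `'<a href="'.htmlescape($ssl).'">'` — htmlescape() now uses ENT_QUOTES, so both quote characters are covered. The same pattern appears in class_LoginPost.inc in this commit; the enclosing method starts before the hunk.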
@@ -175,6 +175,14 @@ function DEBUG ($level, $line, $function, $file, $data, $info = '')
 logging::debug($level, $line, $function, $file, $data, $info);
 }
 
+/*!
+ * \brief Return HTML safe copyright notice
+ */
+function copynotice ()
+{
+ return sprintf(htmlescape(_('%s 2002-%d %sThe FusionDirectory team, %s%s')), '©', date('Y'), '<a href="http://www.fusiondirectory.org">', FD_VERSION,'</a>');
+}
+
 /*!
 * \brief Return themed path for specified base file
 *
diff --git a/include/login/class_LoginMethod.inc b/include/login/class_LoginMethod.inc
index ae7eafa4b..31b969f21 100644
--- a/include/login/class_LoginMethod.inc
+++ b/include/login/class_LoginMethod.inc
@@ -202,19 +202,19 @@ class LoginMethod
 try {
 $method::loginProcess();
 } catch (Exception $e) {
- $display = '<h1>'._('An unrecoverable error occurred. Please contact your administator.').'</h1><p>';
+ $display = '<h1>'.htmlescape(_('An unrecoverable error occurred. Please contact your administator.')).'</h1><p>';
 if (ini_get('display_errors') == 1) {
 $display .= nl2br(htmlescape((string)$e));
 } else {
 $display .= 'Error detail display is turned off.';
 }
 $display .= '</p>'."\n";
- $smarty->assign('headline', _('Fatal error!'));
+ $smarty->assign('headline', _('Fatal error!'));
 $smarty->assign('headline_image', 'geticon.php?context=status&icon=dialog-error&size=32');
- $smarty->assign('usePrototype', 'false');
- $smarty->assign('date', date('l, dS F Y H:i:s O'));
- $smarty->assign('lang', preg_replace('/_.*$/', '', $lang));
- $smarty->assign('rtl', Language::isRTL($lang));
+ $smarty->assign('usePrototype', 'false');
+ $smarty->assign('date', date('l, dS F Y H:i:s O'));
+ $smarty->assign('lang', preg_replace('/_.*$/', '', $lang));
+ $smarty->assign('rtl', Language::isRTL($lang));
 
 $smarty->display(get_template_path('headers.tpl'));
 echo $display;
diff --git a/include/login/class_LoginPost.inc b/include/login/class_LoginPost.inc
index ab35b6a61..a90d33138 100644
--- a/include/login/class_LoginPost.inc
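Review bot: copynotice() escapes the translated format but passes `FD_VERSION` through raw — the only sprintf argument in the function that is neither a literal nor escaped. It is a build-time constant, so this is a consistency point rather than a live injection, but a helper whose docblock says "HTML safe" should not depend on how that constant happens to be defined. Use `htmlescape(FD_VERSION)` as the argument, and add the `: string` return type that htmlescape() in this same commit already declares: `function copynotice (): string`.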
+++ b/include/login/class_LoginPost.inc
@@ -114,8 +114,7 @@ class LoginPost extends LoginMethod
 }
 $smarty->assign('date', gmdate('D, d M Y H:i:s'));
 $smarty->assign('username', $username);
- $smarty->assign('revision', FD_VERSION);
- $smarty->assign('year', date('Y'));
+ $smarty->assign('copynotice', copynotice());
 
 $smarty->append('css_files', get_template_path('login.css'));
 $smarty->assign('title', _('Sign in'));
@@ -127,7 +126,7 @@ class LoginPost extends LoginMethod
 /* Display SSL mode warning? */
 if (($ssl != '') && ($config->get_cfg_value('warnSSL') == 'TRUE')) {
- $smarty->assign('ssl', sprintf(_('Warning: <a href="%s">Session is not encrypted!</a>'), $ssl));
+ $smarty->assign('ssl', sprintf(htmlescape(_('Warning: %sSession is not encrypted!%s')), '<a href="'.$ssl.'">', '</a>'));
 } else {
 $smarty->assign('ssl', '');
 }
 
@@ -187,8 +186,7 @@ class LoginPost extends LoginMethod
 }
 $smarty->assign('date', gmdate('D, d M Y H:i:s'));
 $smarty->assign('username', $username);
- $smarty->assign('revision', FD_VERSION);
- $smarty->assign('year', date('Y'));
+ $smarty->assign('copynotice', copynotice());
 
 $smarty->append('css_files', get_template_path('login.css'));
 $smarty->assign('title', _('Second factor'));
diff --git a/include/php_setup.inc b/include/php_setup.inc
index bb9193bdd..a86652a11 100644
--- a/include/php_setup.inc
+++ b/include/php_setup.inc
@@ -31,7 +31,7 @@ require_once('class_URL.inc');
 */
 function htmlescape (string $str): string
 {
- return htmlentities($str, ENT_COMPAT | ENT_HTML5, 'UTF-8');
+ return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
 }
 
 /*!
@@ -39,7 +39,7 @@ function htmlescape (string $str): string
 */
 function htmlunescape (string $html): string
 {
- return html_entity_decode($html, ENT_COMPAT | ENT_HTML5, 'UTF-8');
+ return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
 }
 
 function html_trace ($errstr = "")
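Review bot: `$ssl` is inserted into the `href` attribute unescaped in the new assign line of the `warnSSL` hunk; the `$ssl != ''` test on the context line above only checks for emptiness. If `$ssl` is built from request values (its construction is earlier in the method, outside the hunk), this is an attribute injection on the login page, which is the one page an unauthenticated user can always reach. `'<a href="'.htmlescape($ssl).'">'` fixes it, mirroring the same change needed in class_standAlonePage.inc.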
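Review bot: The new htmlescape() passes explicit flags without ENT_SUBSTITUTE, and htmlspecialchars() returns an empty string for input that is not valid UTF-8 unless ENT_SUBSTITUTE or ENT_IGNORE is set (the PHP 8.1 default that adds ENT_SUBSTITUTE does not apply once flags are given explicitly). Since this commit routes LDAP-derived values — DNs, server error strings, object names — through htmlescape(), one stray byte would silently blank an error dialog rather than display it. Use `return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');` so invalid sequences become U+FFFD instead. The move to ENT_QUOTES is the right call: output is now also safe inside single-quoted attributes.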
diff --git a/plugins/admin/departments/class_department.inc b/plugins/admin/departments/class_department.inc
index 25fed2e6d..777b69529 100644
--- a/plugins/admin/departments/class_department.inc
+++ b/plugins/admin/departments/class_department.inc
@@ -169,7 +169,7 @@ class department extends simplePlugin
 if (($namingAttr == 'ou') && tests::is_department_name_reserved($this->$namingAttr)) {
 $errors[] = new SimplePluginCheckError(
 $this,
- htmlescape(msgPool::reserved(_('Name')))
+ msgPool::reserved(_('Name'))
 );
 }
 
diff --git a/plugins/generic/welcome/main.inc b/plugins/generic/welcome/main.inc
index b623df5a8..72ca1db7f 100644
--- a/plugins/generic/welcome/main.inc
+++ b/plugins/generic/welcome/main.inc
@@ -20,11 +20,10 @@
 */
 
 if (!$cleanup) {
- $smarty->assign('iconmenu', $plist->show_iconmenu());
- $smarty->assign('headline', sprintf(_('Welcome %s!'), $ui->cn));
+ $smarty->assign('iconmenu', $plist->show_iconmenu());
+ $smarty->assign('headline', sprintf(_('Welcome %s!'), $ui->cn));
 $smarty->assign('headline_image', 'geticon.php?context=applications&icon=config-welcome&size=48');
- $smarty->assign('year', date('Y'));
- $smarty->assign('revision', FD_VERSION);
+ $smarty->assign('copynotice', copynotice());
 
 $display = $smarty->fetch(get_template_path('welcome.tpl', TRUE));
 }
-- 
GitLab
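Review bot: In the welcome/main.inc hunk `$ui->cn` is interpolated into `headline` via sprintf() with no htmlescape() on the re-aligned assign line; it comes from the logged-in user's LDAP entry, which an administrator or a self-service edit can set to contain `<` or `"`. Whether this matters depends on welcome.tpl applying `|escape` to `$headline`, which is not visible here — class_LoginMethod.inc in this same commit also assigns a raw translated string to `headline`, which suggests the template is expected to escape it. If the template prints it raw, change the line to `$smarty->assign('headline', htmlescape(sprintf(_('Welcome %s!'), $ui->cn)));`; if it escapes, leave the line and record that contract in a comment beside it so the next escaping sweep does not double-escape.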