From 5a80f36ef107dd0ce289898c2322620800a33768 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20Fr=F6hlich?=
Date: Mon, 10 Feb 2014 21:22:02 +0100
Subject: [PATCH] Added missing parameters to htmlspecialchars
---
 collect_question.php | 18 ++++++++++++------
 functions/UploadResults.pl | 4 ++--
 topic.php | 16 +++++++++++-----
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/collect_question.php b/collect_question.php
index 348d4a1..8c7698e 100755
--- a/collect_question.php
+++ b/collect_question.php
@@ -14,6 +14,12 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 // Überprüfung auf String / Wertzuweisung
 $action=''; if(isset($_GET['action'])) $action=strval($_GET['action']);
+ // Fetch encoding from session, simplifies future switch to utf-8 encoding.
+ $encoding = $_SESSION['_config']['encoding'];
+ if (!$encoding) {
+ $encoding = "iso-8859-1"; // Backwards compatibility
+ }
+
 // Auswahl der gewählten Aktionen
 switch ($action){
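Review bot: `$encoding = $_SESSION['_config']['encoding'];` dereferences a session key that may be absent on a fresh session, so an undefined-index notice is emitted before the `if (!$encoding)` fallback ever runs; `$encoding = empty($_SESSION['_config']['encoding']) ? "iso-8859-1" : $_SESSION['_config']['encoding'];` keeps the same fallback without the notice. The identical five-line block is pasted into topic.php in the hunk at +33, so a small helper in the shared include would keep the two defaults from drifting apart. The comment could also say why the explicit charset became necessary — the default charset of htmlspecialchars changed to UTF-8 in PHP 5.4, the same release that introduced ENT_HTML401 — so a reader knows the extra arguments are a behavioural fix and not cosmetic. The enclosing admin-only `if` block starts and ends outside the hunk.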
@@ -23,10 +29,10 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 // Wertzuweisung
 $_SESSION ['values']['question']['t_id']=0; if($_POST["t_id"])$_SESSION ['values']['question']['t_id'] =abs(intval($_REQUEST["t_id"])); $_SESSION ['values']['question']['qt']=0;if($_POST["qt"])$_SESSION ['values']['question']['qt'] =abs(intval($_REQUEST["qt"]));
- $_SESSION ['values']['question']['questionText']=''; if($_POST["questionText"])$_SESSION ['values']['question']['questionText']= htmlspecialchars($_REQUEST["questionText"]); // Umwandlung von Sonderzeichen in HTML-Code
- $new=""; if($_REQUEST["new"])$new= htmlspecialchars($_POST["new"]); // Umwandlung von Sonderzeichen in HTML-Code
+ $_SESSION ['values']['question']['questionText']=''; if($_POST["questionText"])$_SESSION ['values']['question']['questionText']= htmlspecialchars($_REQUEST["questionText"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
+ $new=""; if($_REQUEST["new"])$new= htmlspecialchars($_POST["new"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
 $_SESSION ['values']['question']['description']=0; if($_POST["description"])$_SESSION ['values']['question']['description']=abs(intval($_POST["description"]));
- $_SESSION ['values']['question']['descriptionText']="";if($_POST["descriptionText"])$_SESSION ['values']['question']['descriptionText']=htmlspecialchars($_POST["descriptionText"]);
+ $_SESSION ['values']['question']['descriptionText']="";if($_POST["descriptionText"])$_SESSION ['values']['question']['descriptionText']=htmlspecialchars($_POST["descriptionText"], ENT_COMPAT | ENT_HTML401, $encoding);
 // Session Variable setzen
 $_SESSION ['values']['question']['new']=1;
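Review bot: The rewritten `questionText` line guards on `$_POST["questionText"]` but escapes `$_REQUEST["questionText"]`, and the `$new` line does the reverse (`$_REQUEST["new"]` guard, `$_POST["new"]` value), so the value that is checked is not necessarily the value that is stored; since both lines are being rewritten anyway, use one superglobal with an `isset()` guard as the other hunks do, e.g. `if(isset($_POST["questionText"])) $_SESSION ['values']['question']['questionText']= htmlspecialchars($_POST["questionText"], ENT_COMPAT | ENT_HTML401, $encoding);` (the bare truthiness test also raises an undefined-index notice when the field is absent and discards a legitimate "0"). Separately, every new call in this commit passes ENT_COMPAT, which leaves single quotes unescaped; unless it is certain these strings are only ever emitted as element text or inside double-quoted attributes, `ENT_QUOTES | ENT_HTML401` is the safer default — this applies equally to the hunk at +130 and to topic.php at +51, +163 and +240. The enclosing switch case starts and ends outside the hunk.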
@@ -124,9 +130,9 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 // Wertzuweisung
 $qt_id=0; if(isset($_GET['qt_id'])) $qt_id=abs(intval($_GET['qt_id']));
- $error=""; if(isset($_GET["error"])) $error= htmlspecialchars($_GET["error"]); // Umwandlung von Sonderzeichen in HTML-Code
- $new=""; if(isset($_GET['new'])) $new=htmlspecialchars($_GET['new']);
- $questionText=""; if(isset($_REQUEST["questionText"])) $questionText= htmlspecialchars($_REQUEST["questionText"]);
+ $error=""; if(isset($_GET["error"])) $error= htmlspecialchars($_GET["error"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
+ $new=""; if(isset($_GET['new'])) $new=htmlspecialchars($_GET['new'], ENT_COMPAT | ENT_HTML401, $encoding);
+ $questionText=""; if(isset($_REQUEST["questionText"])) $questionText= htmlspecialchars($_REQUEST["questionText"], ENT_COMPAT | ENT_HTML401, $encoding);
 // Sessionvariable setzen
 $_SESSION['values']['error']=$error;
diff --git a/functions/UploadResults.pl b/functions/UploadResults.pl
index d24c0db..d760f8e 100755
--- a/functions/UploadResults.pl
+++ b/functions/UploadResults.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
 use Socket;
 use Net::SSLeay qw(die_now die_if_ssl_error) ;
 use DBI;
@@ -8,7 +8,7 @@ my $KeyFile = "key_200808.pem";
 my $CAfile = "CAcert_roots.pem";
 my $TargetHost="secure.cacert.org";
 my $TargetScript="cats/cats_import.php";
-my $ConnectInc="/home/cats/public_html/includes/db_connect.inc";
+my $ConnectInc="/var/www/cats1.it-sls.de/training/public/includes/db_connect.inc";
 sub url_encode($) {
diff --git a/topic.php b/topic.php
index a7e9416..b4839ab 100755
--- a/topic.php
+++ b/topic.php
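Review bot: `my $ConnectInc="/var/www/cats1.it-sls.de/training/public/includes/db_connect.inc";` hard-codes a host-specific absolute path (including a hostname) into a tracked script, so every other deployment has to patch the file, and the change is unrelated to the htmlspecialchars fix the subject line describes and would be easier to audit as its own commit. Prefer taking the location from an environment variable or a config file kept outside the repository and keeping the path only as a fallback, e.g. `my $ConnectInc = $ENV{CATS_DB_CONNECT_INC} // "/var/www/cats1.it-sls.de/training/public/includes/db_connect.inc";` (variable name illustrative; `//` needs perl 5.10+). The context line `sub url_encode($) {` uses a prototype on a plain function, which alters parsing rather than validating arguments; that predates the commit, but `sub url_encode { my ($s) = @_; ... }` is the idiom. The shebang change in the first hunk is a reasonable portability fix; the rest of the script, including where `$ConnectInc` is consumed, is outside the hunk.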
@@ -33,7 +33,13 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 } else {
 $site="site=topic&action=getQuestions&t_id=$t_id";
 }
-
+
+ // Fetch encoding from session, simplifies future switch to utf-8 encoding.
+ $encoding = $_SESSION['_config']['encoding'];
+ if (!$encoding) {
+ $encoding = "iso-8859-1"; // Backwards compatibility
+ }
+
 // Löschen der Session Variable
 if (isset($_SESSION['values']['question']['new'])) unset($_SESSION['values']['question']['new']);
@@ -45,7 +51,7 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 // Wertzuweisung
 $questPerQuiz=0; if(isset($_REQUEST["questPerQuiz"]))$questPerQuiz =abs(intval($_REQUEST["questPerQuiz"])); $rawToPass=0; if(isset($_REQUEST["rawToPass"]))$rawToPass =abs(intval($_REQUEST["rawToPass"]));
- $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"]); // Umwandlung von Sonderzeichen in HTML-Code
+ $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
 $topics->setTopicName($name); $checkNum=$topics->setNumOfQu($questPerQuiz);
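Review bot: The new `$name` line HTML-escapes the topic name before `$topics->setTopicName($name)` on the following context line, so if setTopicName persists the value, the stored name carries HTML entities and any non-HTML consumer reads them literally (a constructed example: `AT&T` is stored as `AT&amp;T`), and it is double-encoded if a template later escapes on output as well. That is the pre-existing design rather than something this commit introduces, but with the call sites being rewritten it is the moment to record it: escaping at the output boundary (the template or echo) is the usual remedy, and the `// Umwandlung von Sonderzeichen in HTML-Code` comment would move there with it. I cannot see setTopicName from here, so treat the persistence part as an assumption to confirm. The enclosing switch case starts and ends outside the hunk.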
@@ -157,8 +163,8 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 case 'updateQuestion': { // Question updaten
 // Wertzuweisung
- $questionText=""; if(isset($_REQUEST["question"]))$questionText= htmlspecialchars($_REQUEST["question"]);
- $descriptionText=""; if(isset($_REQUEST["descriptionText"]))$descriptionText= htmlspecialchars($_REQUEST["descriptionText"]);
+ $questionText=""; if(isset($_REQUEST["question"]))$questionText= htmlspecialchars($_REQUEST["question"], ENT_COMPAT | ENT_HTML401, $encoding);
+ $descriptionText=""; if(isset($_REQUEST["descriptionText"]))$descriptionText= htmlspecialchars($_REQUEST["descriptionText"], ENT_COMPAT | ENT_HTML401, $encoding);
 $description=0; if(isset($_REQUEST["description"]))$description=$_REQUEST["description"]; $question->setID($q_id);
@@ -234,7 +240,7 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 case 'updateTopic':{ // Topic updaten
 //Wertzuweisung
- $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"]);
+ $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"], ENT_COMPAT | ENT_HTML401, $encoding);
 $numofQuiz=0; if(isset($_REQUEST["questPerQuiz"]))$numOfQuiz =abs(intval($_REQUEST["questPerQuiz"])); $rawToPass=0; if(isset($_REQUEST["rawToPass"])) $rawToPass =abs(intval($_REQUEST["rawToPass"]));
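Review bot: `htmlspecialchars($_REQUEST["question"], ENT_COMPAT | ENT_HTML401, $encoding)` and its sibling on the next line are the same three-argument call now repeated at ten sites across both PHP files; a single wrapper in the shared include, e.g. `function escape_html($s, $encoding) { return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, $encoding); }` (name illustrative), would make the flags and charset a one-line change later. That matters for the UTF-8 switch the new comments announce: with ISO-8859-1 every byte sequence is valid, but once `$encoding` is UTF-8, htmlspecialchars returns an empty string for input containing invalid byte sequences unless `ENT_SUBSTITUTE` is added, which would silently blank a question on save. The adjacent context line `$description=$_REQUEST["description"];` stores the raw request value while its neighbours are sanitised; that predates the commit, and presumably `abs(intval(...))` was intended, as collect_question.php does for the same field — worth confirming. This note reviews the `updateQuestion` hunk, whose case block ends outside it; the `updateTopic` hunk may continue past the end of the visible patch.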