Ticket #57: ticket-57 v1.diff

File ticket-57 v1.diff, 3.0 kB (added by ChristianB, 1 year ago)

This patch will encode all umlauts and other strange characters within the team name, team description and user name into proper HTML entities. Users and teams with such strange characters in their names should edit their names after this patch has been applied to their project.

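--- a/html/inc/db.inc
+++ b/html/inc/db.inc
@@ -172,4 +172,12 @@
     return $str;
 }
 
-?>
+// Convert to entities, while preserving already-encoded entities.
+// Do NOT use if $str contains valid HTML tags.
+function boinc_htmlentities($str) {
+    $str = html_entity_decode($str, ENT_COMPAT, "UTF-8");
+    $str = htmlentities($str, ENT_COMPAT, "UTF-8");
+    return $str;
+
+
+?>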
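Review bot: `boinc_htmlentities` encodes with `ENT_COMPAT`, which converts double quotes but leaves single quotes untouched, so a `'` in a stored name or description survives verbatim into whatever context later prints it; since this helper is meant to be applied at input time to values whose output contexts are not all visible here, `$str = htmlentities($str, ENT_QUOTES, "UTF-8");` is the safer flag. The decode-then-encode round trip deliberately collapses text a user typed that merely looks like an entity (a literal `&lt;` becomes `<` on display), which is fine if intended but deserves a comment; `htmlentities` also takes a `double_encode` argument that preserves existing entities without the decode step, if the project's minimum PHP version allows it. Separately, the rendered view shows new line 181 as empty where the function's closing `}` should be, most likely a rendering artifact, but worth confirming against the actual patch file.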
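--- a/html/user/edit_user_info_action.php
+++ b/html/user/edit_user_info_action.php
@@ -8,7 +8,7 @@
 db_init();
 $user = get_logged_in_user();
 
-$name = process_user_text(post_str("user_name"));
+$name =  boinc_htmlentities(process_user_text(post_str("user_name")));
 if ($name != strip_tags($name)) {
     error_page("HTML tags not allowed in name");
 }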
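Review bot: Encoding `$name` on new line 11 turns the tag check on line 12 into dead code: after `htmlentities` the string contains no `<` or `>`, so `strip_tags($name)` always equals `$name` and `error_page("HTML tags not allowed in name")` can no longer fire. If rejecting tagged names is still the intent, keep the check on the raw value and encode afterwards: `$name = process_user_text(post_str("user_name"));` on line 11, then `$name = boinc_htmlentities($name);` after the closing `}` of the `if`. If silently encoding tags is the new intent, the check and its error message should be removed rather than left in place where they read as an enforced rule.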
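--- a/html/user/team_create_action.php
+++ b/html/user/team_create_action.php
@@ -8,7 +8,7 @@
 
 $user = get_logged_in_user();
 
-$name = process_user_text(strip_tags(post_str("name"))); 
+$name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
 if (strlen($name) == 0) {
     error_page("Must set team name");
 }
@@ -17,13 +17,13 @@
 if (strstr($url, "http://")) {
     $url = substr($url, 7);
 }
-$type = process_user_text(strip_tags(post_str("type", true))); 
+$type = process_user_text(strip_tags(post_str("type", true)));
 if (!is_valid_team_type($type)) {
     $type = 'None';
 }
 
 $name_html = process_user_text(post_str("name_html", true));
-$description = process_user_text(post_str("description", true));
+$description = boinc_htmlentities(process_user_text(post_str("description", true)));
 $country = process_user_text(post_str("country", true));
 
 if (!is_valid_country($country)) {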
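Review bot: `$description` on new line 26 is passed through `boinc_htmlentities` without a `strip_tags` pass, although the helper's own header comment says it must not be used on text containing valid HTML tags; any markup a user enters in a description is now stored entity-encoded and will display literally, which may well be the intent but should be stated next to the line, e.g. `// descriptions are plain text: any markup is shown literally, not rendered`. Note also that `$name_html` on line 25 is still stored raw while `$name` on line 11 is now encoded, so the two stored representations of the team name no longer agree in encoding; if that is deliberate a short comment there would prevent the next reader from "fixing" it. The change at line 20 is trailing-whitespace only.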
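--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@@ -18,10 +18,10 @@
     if ($x) {
         $team_url = substr($team_url, 7);
     }
-    $team_name = process_user_text(strip_tags(post_str("name")));
+    $team_name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
     $team_name_lc = strtolower($team_name);
     $team_name_html = process_user_text(post_str("name_html", true)); //Do we really not want to
-    $team_description = process_user_text(post_str("description", true)); //scrub out bad HTML tags?
+    $team_description = boinc_htmlentities(process_user_text(post_str("description", true))); //scrub out bad HTML tags?
         $type = process_user_text(post_str("type", true));
         $country = process_user_text(post_str("country", true));
 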
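Review bot: `$team_name_lc = strtolower($team_name)` on line 22 now lowercases an entity-encoded string, and entity names are case-sensitive (`&Auml;` and `&auml;` denote different characters), so the lowercased value no longer corresponds to the lowercase of the original name and any duplicate-name or lookup logic that keys on it will misbehave for exactly the umlaut names this patch targets. Derive the lowercase form from the raw text instead, e.g. `$raw_name = process_user_text(strip_tags(post_str("name")));`, `$team_name = boinc_htmlentities($raw_name);`, `$team_name_lc = boinc_htmlentities(strtolower($raw_name));`, bearing in mind that `strtolower` is byte-wise and leaves non-ASCII characters unchanged. The consumer of `$team_name_lc` and the block opened by the `if` above line 18 both lie outside this hunk, so the exact lookup semantics should be confirmed there.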
