Enable default conversion of single quotes during HTML entities conversion

This commit is contained in:
Fedor A. Fetisov 2013-09-06 17:08:27 +04:00
parent 441e88dfa9
commit 2532f3bc01
47 changed files with 218 additions and 209 deletions


@ -82,7 +82,7 @@ function post_message($threadid, $kind, $message, $from = null, $agentid = null)
function prepare_html_message($text) function prepare_html_message($text)
{ {
$escaped_text = htmlspecialchars($text); $escaped_text = safe_htmlspecialchars($text);
$text_w_links = preg_replace('/(http|ftp):\/\/\S*/', '<a href="$0" target="_blank">$0</a>', $escaped_text); $text_w_links = preg_replace('/(http|ftp):\/\/\S*/', '<a href="$0" target="_blank">$0</a>', $escaped_text);
$multiline = str_replace("\n", "<br/>", $text_w_links); $multiline = str_replace("\n", "<br/>", $text_w_links);
return $multiline; return $multiline;
@ -95,7 +95,7 @@ function message_to_html($msg)
$message = "<span>" . date("H:i:s", $msg['created']) . "</span> "; $message = "<span>" . date("H:i:s", $msg['created']) . "</span> ";
$kind = $kind_to_string{$msg['ikind']}; $kind = $kind_to_string{$msg['ikind']};
if ($msg['tname']) if ($msg['tname'])
$message .= "<span class=\"n$kind\">" . htmlspecialchars($msg['tname']) . "</span>: "; $message .= "<span class=\"n$kind\">" . safe_htmlspecialchars($msg['tname']) . "</span>: ";
$message .= "<span class=\"m$kind\">" . prepare_html_message($msg['tmessage']) . "</span><br/>"; $message .= "<span class=\"m$kind\">" . prepare_html_message($msg['tmessage']) . "</span><br/>";
return $message; return $message;
} }
@ -166,7 +166,7 @@ function print_thread_messages($thread, $token, $lastid, $isuser, $format, $agen
$output = get_messages($threadid, "xml", $isuser, $lastid); $output = get_messages($threadid, "xml", $isuser, $lastid);
start_xml_output(); start_xml_output();
print("<thread lastid=\"$lastid\" typing=\"" . htmlspecialchars($istyping) . "\" canpost=\"" . (($isuser || $agentid != null && $agentid == $thread['agentId']) ? 1 : 0) . "\">"); print("<thread lastid=\"$lastid\" typing=\"" . safe_htmlspecialchars($istyping) . "\" canpost=\"" . (($isuser || $agentid != null && $agentid == $thread['agentId']) ? 1 : 0) . "\">");
foreach ($output as $msg) { foreach ($output as $msg) {
print $msg; print $msg;
} }
@ -176,13 +176,13 @@ function print_thread_messages($thread, $token, $lastid, $isuser, $format, $agen
$output = get_messages($threadid, "html", $isuser, $lastid); $output = get_messages($threadid, "html", $isuser, $lastid);
start_html_output(); start_html_output();
$url = "$webimroot/thread.php?act=refresh&amp;thread=" . htmlspecialchars($threadid) . "&amp;token=" . htmlspecialchars($token) . "&amp;html=on&amp;user=" . ($isuser ? "true" : "false"); $url = "$webimroot/thread.php?act=refresh&amp;thread=" . safe_htmlspecialchars($threadid) . "&amp;token=" . safe_htmlspecialchars($token) . "&amp;html=on&amp;user=" . ($isuser ? "true" : "false");
print( print(
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">" . "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">" .
"<html>\n<head>\n" . "<html>\n<head>\n" .
"<link href=\"$webimroot/styles/default/chat.css\" rel=\"stylesheet\" type=\"text/css\">\n" . "<link href=\"$webimroot/styles/default/chat.css\" rel=\"stylesheet\" type=\"text/css\">\n" .
"<meta http-equiv=\"Refresh\" content=\"" . htmlspecialchars($settings['updatefrequency_oldchat']) . "; URL=$url&amp;sn=11\">\n" . "<meta http-equiv=\"Refresh\" content=\"" . safe_htmlspecialchars($settings['updatefrequency_oldchat']) . "; URL=$url&amp;sn=11\">\n" .
"<meta http-equiv=\"Pragma\" content=\"no-cache\">\n" . "<meta http-equiv=\"Pragma\" content=\"no-cache\">\n" .
"<title>chat</title>\n" . "<title>chat</title>\n" .
"</head>\n" . "</head>\n" .
@ -290,9 +290,9 @@ function setup_logo()
{ {
global $page, $settings; global $page, $settings;
loadsettings(); loadsettings();
$page['ct.company.name'] = htmlspecialchars(topage($settings['title'])); $page['ct.company.name'] = safe_htmlspecialchars(topage($settings['title']));
$page['ct.company.chatLogoURL'] = htmlspecialchars(topage($settings['logo'])); $page['ct.company.chatLogoURL'] = safe_htmlspecialchars(topage($settings['logo']));
$page['webimHost'] = htmlspecialchars(topage($settings['hosturl'])); $page['webimHost'] = safe_htmlspecialchars(topage($settings['hosturl']));
} }
function setup_leavemessage($name, $email, $message, $groupid, $groupname, $info, $referrer, $canshowcaptcha) function setup_leavemessage($name, $email, $message, $groupid, $groupname, $info, $referrer, $canshowcaptcha)
@ -337,7 +337,7 @@ function setup_survey($name, $email, $groupid, $info, $referrer, $canshowcaptcha
$groupname .= " (offline)"; $groupname .= " (offline)";
} }
$isselected = $k['groupid'] == $groupid; $isselected = $k['groupid'] == $groupid;
$val .= "<option value=\"" . htmlspecialchars($k['groupid']) . "\"" . ($isselected ? " selected=\"selected\"" : "") . ">" . htmlspecialchars($groupname) . "</option>"; $val .= "<option value=\"" . safe_htmlspecialchars($k['groupid']) . "\"" . ($isselected ? " selected=\"selected\"" : "") . ">" . safe_htmlspecialchars($groupname) . "</option>";
} }
$page['groups'] = $val; $page['groups'] = $val;
} }
@ -359,11 +359,11 @@ function setup_chatview_for_user($thread, $level)
$page['displ1'] = $nameisset ? "none" : "inline"; $page['displ1'] = $nameisset ? "none" : "inline";
$page['displ2'] = $nameisset ? "inline" : "none"; $page['displ2'] = $nameisset ? "inline" : "none";
$page['level'] = $level; $page['level'] = $level;
$page['ct.chatThreadId'] = htmlspecialchars($thread['threadid']); $page['ct.chatThreadId'] = safe_htmlspecialchars($thread['threadid']);
$page['ct.token'] = htmlspecialchars($thread['ltoken']); $page['ct.token'] = safe_htmlspecialchars($thread['ltoken']);
$page['ct.user.name'] = htmlspecialchars(topage($thread['userName'])); $page['ct.user.name'] = safe_htmlspecialchars(topage($thread['userName']));
$page['canChangeName'] = $settings['usercanchangename'] == "1"; $page['canChangeName'] = $settings['usercanchangename'] == "1";
$page['chat.title'] = htmlspecialchars(topage($settings['chattitle'])); $page['chat.title'] = safe_htmlspecialchars(topage($settings['chattitle']));
setup_logo(); setup_logo();
if ($settings['sendmessagekey'] == 'enter') { if ($settings['sendmessagekey'] == 'enter') {
@ -375,10 +375,10 @@ function setup_chatview_for_user($thread, $level)
} }
$params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken']; $params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken'];
$page['mailLink'] = htmlspecialchars("$webimroot/client.php?" . $params . "&level=$level&act=mailthread"); $page['mailLink'] = safe_htmlspecialchars("$webimroot/client.php?" . $params . "&level=$level&act=mailthread");
if ($settings['enablessl'] == "1" && !is_secure_request()) { if ($settings['enablessl'] == "1" && !is_secure_request()) {
$page['sslLink'] = htmlspecialchars(get_app_location(true, true) . "/client.php?" . $params . "&level=$level"); $page['sslLink'] = safe_htmlspecialchars(get_app_location(true, true) . "/client.php?" . $params . "&level=$level");
} }
$page['isOpera95'] = is_agent_opera95(); $page['isOpera95'] = is_agent_opera95();
@ -420,10 +420,10 @@ function setup_chatview_for_operator($thread, $operator)
$page['agent'] = true; $page['agent'] = true;
$page['user'] = false; $page['user'] = false;
$page['canpost'] = $thread['agentId'] == $operator['operatorid']; $page['canpost'] = $thread['agentId'] == $operator['operatorid'];
$page['ct.chatThreadId'] = htmlspecialchars($thread['threadid']); $page['ct.chatThreadId'] = safe_htmlspecialchars($thread['threadid']);
$page['ct.token'] = htmlspecialchars($thread['ltoken']); $page['ct.token'] = safe_htmlspecialchars($thread['ltoken']);
$page['ct.user.name'] = htmlspecialchars(topage(get_user_name($thread['userName'], $thread['remote'], $thread['userid']))); $page['ct.user.name'] = safe_htmlspecialchars(topage(get_user_name($thread['userName'], $thread['remote'], $thread['userid'])));
$page['chat.title'] = htmlspecialchars(topage($settings['chattitle'])); $page['chat.title'] = safe_htmlspecialchars(topage($settings['chattitle']));
setup_logo(); setup_logo();
if ($settings['sendmessagekey'] == 'enter') { if ($settings['sendmessagekey'] == 'enter') {
@ -435,20 +435,20 @@ function setup_chatview_for_operator($thread, $operator)
} }
if ($settings['enablessl'] == "1" && !is_secure_request()) { if ($settings['enablessl'] == "1" && !is_secure_request()) {
$page['sslLink'] = htmlspecialchars(get_app_location(true, true) . "/operator/agent.php?thread=" . $thread['threadid'] . "&token=" . $thread['ltoken']); $page['sslLink'] = safe_htmlspecialchars(get_app_location(true, true) . "/operator/agent.php?thread=" . $thread['threadid'] . "&token=" . $thread['ltoken']);
} }
$page['isOpera95'] = is_agent_opera95(); $page['isOpera95'] = is_agent_opera95();
$page['neediframesrc'] = needsFramesrc(); $page['neediframesrc'] = needsFramesrc();
$page['historyParams'] = array("userid" => "" . $thread['userid']); $page['historyParams'] = array("userid" => "" . $thread['userid']);
$page['historyParamsLink'] = htmlspecialchars(add_params($webimroot . "/operator/userhistory.php", $page['historyParams'])); $page['historyParamsLink'] = safe_htmlspecialchars(add_params($webimroot . "/operator/userhistory.php", $page['historyParams']));
$predefinedres = ""; $predefinedres = "";
$canned_messages = load_canned_messages($thread['locale'], $thread['groupid']); $canned_messages = load_canned_messages($thread['locale'], $thread['groupid']);
foreach ($canned_messages as $answer) { foreach ($canned_messages as $answer) {
$predefinedres .= "<option>" . htmlspecialchars(topage($answer['vcvalue'])) . "</option>"; $predefinedres .= "<option>" . safe_htmlspecialchars(topage($answer['vcvalue'])) . "</option>";
} }
$page['predefinedAnswers'] = $predefinedres; $page['predefinedAnswers'] = $predefinedres;
$params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken']; $params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken'];
$page['redirectLink'] = htmlspecialchars("$webimroot/operator/agent.php?" . $params . "&act=redirect"); $page['redirectLink'] = safe_htmlspecialchars("$webimroot/operator/agent.php?" . $params . "&act=redirect");
$page['namePostfix'] = ""; $page['namePostfix'] = "";
$page['frequency'] = $settings['updatefrequency_chat']; $page['frequency'] = $settings['updatefrequency_chat'];
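Review bot: prepare_html_message rewrites every `http`/`ftp` URL in a chat message into `<a href="$0" target="_blank">`, and since the text is escaped before linkification the attribute itself cannot be broken out of, but the opened page keeps `window.opener` and can navigate the viewer's original chat tab. Add the rel attribute to the generated anchor: `'<a href="$0" target="_blank" rel="noopener noreferrer">$0</a>'`. The `\S*` capture also drags trailing punctuation such as `)` into the href, which is a usability rather than a security point. The other functions in this section (message_to_html, print_thread_messages, the setup_* helpers) start or end outside the hunks shown.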


@ -59,7 +59,7 @@ function verifyparam($name, $regexp, $default = null)
if (isset($default)) if (isset($default))
return $default; return $default;
} }
echo "<html><head></head><body>Wrong parameter used or absent: " . htmlspecialchars($name) . "</body></html>"; echo "<html><head></head><body>Wrong parameter used or absent: " . safe_htmlspecialchars($name) . "</body></html>";
exit; exit;
} }
@ -425,7 +425,7 @@ function form_value($key)
{ {
global $page; global $page;
if (isset($page) && isset($page["form$key"])) if (isset($page) && isset($page["form$key"]))
return htmlspecialchars($page["form$key"]); return safe_htmlspecialchars($page["form$key"]);
return ""; return "";
} }
@ -454,7 +454,7 @@ function no_field($key)
function failed_uploading_file($filename, $key) function failed_uploading_file($filename, $key)
{ {
return getlocal2("errors.failed.uploading.file", return getlocal2("errors.failed.uploading.file",
array(htmlspecialchars($filename), getlocal($key))); array(safe_htmlspecialchars($filename), getlocal($key)));
} }
function wrong_field($key) function wrong_field($key)
@ -473,8 +473,8 @@ function get_popup($href, $jshref, $message, $title, $wndName, $options)
function get_image($href, $width, $height) function get_image($href, $width, $height)
{ {
if ($width != 0 && $height != 0) if ($width != 0 && $height != 0)
return "<img src=\"" . htmlspecialchars($href) . "\" border=\"0\" width=\"" . htmlspecialchars($width) . "\" height=\"" . htmlspecialchars($height) . "\" alt=\"\"/>"; return "<img src=\"" . safe_htmlspecialchars($href) . "\" border=\"0\" width=\"" . safe_htmlspecialchars($width) . "\" height=\"" . safe_htmlspecialchars($height) . "\" alt=\"\"/>";
return "<img src=\"" . htmlspecialchars($href) . "\" border=\"0\" alt=\"\"/>"; return "<img src=\"" . safe_htmlspecialchars($href) . "\" border=\"0\" alt=\"\"/>";
} }
function get_gifimage_size($filename) function get_gifimage_size($filename)
@ -780,7 +780,7 @@ function sanitize_string($string, $tags_level = 'high', $attr_level = 'high')
} }
$replacement = '<' . $elements[1][$key] . $new_attributes . '>'; $replacement = '<' . $elements[1][$key] . $new_attributes . '>';
$string = preg_replace( '/' . reg_escape($elements[0][$key]) . '/', $replacement, $string ); $string = preg_replace( '/' . sanitize_reg_escape($elements[0][$key]) . '/', $replacement, $string );
} }
} }
@ -790,7 +790,8 @@ function sanitize_string($string, $tags_level = 'high', $attr_level = 'high')
return $string; return $string;
} }
function reg_escape ($string) { function sanitize_reg_escape($string)
{
$conversions = array( "^" => "\^", $conversions = array( "^" => "\^",
"[" => "\[", "[" => "\[",
@ -812,4 +813,12 @@ function reg_escape ($string) {
return strtr($string, $conversions); return strtr($string, $conversions);
} }
/* wrapper for htmlspecialchars with single quotes conversion enabled
by default */
function safe_htmlspecialchars($string)
{
return htmlspecialchars($string, ENT_QUOTES);
}
?> ?>
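Review bot: safe_htmlspecialchars fixes the quote flag but still leaves the charset to the interpreter default, which changed from ISO-8859-1 to UTF-8 in PHP 5.4, and on 5.4+ htmlspecialchars returns an empty string for input that is not valid in that charset. That matters for call sites in this commit that escape before converting, e.g. `myiconv($webim_encoding, "utf-8", safe_htmlspecialchars(...))` in the operator-list XML, where the bytes are still in `$webim_encoding`. If `$webim_encoding` is defined when this library is loaded (it is read as a global elsewhere in the commit), pass it explicitly: `global $webim_encoding;` followed by `return htmlspecialchars($string, ENT_QUOTES, $webim_encoding);`. Adding `ENT_SUBSTITUTE` would replace invalid sequences instead of blanking the whole string, but only if the deployment floor is PHP 5.4.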


@ -36,9 +36,9 @@ function generate_button($title, $locale, $style, $group, $inner, $showhost, $fo
$link = append_query($link, "group=$group"); $link = append_query($link, "group=$group");
$modsecfix = $modsecurity ? ".replace('http://','').replace('https://','')" : ""; $modsecfix = $modsecurity ? ".replace('http://','').replace('https://','')" : "";
$jslink = htmlspecialchars(append_query("'" . $link, "url='+escape(document.location.href$modsecfix)+'&referrer='+escape(document.referrer$modsecfix)")); $jslink = safe_htmlspecialchars(append_query("'" . $link, "url='+escape(document.location.href$modsecfix)+'&referrer='+escape(document.referrer$modsecfix)"));
$temp = get_popup(htmlspecialchars($link), "$jslink", $temp = get_popup(safe_htmlspecialchars($link), "$jslink",
$inner, htmlspecialchars($title), "webim", "toolbar=0,scrollbars=0,location=0,status=1,menubar=0,width=640,height=480,resizable=1"); $inner, safe_htmlspecialchars($title), "webim", "toolbar=0,scrollbars=0,location=0,status=1,menubar=0,width=640,height=480,resizable=1");
return "<!-- mibew button -->" . $temp . "<!-- / mibew button -->"; return "<!-- mibew button -->" . $temp . "<!-- / mibew button -->";
} }
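Review bot: HTML-escaping `$jslink` covers the attribute context only; `$link` is spliced into a single-quoted JavaScript string (`"'" . $link`) and nothing escapes it for that context, so a `'` or `\` in `$link` would still terminate the JS string once the browser decodes `&#039;` back to a quote, assuming get_popup places `$jslink` in an event-handler attribute. `$link` is assembled from `$group` and friends above the hunk and those are presumably validated, but the JS-string escaping belongs at this line regardless: `$jslink = safe_htmlspecialchars(append_query("'" . str_replace(array("\\", "'"), array("\\\\", "\\'"), $link), "url='+escape(document.location.href$modsecfix)+'&referrer='+escape(document.referrer$modsecfix)"));`. generate_button starts outside the hunk.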


@ -305,8 +305,8 @@ function setup_redirect_links($threadid, $token)
) )
: ""; : "";
$agent_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) . $agent_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) .
"\" title=\"" . htmlspecialchars(topage(get_operator_name($agent))) . "\">" . "\" title=\"" . safe_htmlspecialchars(topage(get_operator_name($agent))) . "\">" .
htmlspecialchars(topage(get_operator_name($agent))) . safe_htmlspecialchars(topage(get_operator_name($agent))) .
"</a> $status</li>"; "</a> $status</li>";
} }
$page['redirectToAgent'] = $agent_list; $page['redirectToAgent'] = $agent_list;
@ -322,8 +322,8 @@ function setup_redirect_links($threadid, $token)
? getlocal("char.redirect.operator.away_suff") ? getlocal("char.redirect.operator.away_suff")
: ""); : "");
$group_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) . $group_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) .
"\" title=\"" . htmlspecialchars(topage(get_group_name($group))) . "\">" . "\" title=\"" . safe_htmlspecialchars(topage(get_group_name($group))) . "\">" .
htmlspecialchars(topage(get_group_name($group))) . safe_htmlspecialchars(topage(get_group_name($group))) .
"</a> $status</li>"; "</a> $status</li>";
} }
} }
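Review bot: in both hunks the `href` is emitted as the raw return of `add_params(...)` while the `title` on the next line is escaped, whereas the same helper's output is wrapped in `safe_htmlspecialchars` when it builds `historyParamsLink` elsewhere in this commit. The redirect parameters are presumably numeric ids and a token, so this is consistency rather than an exploitable gap, but an unescaped `&` in an attribute is also invalid HTML; change both to `"<li><a href=\"" . safe_htmlspecialchars(add_params($webimroot . "/operator/redirect.php", $params)) .`. setup_redirect_links starts and ends outside the hunks.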


@ -23,13 +23,13 @@ function generate_pagination_link($page, $title, $raw = false)
$lnk = $_SERVER['REQUEST_URI']; $lnk = $_SERVER['REQUEST_URI'];
$href = preg_replace("/\?page=\d+\&/", "?", preg_replace("/\&page=\d+/", "", $lnk)); $href = preg_replace("/\?page=\d+\&/", "?", preg_replace("/\&page=\d+/", "", $lnk));
$href .= strstr($href, "?") ? "&page=$page" : "?page=$page"; $href .= strstr($href, "?") ? "&page=$page" : "?page=$page";
return "<a href=\"" . htmlspecialchars($href) . "\" class=\"pagelink\">" . ($raw ? $title : htmlspecialchars($title)) . "</a>"; return "<a href=\"" . safe_htmlspecialchars($href) . "\" class=\"pagelink\">" . ($raw ? $title : safe_htmlspecialchars($title)) . "</a>";
} }
function generate_pagination_image($id, $alt) function generate_pagination_image($id, $alt)
{ {
global $webimroot; global $webimroot;
return "<img src=\"$webimroot/images/$id.gif\" border=\"0\" alt=\"" . htmlspecialchars($alt) . "\"/>"; return "<img src=\"$webimroot/images/$id.gif\" border=\"0\" alt=\"" . safe_htmlspecialchars($alt) . "\"/>";
} }
function prepare_pagination($items_count, $default_items_per_page = 15) function prepare_pagination($items_count, $default_items_per_page = 15)
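Review bot: generate_pagination_link has no comment stating what `$raw` means, and its `$raw ? $title : safe_htmlspecialchars($title)` branch emits `$title` into the page verbatim, so the contract that raw callers pass already-escaped markup is only implicit. I would add `// $raw: the caller supplies pre-escaped HTML for the link text; otherwise it is escaped here` above the function, plus a note that `$href` derives from `$_SERVER['REQUEST_URI']`, which is attacker-influenced, and depends on the escaping on the return line. The function signature sits above the hunk.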


@ -50,9 +50,9 @@ function get_user_addr($addr)
global $settings; global $settings;
if ($settings['geolink'] && preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $addr, $matches)) { if ($settings['geolink'] && preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $addr, $matches)) {
$userip = $matches[1]; $userip = $matches[1];
return get_popup(htmlspecialchars(str_replace("{ip}", $userip, $settings['geolink'])), '', htmlspecialchars($addr), "GeoLocation", htmlspecialchars("ip$userip"), htmlspecialchars($settings['geolinkparams'])); return get_popup(safe_htmlspecialchars(str_replace("{ip}", $userip, $settings['geolink'])), '', safe_htmlspecialchars($addr), "GeoLocation", safe_htmlspecialchars("ip$userip"), safe_htmlspecialchars($settings['geolinkparams']));
} }
return htmlspecialchars($addr); return safe_htmlspecialchars($addr);
} }
?> ?>


@ -54,7 +54,7 @@ if (isset($_POST['address'])) {
if ((!$banId && $existing_ban) || if ((!$banId && $existing_ban) ||
($banId && $existing_ban && $banId != $existing_ban['banid'])) { ($banId && $existing_ban && $banId != $existing_ban['banid'])) {
$errors[] = getlocal2("ban.error.duplicate", array(htmlspecialchars($address), htmlspecialchars($existing_ban['banid']))); $errors[] = getlocal2("ban.error.duplicate", array(safe_htmlspecialchars($address), safe_htmlspecialchars($existing_ban['banid'])));
} }
if (count($errors) == 0) { if (count($errors) == 0) {


@ -30,7 +30,7 @@ $page = array(
'localeLinks' => get_locale_links("$webimroot/operator/index.php"), 'localeLinks' => get_locale_links("$webimroot/operator/index.php"),
'needUpdate' => $settings['dbversion'] != $dbversion, 'needUpdate' => $settings['dbversion'] != $dbversion,
'needChangePassword' => $operator['vcpassword'] == md5(''), 'needChangePassword' => $operator['vcpassword'] == md5(''),
'profilePage' => "$webimroot/operator/operator.php?op=".htmlspecialchars($operator['operatorid']), 'profilePage' => "$webimroot/operator/operator.php?op=".safe_htmlspecialchars($operator['operatorid']),
'updateWizard' => "$webimroot/install/", 'updateWizard' => "$webimroot/install/",
'newFeatures' => $settings['featuresversion'] != $featuresversion, 'newFeatures' => $settings['featuresversion'] != $featuresversion,
'featuresPage' => "$webimroot/operator/features.php", 'featuresPage' => "$webimroot/operator/features.php",
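Review bot: the `needChangePassword` line compares `$operator['vcpassword']` with `md5('')`, which means operator passwords are stored as unsalted MD5 digests and a leaked operators table is directly crackable; the hashing scheme itself lives outside this hunk. The fix is a migration to `password_hash()`/`password_verify()` (or the password_compat polyfill on PHP below 5.5), with the empty-password check becoming `password_verify('', $operator['vcpassword'])`. Until then the comparison should be strict, `$operator['vcpassword'] === md5('')`, since both sides are strings. The `$page` array literal starts above the hunk.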


@ -39,7 +39,7 @@ if (isset($_GET['nextGroup'])) {
$nextGroup = group_by_id($nextid); $nextGroup = group_by_id($nextid);
if ($nextGroup) { if ($nextGroup) {
$page['message'] = getlocal2("chat.redirected.group.content", array(htmlspecialchars(topage(get_group_name($nextGroup))))); $page['message'] = getlocal2("chat.redirected.group.content", array(safe_htmlspecialchars(topage(get_group_name($nextGroup)))));
if ($thread['istate'] == $state_chatting) { if ($thread['istate'] == $state_chatting) {
$link = connect(); $link = connect();
commit_thread($threadid, commit_thread($threadid,
@ -60,7 +60,7 @@ if (isset($_GET['nextGroup'])) {
$nextOperator = operator_by_id($nextid); $nextOperator = operator_by_id($nextid);
if ($nextOperator) { if ($nextOperator) {
$page['message'] = getlocal2("chat.redirected.content", array(htmlspecialchars(topage(get_operator_name($nextOperator))))); $page['message'] = getlocal2("chat.redirected.content", array(safe_htmlspecialchars(topage(get_operator_name($nextOperator)))));
if ($thread['istate'] == $state_chatting) { if ($thread['istate'] == $state_chatting) {
$link = connect(); $link = connect();
$threadupdate = array("istate" => $state_waiting, "nextagent" => $nextid, "agentId" => 0); $threadupdate = array("istate" => $state_waiting, "nextagent" => $nextid, "agentId" => 0);
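Review bot: `$nextid` is written into the thread update (`"nextagent" => $nextid`) and passed to `group_by_id`/`operator_by_id`, but where it is read from the request and whether it is validated is not visible in this hunk; the enclosing branch only checks `isset($_GET['nextGroup'])`. If it is not already passed through verifyparam with a numeric pattern, cast it where it reaches the database: `"nextagent" => (int)$nextid`. The surrounding redirect handling continues outside both hunks.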


@ -69,7 +69,7 @@ if (isset($_POST['email']) && isset($_POST['title']) && isset($_POST['logo'])) {
if ($params['geolinkparams']) { if ($params['geolinkparams']) {
foreach (preg_split("/,/", $params['geolinkparams']) as $oneparam) { foreach (preg_split("/,/", $params['geolinkparams']) as $oneparam) {
if (!preg_match("/^\s*(toolbar|scrollbars|location|status|menubar|width|height|resizable)=\d{1,4}$/", $oneparam)) { if (!preg_match("/^\s*(toolbar|scrollbars|location|status|menubar|width|height|resizable)=\d{1,4}$/", $oneparam)) {
$errors[] = "Wrong link parameter: \"" . htmlspecialchars($oneparam) . "\", should be one of 'toolbar, scrollbars, location, status, menubar, width, height or resizable'"; $errors[] = "Wrong link parameter: \"" . safe_htmlspecialchars($oneparam) . "\", should be one of 'toolbar, scrollbars, location, status, menubar, width, height or resizable'";
} }
} }
} }
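Review bot: the `geolinkparams` validation anchors with `$`, which in PCRE also matches before a trailing newline, so a value like `width=640\n` passes even though the leading `\s*` shows only leading whitespace was meant to be tolerated. Use `\z` and trim the item before matching: `if (!preg_match("/^\s*(toolbar|scrollbars|location|status|menubar|width|height|resizable)=\d{1,4}\z/", trim($oneparam))) {`. The accepted string is later handed to the popup options, so keeping it to the intended grammar is worth the two-character change. The settings handler starts outside the hunk.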


@ -189,9 +189,9 @@ if ($show == 's1') {
foreach ($allkeys as $key) { foreach ($allkeys as $key) {
if ($key != 'output_charset') { if ($key != 'output_charset') {
$tsource = htmlspecialchars($lang1[$key]); $tsource = safe_htmlspecialchars($lang1[$key]);
if (isset($lang2[$key])) { if (isset($lang2[$key])) {
$value = htmlspecialchars($lang2[$key]); $value = safe_htmlspecialchars($lang2[$key]);
if (get_auxiliary($lang2[$key]) != get_auxiliary($lang1[$key])) { if (get_auxiliary($lang2[$key]) != get_auxiliary($lang1[$key])) {
$value = "<font color=\"#6030c1\"><b>$value</b></font> <strong>(wrong formatting)</strong>"; $value = "<font color=\"#6030c1\"><b>$value</b></font> <strong>(wrong formatting)</strong>";
} }


@ -24,7 +24,7 @@ require_once('../libs/groups.php');
$operator = get_logged_in(); $operator = get_logged_in();
if (!$operator) { if (!$operator) {
start_xml_output(); start_xml_output();
echo "<error><descr>" . htmlspecialchars(htmlspecialchars(myiconv($webim_encoding, "utf-8", escape_with_cdata(getstring("agent.not_logged_in"))))) . "</descr></error>"; echo "<error><descr>" . safe_htmlspecialchars(safe_htmlspecialchars(myiconv($webim_encoding, "utf-8", escape_with_cdata(getstring("agent.not_logged_in"))))) . "</descr></error>";
exit; exit;
} }
@ -51,7 +51,7 @@ function thread_to_xml($thread, $link)
$webim_encoding, $operator, $settings, $webim_encoding, $operator, $settings,
$can_viewthreads, $can_takeover, $mysqlprefix; $can_viewthreads, $can_takeover, $mysqlprefix;
$state = $threadstate_to_string[$thread['istate']]; $state = $threadstate_to_string[$thread['istate']];
$result = "<thread id=\"" . htmlspecialchars(htmlspecialchars($thread['threadid'])) . "\" stateid=\"$state\""; $result = "<thread id=\"" . safe_htmlspecialchars(safe_htmlspecialchars($thread['threadid'])) . "\" stateid=\"$state\"";
if ($state == "closed") if ($state == "closed")
return $result . "/>"; return $result . "/>";
@ -77,32 +77,32 @@ $can_viewthreads, $can_takeover, $mysqlprefix;
$banForThread = $settings['enableban'] == "1" ? ban_for_addr_($thread['remote'], $link) : false; $banForThread = $settings['enableban'] == "1" ? ban_for_addr_($thread['remote'], $link) : false;
if ($banForThread) { if ($banForThread) {
$result .= " ban=\"blocked\" banid=\"" . htmlspecialchars(htmlspecialchars($banForThread['banid'])) . "\""; $result .= " ban=\"blocked\" banid=\"" . safe_htmlspecialchars(safe_htmlspecialchars($banForThread['banid'])) . "\"";
} }
$result .= " state=\"$state\" typing=\"" . htmlspecialchars(htmlspecialchars($thread['userTyping'])) . "\">"; $result .= " state=\"$state\" typing=\"" . safe_htmlspecialchars(safe_htmlspecialchars($thread['userTyping'])) . "\">";
$result .= "<name>"; $result .= "<name>";
if ($banForThread) { if ($banForThread) {
$result .= htmlspecialchars(getstring('chat.client.spam.prefix')); $result .= safe_htmlspecialchars(getstring('chat.client.spam.prefix'));
} }
$result .= htmlspecialchars(htmlspecialchars(get_user_name($thread['userName'], $thread['remote'], $thread['userid']))) . "</name>"; $result .= safe_htmlspecialchars(safe_htmlspecialchars(get_user_name($thread['userName'], $thread['remote'], $thread['userid']))) . "</name>";
$result .= "<addr>" . htmlspecialchars(get_user_addr($thread['remote'])) . "</addr>"; $result .= "<addr>" . safe_htmlspecialchars(get_user_addr($thread['remote'])) . "</addr>";
$result .= "<agent>" . htmlspecialchars(htmlspecialchars($threadoperator)) . "</agent>"; $result .= "<agent>" . safe_htmlspecialchars(safe_htmlspecialchars($threadoperator)) . "</agent>";
$result .= "<time>" . htmlspecialchars(htmlspecialchars($thread['unix_timestamp(dtmcreated)'])) . "000</time>"; $result .= "<time>" . safe_htmlspecialchars(safe_htmlspecialchars($thread['unix_timestamp(dtmcreated)'])) . "000</time>";
$result .= "<modified>" . htmlspecialchars(htmlspecialchars($thread['unix_timestamp(dtmmodified)'])) . "000</modified>"; $result .= "<modified>" . safe_htmlspecialchars(safe_htmlspecialchars($thread['unix_timestamp(dtmmodified)'])) . "000</modified>";
if ($banForThread) { if ($banForThread) {
$result .= "<reason>" . htmlspecialchars(htmlspecialchars($banForThread['comment'])) . "</reason>"; $result .= "<reason>" . safe_htmlspecialchars(safe_htmlspecialchars($banForThread['comment'])) . "</reason>";
} }
$userAgent = get_useragent_version($thread['userAgent']); $userAgent = get_useragent_version($thread['userAgent']);
$result .= "<useragent>" . htmlspecialchars(htmlspecialchars($userAgent)) . "</useragent>"; $result .= "<useragent>" . safe_htmlspecialchars(safe_htmlspecialchars($userAgent)) . "</useragent>";
if ($thread["shownmessageid"] != 0) { if ($thread["shownmessageid"] != 0) {
$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . $thread["shownmessageid"]; $query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . $thread["shownmessageid"];
$line = select_one_row($query, $link); $line = select_one_row($query, $link);
if ($line) { if ($line) {
$message = preg_replace("/[\r\n\t]+/", " ", $line["tmessage"]); $message = preg_replace("/[\r\n\t]+/", " ", $line["tmessage"]);
$result .= "<message>" . htmlspecialchars(htmlspecialchars($message)) . "</message>"; $result .= "<message>" . safe_htmlspecialchars(safe_htmlspecialchars($message)) . "</message>";
} }
} }
$result .= "</thread>"; $result .= "</thread>";
@ -156,7 +156,7 @@ function print_operators()
if (!operator_is_online($operator)) if (!operator_is_online($operator))
continue; continue;
$name = myiconv($webim_encoding, "utf-8", htmlspecialchars(htmlspecialchars($operator['vclocalename']))); $name = myiconv($webim_encoding, "utf-8", safe_htmlspecialchars(safe_htmlspecialchars($operator['vclocalename'])));
$away = operator_is_away($operator) ? " away=\"1\"" : ""; $away = operator_is_away($operator) ? " away=\"1\"" : "";
echo "<operator name=\"$name\"$away/>"; echo "<operator name=\"$name\"$away/>";
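Review bot: the `shownmessageid` query concatenates `$thread["shownmessageid"]` straight into SQL; the value comes from the thread row rather than the request, so it is presumably an integer column, but the string build gives no guarantee and a cast costs nothing: `$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . (int)$thread["shownmessageid"];`. Separately, the operator name in print_operators is escaped before `myiconv` converts it to UTF-8, the opposite order from the `agent.not_logged_in` error at the top of the file, so the escaping there runs on `$webim_encoding` bytes under PHP's default charset. thread_to_xml and print_operators both start and end outside the hunks.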


@ -47,7 +47,7 @@ require_once('inc_errors.php');
<?php if( $page['opid'] || $page['canmodify'] ) { ?> <?php if( $page['opid'] || $page['canmodify'] ) { ?>
<form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php"> <form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="opid" value="<?php echo htmlspecialchars($page['opid']) ?>"/> <input type="hidden" name="opid" value="<?php echo safe_htmlspecialchars($page['opid']) ?>"/>
<?php if(!$page['showjabber']) { ?> <?php if(!$page['showjabber']) { ?>
<input type="hidden" name="jabber" value="<?php echo form_value('jabber') ?>"/> <input type="hidden" name="jabber" value="<?php echo form_value('jabber') ?>"/>
<?php if(form_value_cb('jabbernotify')) { ?><input type="hidden" name="jabbernotify" value="on"/><?php } ?> <?php if(form_value_cb('jabbernotify')) { ?><input type="hidden" name="jabbernotify" value="on"/><?php } ?>
@ -133,7 +133,7 @@ require_once('inc_errors.php');
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
<?php } ?> <?php } ?>
</div> </div>


@ -38,7 +38,7 @@ require_once('inc_errors.php');
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<div class="tabletool"> <div class="tabletool">
<img src="<?php echo $webimroot ?>/images/buttons/createagent.gif" border="0" alt="" /> <img src="<?php echo $webimroot ?>/images/buttons/createagent.gif" border="0" alt="" />
<a href="<?php echo $webimroot ?>/operator/operator.php" title="<?php echo htmlspecialchars(getlocal("page_agents.new_agent")) ?>"> <a href="<?php echo $webimroot ?>/operator/operator.php" title="<?php echo safe_htmlspecialchars(getlocal("page_agents.new_agent")) ?>">
<?php echo getlocal("page_agents.new_agent") ?> <?php echo getlocal("page_agents.new_agent") ?>
</a> </a>
</div> </div>
@ -64,12 +64,12 @@ require_once('inc_errors.php');
<?php foreach( $page['allowedAgents'] as $a ) { ?> <?php foreach( $page['allowedAgents'] as $a ) { ?>
<tr> <tr>
<td class="notlast"> <td class="notlast">
<a id="ti<?php echo htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operator.php?op=<?php echo urlencode($a['operatorid']) ?>" class="man"> <a id="ti<?php echo safe_htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operator.php?op=<?php echo urlencode($a['operatorid']) ?>" class="man">
<?php echo htmlspecialchars(topage($a['vclogin'])) ?> <?php echo safe_htmlspecialchars(topage($a['vclogin'])) ?>
</a> </a>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php echo htmlspecialchars(topage($a['vclocalename'])) ?> / <?php echo htmlspecialchars(topage($a['vccommonname'])) ?> <?php echo safe_htmlspecialchars(topage($a['vclocalename'])) ?> / <?php echo safe_htmlspecialchars(topage($a['vccommonname'])) ?>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php if(operator_is_available($a)) { ?> <?php if(operator_is_available($a)) { ?>
@ -82,7 +82,7 @@ require_once('inc_errors.php');
</td> </td>
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<td> <td>
<a class="removelink" id="i<?php echo htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operators.php?act=del&amp;id=<?php echo urlencode($a['operatorid']) ?><?php print_csrf_token_in_url() ?>"> <a class="removelink" id="i<?php echo safe_htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operators.php?act=del&amp;id=<?php echo urlencode($a['operatorid']) ?><?php print_csrf_token_in_url() ?>">
remove remove
</a> </a>
</td> </td>


@ -33,13 +33,13 @@ require_once('inc_errors.php');
<form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data"> <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/> <input type="hidden" name="op" value="<?php echo safe_htmlspecialchars($page['opid']) ?>"/>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<p> <p>
<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b> <b><?php echo safe_htmlspecialchars($page['currentop']) ?>&lrm;</b>
</p> </p>
<div class="fieldForm"> <div class="fieldForm">
@ -48,7 +48,7 @@ require_once('inc_errors.php');
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal('form.field.avatar.current') ?></div> <div class="flabel"><?php echo getlocal('form.field.avatar.current') ?></div>
<div class="fvalue"> <div class="fvalue">
<img src="<?php echo htmlspecialchars($page['avatar']) ?>" alt="cannot load avatar"/><br/> <img src="<?php echo safe_htmlspecialchars($page['avatar']) ?>" alt="cannot load avatar"/><br/>
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<a class="formauth" href="<?php echo $webimroot ?>/operator/avatar.php?op=<?php echo urlencode($page['opid']) ?>&amp;delete=true"> <a class="formauth" href="<?php echo $webimroot ?>/operator/avatar.php?op=<?php echo urlencode($page['opid']) ?>&amp;delete=true">
<?php echo getlocal("page_agent.clear_avatar") ?> <?php echo getlocal("page_agent.clear_avatar") ?>
@ -77,7 +77,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
<?php } ?> <?php } ?>
</div> </div>
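Review bot: In the save button's `src` attribute only the localized image path is escaped while `$webimroot` is concatenated in raw, so the attribute value is half-escaped and the escaping boundary no longer matches the attribute boundary; wrapping the whole value keeps it consistent, `src="<?php echo safe_htmlspecialchars($webimroot . getlocal("image.button.save")) ?>"`. `$webimroot` is presumably a configured install path rather than request input, so this is a consistency point rather than a demonstrable injection, but the same `$webimroot . safe_htmlspecialchars(...)` shape recurs in every form template touched by this commit and would be cheap to fix in one pass. The `<img src="... $page['avatar'] ...">` line above it is escaped as a whole and is the pattern to copy.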


@ -21,7 +21,7 @@ function tpl_content() { global $page, $webimroot, $errors;
?> ?>
<?php if( $page['saved'] ) { ?> <?php if( $page['saved'] ) { ?>
<?php echo getlocal2("page_ban.sent",array(htmlspecialchars($page['address']))) ?> <?php echo getlocal2("page_ban.sent",array(safe_htmlspecialchars($page['address']))) ?>
<script type="text/javascript"><!-- <script type="text/javascript"><!--
setTimeout( (function() { window.close(); }), 1500 ); setTimeout( (function() { window.close(); }), 1500 );
@ -37,15 +37,15 @@ require_once('inc_errors.php');
<?php if( $page['thread'] ) { ?> <?php if( $page['thread'] ) { ?>
<?php echo getlocal2("page_ban.thread",array(htmlspecialchars($page['thread']))) ?><br/> <?php echo getlocal2("page_ban.thread",array(safe_htmlspecialchars($page['thread']))) ?><br/>
<br/> <br/>
<?php } ?> <?php } ?>
<form name="banForm" method="post" action="<?php echo $webimroot ?>/operator/ban.php"> <form name="banForm" method="post" action="<?php echo $webimroot ?>/operator/ban.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="banId" value="<?php echo htmlspecialchars($page['banId']) ?>"/> <input type="hidden" name="banId" value="<?php echo safe_htmlspecialchars($page['banId']) ?>"/>
<?php if( $page['threadid'] ) { ?> <?php if( $page['threadid'] ) { ?>
<input type="hidden" name="threadid" value="<?php echo htmlspecialchars($page['threadid']) ?>"/> <input type="hidden" name="threadid" value="<?php echo safe_htmlspecialchars($page['threadid']) ?>"/>
<?php } ?> <?php } ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
@ -78,7 +78,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>


@ -37,7 +37,7 @@ require_once('inc_errors.php');
<div class="tabletool"> <div class="tabletool">
<img src="<?php echo $webimroot ?>/images/buttons/createban.gif" border="0" alt=""/> <img src="<?php echo $webimroot ?>/images/buttons/createban.gif" border="0" alt=""/>
<a href="<?php echo $webimroot ?>/operator/ban.php" title="<?php echo htmlspecialchars(getlocal("page_bans.add")) ?>"> <a href="<?php echo $webimroot ?>/operator/ban.php" title="<?php echo safe_htmlspecialchars(getlocal("page_bans.add")) ?>">
<?php echo getlocal("page_bans.add") ?> <?php echo getlocal("page_bans.add") ?>
</a> </a>
</div> </div>
@ -64,8 +64,8 @@ if( $page['pagination.items'] ) {
foreach( $page['pagination.items'] as $b ) { ?> foreach( $page['pagination.items'] as $b ) { ?>
<tr> <tr>
<td class="notlast"> <td class="notlast">
<a href="ban.php?id=<?php echo urlencode($b['banid']) ?>" class="man" id="ti<?php echo htmlspecialchars($b['banid']) ?>"> <a href="ban.php?id=<?php echo urlencode($b['banid']) ?>" class="man" id="ti<?php echo safe_htmlspecialchars($b['banid']) ?>">
<?php echo htmlspecialchars($b['address']) ?> <?php echo safe_htmlspecialchars($b['address']) ?>
</a> </a>
</td> </td>
<td class="notlast"> <td class="notlast">
@ -74,14 +74,14 @@ if( $page['pagination.items'] ) {
<td> <td>
<?php <?php
if( strlen(topage($b['comment'])) > 30 ) { if( strlen(topage($b['comment'])) > 30 ) {
echo htmlspecialchars(substr(topage($b['comment']),0,30)); echo safe_htmlspecialchars(substr(topage($b['comment']),0,30));
} else { } else {
echo htmlspecialchars(topage($b['comment'])); echo safe_htmlspecialchars(topage($b['comment']));
} }
?> ?>
</td> </td>
<td> <td>
<a class="removelink" id="i<?php echo htmlspecialchars($b['banid']) ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo urlencode($b['banid']) ?><?php print_csrf_token_in_url() ?>"> <a class="removelink" id="i<?php echo safe_htmlspecialchars($b['banid']) ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo urlencode($b['banid']) ?><?php print_csrf_token_in_url() ?>">
remove remove
</a> </a>
</td> </td>
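Review bot: The comment preview in the `if( strlen(topage($b['comment'])) > 30 )` branch truncates with byte-wise `substr` before escaping, so a multibyte character cut at byte 30 leaves invalid UTF-8 in the string; if `safe_htmlspecialchars` wraps `htmlspecialchars` with a UTF-8 charset and without `ENT_SUBSTITUTE` (its definition is not in this chunk), the whole preview then silently renders as an empty string rather than a clipped one. Truncate by characters instead, assuming `topage()` yields UTF-8: `if( mb_strlen(topage($b['comment']), 'UTF-8') > 30 ) {` and `echo safe_htmlspecialchars(mb_substr(topage($b['comment']), 0, 30, 'UTF-8'));`. Ban comments are operator-entered free text, so non-ASCII input here is routine rather than exotic.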


@ -37,7 +37,7 @@ require_once('inc_errors.php');
<?php echo getlocal("canned.locale") ?><br/> <?php echo getlocal("canned.locale") ?><br/>
<select name="lang" onchange="this.form.submit();"><?php <select name="lang" onchange="this.form.submit();"><?php
foreach($page['locales'] as $k) { foreach($page['locales'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
@ -46,7 +46,7 @@ require_once('inc_errors.php');
<?php echo getlocal("canned.group") ?><br/> <?php echo getlocal("canned.group") ?><br/>
<select name="group" onchange="this.form.submit();"><?php <select name="group" onchange="this.form.submit();"><?php
foreach($page['groups'] as $k) { foreach($page['groups'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["groupid"]) . "\"".($k["groupid"] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["vclocalname"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["groupid"]) . "\"".($k["groupid"] == form_value("group") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["vclocalname"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
<?php } ?> <?php } ?>
@ -82,7 +82,7 @@ if( $page['pagination.items'] ) {
foreach( $page['pagination.items'] as $localstr ) { ?> foreach( $page['pagination.items'] as $localstr ) { ?>
<tr> <tr>
<td> <td>
<?php echo str_replace("\n", "<br/>",htmlspecialchars(topage($localstr['vcvalue']))) ?> <?php echo str_replace("\n", "<br/>",safe_htmlspecialchars(topage($localstr['vcvalue']))) ?>
</td> </td>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo urlencode($localstr['id']) ?>" target="_blank" <a href="<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo urlencode($localstr['id']) ?>" target="_blank"


@ -41,10 +41,10 @@ require_once('inc_errors.php');
<form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php"> <form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="key" value="<?php echo htmlspecialchars($page['key']) ?>"/> <input type="hidden" name="key" value="<?php echo safe_htmlspecialchars($page['key']) ?>"/>
<?php if(!$page['key']) { ?> <?php if(!$page['key']) { ?>
<input type="hidden" name="lang" value="<?php echo htmlspecialchars($page['locale']) ?>"/> <input type="hidden" name="lang" value="<?php echo safe_htmlspecialchars($page['locale']) ?>"/>
<input type="hidden" name="group" value="<?php echo htmlspecialchars($page['groupid']) ?>"/> <input type="hidden" name="group" value="<?php echo safe_htmlspecialchars($page['groupid']) ?>"/>
<?php } ?> <?php } ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
@ -57,7 +57,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>


@ -23,16 +23,16 @@ function tpl_content() { global $page, $webimroot;
<div id="confirmpane"> <div id="confirmpane">
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<?php echo getlocal2("confirm.take.message",array(htmlspecialchars($page['user']), htmlspecialchars($page['agent']))) ?><br/><br/> <?php echo getlocal2("confirm.take.message",array(safe_htmlspecialchars($page['user']), safe_htmlspecialchars($page['agent']))) ?><br/><br/>
<br/> <br/>
<div> <div>
<table class="nicebutton"><tr> <table class="nicebutton"><tr>
<td><a href="<?php echo htmlspecialchars($page['link']) ?>"> <td><a href="<?php echo safe_htmlspecialchars($page['link']) ?>">
<img src="<?php echo $webimroot ?>/images/submit.gif" width="40" height="35" border="0" alt="" /></a></td> <img src="<?php echo $webimroot ?>/images/submit.gif" width="40" height="35" border="0" alt="" /></a></td>
<td class="submit"><a href="<?php echo htmlspecialchars($page['link']) ?>"> <td class="submit"><a href="<?php echo safe_htmlspecialchars($page['link']) ?>">
<?php echo getlocal("confirm.take.yes") ?></a></td> <?php echo getlocal("confirm.take.yes") ?></a></td>
<td><a href="<?php echo htmlspecialchars($page['link']) ?>"> <td><a href="<?php echo safe_htmlspecialchars($page['link']) ?>">
<img src="<?php echo $webimroot ?>/images/submitrest.gif" width="10" height="35" border="0" alt="" /></a></td> <img src="<?php echo $webimroot ?>/images/submitrest.gif" width="10" height="35" border="0" alt="" /></a></td>
</tr></table> </tr></table>


@ -213,7 +213,7 @@ require_once('inc_errors.php');
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
<?php } ?> <?php } ?>
</div> </div>


@ -41,7 +41,7 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"" . ($k == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"" . ($k == form_value("lang") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
</div> </div>
@ -49,7 +49,7 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select> <select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<?php } ?> <?php } ?>
@ -58,14 +58,14 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_image") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_image") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="i" onchange="this.form.submit();"><?php foreach($page['availableImages'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("image") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="i" onchange="this.form.submit();"><?php foreach($page['availableImages'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("image") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select> <select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($v) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -98,7 +98,7 @@ require_once('inc_errors.php');
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal("page.gen_button.code") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.code") ?></div>
<div class="fvaluewithta" dir="ltr"> <div class="fvaluewithta" dir="ltr">
<textarea cols="44" rows="15"><?php echo htmlspecialchars($page['buttonCode']) ?></textarea> <textarea cols="44" rows="15"><?php echo safe_htmlspecialchars($page['buttonCode']) ?></textarea>
</div> </div>
<div class="fdescr"><?php echo getlocal("page.gen_button.code.description") ?></div> <div class="fdescr"><?php echo getlocal("page.gen_button.code.description") ?></div>
<br clear="all"/> <br clear="all"/>


@ -41,7 +41,7 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("lang") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
</div> </div>
@ -49,7 +49,7 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select> <select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<?php } ?> <?php } ?>
@ -58,7 +58,7 @@ require_once('inc_errors.php');
<div class="fieldinrow"> <div class="fieldinrow">
<div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select> <select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($v) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -91,7 +91,7 @@ require_once('inc_errors.php');
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal("page.gen_button.code") ?></div> <div class="flabel"><?php echo getlocal("page.gen_button.code") ?></div>
<div class="fvaluewithta" dir="ltr"> <div class="fvaluewithta" dir="ltr">
<textarea cols="44" rows="15"><?php echo htmlspecialchars($page['buttonCode']) ?></textarea> <textarea cols="44" rows="15"><?php echo safe_htmlspecialchars($page['buttonCode']) ?></textarea>
</div> </div>
<div class="fdescr"><?php echo getlocal("page.gen_button.code.description") ?></div> <div class="fdescr"><?php echo getlocal("page.gen_button.code.description") ?></div>
<br clear="all"/> <br clear="all"/>


@ -41,7 +41,7 @@ require_once('inc_errors.php');
<form name="groupForm" method="post" action="<?php echo $webimroot ?>/operator/group.php"> <form name="groupForm" method="post" action="<?php echo $webimroot ?>/operator/group.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="gid" value="<?php echo htmlspecialchars($page['grid']) ?>"/> <input type="hidden" name="gid" value="<?php echo safe_htmlspecialchars($page['grid']) ?>"/>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
@ -93,7 +93,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>


@ -24,38 +24,38 @@ $page['menuid'] = "groups";
function tpl_content() { global $page, $webimroot, $errors; function tpl_content() { global $page, $webimroot, $errors;
?> ?>
<?php echo htmlspecialchars(getlocal("page.groupmembers.intro")) ?> <?php echo safe_htmlspecialchars(getlocal("page.groupmembers.intro")) ?>
<br /> <br />
<br /> <br />
<?php <?php
require_once('inc_errors.php'); require_once('inc_errors.php');
?> ?>
<?php if( $page['stored'] ) { ?> <?php if( $page['stored'] ) { ?>
<div id="formmessage"><?php echo htmlspecialchars(getlocal("data.saved")) ?></div> <div id="formmessage"><?php echo safe_htmlspecialchars(getlocal("data.saved")) ?></div>
<?php } ?> <?php } ?>
<form name="membersForm" method="post" action="<?php echo $webimroot ?>/operator/groupmembers.php"> <form name="membersForm" method="post" action="<?php echo $webimroot ?>/operator/groupmembers.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="gid" value="<?php echo htmlspecialchars($page['groupid']) ?>"/> <input type="hidden" name="gid" value="<?php echo safe_htmlspecialchars($page['groupid']) ?>"/>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<p> <p>
<b><?php echo htmlspecialchars($page['currentgroup']) ?></b> <b><?php echo safe_htmlspecialchars($page['currentgroup']) ?></b>
</p> </p>
<?php foreach( $page['operators'] as $pm ) { ?> <?php foreach( $page['operators'] as $pm ) { ?>
<div class="field"> <div class="field">
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<input type="checkbox" name="op<?php echo htmlspecialchars($pm['operatorid']) ?>" value="on"<?php echo form_value_mb('op',$pm['operatorid']) ? " checked=\"checked\"" : "" ?>/> <input type="checkbox" name="op<?php echo safe_htmlspecialchars($pm['operatorid']) ?>" value="on"<?php echo form_value_mb('op',$pm['operatorid']) ? " checked=\"checked\"" : "" ?>/>
<?php echo htmlspecialchars(topage($pm['vclocalename'])) ?> (<a href="operator.php?op=<?php echo urlencode($pm['operatorid']) ?>" <?php echo safe_htmlspecialchars(topage($pm['vclocalename'])) ?> (<a href="operator.php?op=<?php echo urlencode($pm['operatorid']) ?>"
><?php echo htmlspecialchars(topage($pm['vclogin'])) ?></a>) ><?php echo safe_htmlspecialchars(topage($pm['vclogin'])) ?></a>)
</div> </div>
</div> </div>
<?php } ?> <?php } ?>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div><div class="formbottom"><div class="formbottomi"></div></div></div> </div><div class="formbottom"><div class="formbottomi"></div></div></div>
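Review bot: `getlocal("page.groupmembers.intro")` and `getlocal("data.saved")` are passed through `safe_htmlspecialchars` in text context here, while the same commit emits `getlocal(...)` raw in text context elsewhere (for example the `page_agents.new_agent` link text in the first section), so a locale string containing an entity such as `&amp;` or deliberate markup renders differently from page to page. Pick one convention for locale strings: either they are trusted markup, in which case drop the wrapper on these two echoes, or they are plain text, in which case every text-context `getlocal` echo should be escaped the same way. Whichever is chosen, a one-line comment at the top of the template stating it, `<?php /* locale strings are treated as trusted markup; only request/DB values are escaped */ ?>`, would stop the next edit from reintroducing the mix.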


@ -68,12 +68,12 @@ if(count($page['groups']) > 0) {
foreach( $page['groups'] as $grp ) { ?> foreach( $page['groups'] as $grp ) { ?>
<tr> <tr>
<td class="notlast"> <td class="notlast">
<a href="<?php echo $webimroot ?>/operator/group.php?gid=<?php echo urlencode($grp['groupid']) ?>" id="ti<?php echo htmlspecialchars($grp['groupid']) ?>" class="man"> <a href="<?php echo $webimroot ?>/operator/group.php?gid=<?php echo urlencode($grp['groupid']) ?>" id="ti<?php echo safe_htmlspecialchars($grp['groupid']) ?>" class="man">
<?php echo htmlspecialchars(topage($grp['vclocalname'])) ?> <?php echo safe_htmlspecialchars(topage($grp['vclocalname'])) ?>
</a> </a>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php echo $grp['vclocaldescription'] ? htmlspecialchars(topage($grp['vclocaldescription'])) : "&lt;none&gt;" ?> <?php echo $grp['vclocaldescription'] ? safe_htmlspecialchars(topage($grp['vclocaldescription'])) : "&lt;none&gt;" ?>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php if(is_online($grp)) { ?> <?php if(is_online($grp)) { ?>
@ -86,12 +86,12 @@ if(count($page['groups']) > 0) {
</td> </td>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/groupmembers.php?gid=<?php echo urlencode($grp['groupid']) ?>"> <a href="<?php echo $webimroot ?>/operator/groupmembers.php?gid=<?php echo urlencode($grp['groupid']) ?>">
<?php echo htmlspecialchars(topage($grp['inumofagents'])) ?> <?php echo safe_htmlspecialchars(topage($grp['inumofagents'])) ?>
</a> </a>
</td> </td>
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo urlencode($grp['groupid']) ?><?php print_csrf_token_in_url() ?>" id="i<?php echo htmlspecialchars($grp['groupid']) ?>" class="removelink"> <a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo urlencode($grp['groupid']) ?><?php print_csrf_token_in_url() ?>" id="i<?php echo safe_htmlspecialchars($grp['groupid']) ?>" class="removelink">
remove remove
</a> </a>
</td> </td>


@ -28,7 +28,7 @@ function tpl_menu() { global $page, $webimroot, $errors, $current_locale;
<h2><b><?php echo getlocal("lang.choose") ?></b></h2> <h2><b><?php echo getlocal("lang.choose") ?></b></h2>
<ul class="locales"> <ul class="locales">
<?php foreach($page['localeLinks'] as $id => $title) { ?> <?php foreach($page['localeLinks'] as $id => $title) { ?>
<li<?php menuloc($id)?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo htmlspecialchars($title) ?></a></li> <li<?php menuloc($id)?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo safe_htmlspecialchars($title) ?></a></li>
<?php } ?> <?php } ?>
</ul> </ul>
</li> </li>


@ -27,7 +27,7 @@ $isrtl = getlocal("localedirection") == 'rtl';
tpl_header(); tpl_header();
?> ?>
<title> <title>
<?php echo htmlspecialchars($page['title']) ?> - <?php echo getlocal("app.title") ?> <?php echo safe_htmlspecialchars($page['title']) ?> - <?php echo getlocal("app.title") ?>
</title> </title>
<link href="<?php echo $webimroot ?>/default.css" rel="stylesheet" type="text/css" /> <link href="<?php echo $webimroot ?>/default.css" rel="stylesheet" type="text/css" />
<!--[if lte IE 6]><script language="JavaScript" type="text/javascript" src="<?php echo $webimroot ?>/<?php echo jspath() ?>/ie.js"></script><![endif]--> <!--[if lte IE 6]><script language="JavaScript" type="text/javascript" src="<?php echo $webimroot ?>/<?php echo jspath() ?>/ie.js"></script><![endif]-->
@ -37,10 +37,10 @@ $isrtl = getlocal("localedirection") == 'rtl';
<div id="header"> <div id="header">
<div id="title"> <div id="title">
<h1><img src="<?php echo $webimroot ?>/images/logo.gif" alt="" width="32" height="32" class="left" /> <h1><img src="<?php echo $webimroot ?>/images/logo.gif" alt="" width="32" height="32" class="left" />
<a href="#"><?php echo isset($page['headertitle']) ? htmlspecialchars($page['headertitle']) : htmlspecialchars($page['title']) ?></a></h1> <a href="#"><?php echo isset($page['headertitle']) ? safe_htmlspecialchars($page['headertitle']) : safe_htmlspecialchars($page['title']) ?></a></h1>
</div> </div>
<?php if(isset($page) && isset($page['operator'])) { ?> <?php if(isset($page) && isset($page['operator'])) { ?>
<div id="path"><p><?php echo getlocal2("menu.operator",array(htmlspecialchars($page['operator']))) ?></p></div> <div id="path"><p><?php echo getlocal2("menu.operator",array(safe_htmlspecialchars($page['operator']))) ?></p></div>
<?php } else if(isset($page) && isset($page['show_small_login'])) { ?> <?php } else if(isset($page) && isset($page['show_small_login'])) { ?>
<div id="loginsmallpane"> <div id="loginsmallpane">
<form name="smallLogin" method="post" action="<?php echo $webimroot ?>/operator/login.php"> <form name="smallLogin" method="post" action="<?php echo $webimroot ?>/operator/login.php">
@ -83,7 +83,7 @@ $isrtl = getlocal("localedirection") == 'rtl';
<div class="empty_inner" style="">&#160;</div> <div class="empty_inner" style="">&#160;</div>
</div> </div>
<div id="footer"> <div id="footer">
<p id="legal"><a href="http://mibew.org/" target="_blank" class="flink">Mibew Messenger</a> <?php echo htmlspecialchars($version) ?> | (c) 2011-2013 mibew.org</p> <p id="legal"><a href="http://mibew.org/" target="_blank" class="flink">Mibew Messenger</a> <?php echo safe_htmlspecialchars($version) ?> | (c) 2011-2013 mibew.org</p>
</div> </div>
</body> </body>
</html> </html>


@ -25,8 +25,8 @@ function print_tabbar($maxwidth = 4) {
$tabbar2 = array(); $tabbar2 = array();
for($i = 0; $i < $len; $i++) { for($i = 0; $i < $len; $i++) {
$tabbar2[] = $i != $selected $tabbar2[] = $i != $selected
? "<li><a href=\"" . htmlspecialchars($tabbar[$i]['link']) . "\">" . htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n" ? "<li><a href=\"" . safe_htmlspecialchars($tabbar[$i]['link']) . "\">" . safe_htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n"
: "<li class=\"active\"><a href=\"#\">" . htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n"; : "<li class=\"active\"><a href=\"#\">" . safe_htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n";
} }
if($len > $maxwidth) { // && $len - $selected > $maxwidth if($len > $maxwidth) { // && $len - $selected > $maxwidth


@ -72,7 +72,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="login" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.login")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.enter")) ?>"/> <input type="image" name="login" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.login")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.enter")) ?>"/>
<div class="links"> <div class="links">
<a href="<?php echo $webimroot ?>/operator/restore.php"><?php echo getlocal("restore.pwd.message") ?></a><br/> <a href="<?php echo $webimroot ?>/operator/restore.php"><?php echo getlocal("restore.pwd.message") ?></a><br/>


@ -40,13 +40,13 @@ function tpl_content() { global $page, $webimroot, $current_locale, $menuItemsCo
<br/> <br/>
<?php if( $page['needChangePassword'] ) { ?> <?php if( $page['needChangePassword'] ) { ?>
<div id="formmessage"><?php echo getlocal("error.no_password") ?> <?php echo getlocal2("error.no_password.visit_profile", array(htmlspecialchars($page['profilePage']))) ?></div> <div id="formmessage"><?php echo getlocal("error.no_password") ?> <?php echo getlocal2("error.no_password.visit_profile", array(safe_htmlspecialchars($page['profilePage']))) ?></div>
<br/> <br/>
<?php } else if( $page['needUpdate'] ) { ?> <?php } else if( $page['needUpdate'] ) { ?>
<div id="formmessage"><?php echo getlocal2("install.updatedb",array(htmlspecialchars($page['updateWizard']))) ?></div> <div id="formmessage"><?php echo getlocal2("install.updatedb",array(safe_htmlspecialchars($page['updateWizard']))) ?></div>
<br/> <br/>
<?php } else if($page['newFeatures']) { ?> <?php } else if($page['newFeatures'] ) { ?>
<div><div id="formmessage"><?php echo getlocal2("install.newfeatures",array(htmlspecialchars($page['featuresPage'], $version))) ?></div></div> <div><div id="formmessage"><?php echo getlocal2("install.newfeatures",array(safe_htmlspecialchars($page['featuresPage']), safe_htmlspecialchars($version))) ?></div></div>
<br/> <br/>
<?php } ?> <?php } ?>
@ -188,7 +188,7 @@ $menuItemsCount = 2;
<b><?php echo getlocal("lang.choose") ?></b></h2> <b><?php echo getlocal("lang.choose") ?></b></h2>
<ul class="locales"> <ul class="locales">
<?php foreach($page['localeLinks'] as $id => $title) { ?> <?php foreach($page['localeLinks'] as $id => $title) { ?>
<li<?php echo $current_locale == $id ? " class=\"active\"" : "" ?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo htmlspecialchars($title) ?></a></li> <li<?php echo $current_locale == $id ? " class=\"active\"" : "" ?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo safe_htmlspecialchars($title) ?></a></li>
<?php } ?> <?php } ?>
</ul> </ul>
</div> </div>


@ -32,7 +32,7 @@ $notification = $page['notification'];
<?php echo getlocal("notification.label.to") ?>: <?php echo getlocal("notification.label.to") ?>:
</div> </div>
<div class="wvalue"> <div class="wvalue">
<?php echo topage(htmlspecialchars($notification['vcto'])) ?> <?php echo topage(safe_htmlspecialchars($notification['vcto'])) ?>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -48,7 +48,7 @@ $notification = $page['notification'];
<?php echo getlocal("notification.label.subj") ?>: <?php echo getlocal("notification.label.subj") ?>:
</div> </div>
<div class="wvalue"> <div class="wvalue">
<?php echo topage(htmlspecialchars($notification['vcsubject'])) ?> <?php echo topage(safe_htmlspecialchars($notification['vcsubject'])) ?>
</div> </div>
<br clear="all"/> <br clear="all"/>
</div> </div>
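Review bot: Escaping and charset conversion are composed in opposite orders across this commit: lines 794 and 801 here (and 989, 1032, 1039, 1047, 1066, 1073, 1075, 1080) apply `topage(safe_htmlspecialchars(...))`, whereas lines 826, 830, 833, 852 and 856 apply `safe_htmlspecialchars(topage(...))`. The behaviour of `topage` is not visible in the diff, but whatever it does to the bytes, the escaping step should be the last transformation before output so that the characters the browser actually receives are the ones that were checked; `<?php echo safe_htmlspecialchars(topage($notification['vcto'])) ?>` matches the form already used in the notifications list. Picking one order consistently would also make the templates easier to audit.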


@ -49,7 +49,7 @@ require_once('inc_errors.php');
<?php echo getlocal("notifications.kind") ?><br/> <?php echo getlocal("notifications.kind") ?><br/>
<select name="kind" onchange="this.form.submit();"><?php <select name="kind" onchange="this.form.submit();"><?php
foreach($page['allkinds'] as $k) { foreach($page['allkinds'] as $k) {
echo "<option value=\"".htmlspecialchars($k)."\"".($k == form_value("kind") ? " selected=\"selected\"" : "").">".getlocal("notifications.kind.".($k ? $k : "all"))."</option>"; echo "<option value=\"".safe_htmlspecialchars($k)."\"".($k == form_value("kind") ? " selected=\"selected\"" : "").">".getlocal("notifications.kind.".($k ? $k : "all"))."</option>";
} ?></select> } ?></select>
</div> </div>
@ -57,7 +57,7 @@ require_once('inc_errors.php');
<?php echo getlocal("notifications.locale") ?><br/> <?php echo getlocal("notifications.locale") ?><br/>
<select name="lang" onchange="this.form.submit();"><?php <select name="lang" onchange="this.form.submit();"><?php
foreach($page['locales'] as $k) { foreach($page['locales'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
@ -90,14 +90,14 @@ if( $page['pagination.items'] ) {
<tr> <tr>
<td class="notlast"> <td class="notlast">
<a href="<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;" class="<?php echo $b['vckind'] == 'xmpp' ? 'xmpp' : 'mail' ?>"> <a href="<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;" class="<?php echo $b['vckind'] == 'xmpp' ? 'xmpp' : 'mail' ?>">
<?php echo htmlspecialchars(shorten(topage($b['vcto']),30)) ?> <?php echo safe_htmlspecialchars(shorten(topage($b['vcto']),30)) ?>
</a> </a>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php echo htmlspecialchars(shorten(topage($b['vcsubject']),30)) ?> <?php echo safe_htmlspecialchars(shorten(topage($b['vcsubject']),30)) ?>
</td> </td>
<td class="notlast"> <td class="notlast">
<?php echo htmlspecialchars(shorten(topage($b['tmessage']),30)) ?> <?php echo safe_htmlspecialchars(shorten(topage($b['tmessage']),30)) ?>
</td> </td>
<td> <td>
<?php echo date_to_text($b['created']) ?> <?php echo date_to_text($b['created']) ?>


@ -36,28 +36,28 @@ require_once('inc_errors.php');
<form name="opgroupsForm" method="post" action="<?php echo $webimroot ?>/operator/opgroups.php"> <form name="opgroupsForm" method="post" action="<?php echo $webimroot ?>/operator/opgroups.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/> <input type="hidden" name="op" value="<?php echo safe_htmlspecialchars($page['opid']) ?>"/>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<p> <p>
<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b> <b><?php echo safe_htmlspecialchars($page['currentop']) ?>&lrm;</b>
</p> </p>
<?php foreach( $page['groups'] as $pm ) { ?> <?php foreach( $page['groups'] as $pm ) { ?>
<div class="field"> <div class="field">
<div class="flabel"><?php echo htmlspecialchars(topage($pm['vclocalname'])) ?></div> <div class="flabel"><?php echo safe_htmlspecialchars(topage($pm['vclocalname'])) ?></div>
<div class="fvalue"> <div class="fvalue">
<input type="checkbox" name="group<?php echo htmlspecialchars($pm['groupid']) ?>" value="on"<?php echo form_value_mb('group',$pm['groupid']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/> <input type="checkbox" name="group<?php echo safe_htmlspecialchars($pm['groupid']) ?>" value="on"<?php echo form_value_mb('group',$pm['groupid']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/>
</div> </div>
<div class="fdescr"> &mdash; <?php echo $pm['vclocaldescription'] ? htmlspecialchars(topage($pm['vclocaldescription'])) : getlocal("operator.group.no_description") ?></div> <div class="fdescr"> &mdash; <?php echo $pm['vclocaldescription'] ? safe_htmlspecialchars(topage($pm['vclocaldescription'])) : getlocal("operator.group.no_description") ?></div>
<br clear="all"/> <br clear="all"/>
</div> </div>
<?php } ?> <?php } ?>
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
<?php } ?> <?php } ?>
</div><div class="formbottom"><div class="formbottomi"></div></div></div> </div><div class="formbottom"><div class="formbottomi"></div></div></div>


@ -25,17 +25,17 @@ function tpl_header() { global $page, $webimroot, $jsver;
<script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/common.js"></script> <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/common.js"></script>
<script type="text/javascript" language="javascript"><!-- <script type="text/javascript" language="javascript"><!--
var localized = new Array( var localized = new Array(
"<?php echo htmlspecialchars(getlocal("pending.table.speak")) ?>", "<?php echo safe_htmlspecialchars(getlocal("pending.table.speak")) ?>",
"<?php echo htmlspecialchars(getlocal("pending.table.view")) ?>", "<?php echo safe_htmlspecialchars(getlocal("pending.table.view")) ?>",
"<?php echo htmlspecialchars(getlocal("pending.table.ban")) ?>", "<?php echo safe_htmlspecialchars(getlocal("pending.table.ban")) ?>",
"<?php echo htmlspecialchars(getlocal("pending.menu.show")) ?>", "<?php echo safe_htmlspecialchars(getlocal("pending.menu.show")) ?>",
"<?php echo htmlspecialchars(getlocal("pending.menu.hide")) ?>", "<?php echo safe_htmlspecialchars(getlocal("pending.menu.hide")) ?>",
"<?php echo htmlspecialchars(getlocal("pending.popup_notification")) ?>" "<?php echo safe_htmlspecialchars(getlocal("pending.popup_notification")) ?>"
); );
var updaterOptions = { var updaterOptions = {
url:"<?php echo $webimroot ?>/operator/update.php",wroot:"<?php echo $webimroot ?>", url:"<?php echo $webimroot ?>/operator/update.php",wroot:"<?php echo $webimroot ?>",
agentservl:"<?php echo $webimroot ?>/operator/agent.php", frequency:<?php echo htmlspecialchars($page['frequency']) ?>, istatus:<?php echo htmlspecialchars($page['istatus']) ?>, agentservl:"<?php echo $webimroot ?>/operator/agent.php", frequency:<?php echo safe_htmlspecialchars($page['frequency']) ?>, istatus:<?php echo safe_htmlspecialchars($page['istatus']) ?>,
noclients:"<?php echo htmlspecialchars(getlocal("clients.no_clients")) ?>", havemenu: <?php echo htmlspecialchars($page['havemenu']) ?>, showpopup: <?php echo htmlspecialchars($page['showpopup']) ?>, showonline: <?php echo htmlspecialchars($page['showonline']) ?> }; noclients:"<?php echo safe_htmlspecialchars(getlocal("clients.no_clients")) ?>", havemenu: <?php echo safe_htmlspecialchars($page['havemenu']) ?>, showpopup: <?php echo safe_htmlspecialchars($page['showpopup']) ?>, showonline: <?php echo safe_htmlspecialchars($page['showonline']) ?> };
//--></script> //--></script>
<script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/users.js"></script> <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/users.js"></script>
<?php <?php
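Review bot: `safe_htmlspecialchars` is the wrong escaping for the values emitted inside the `<script>` block at lines 873–883: a browser does not entity-decode script content, so the call neither protects the quoted JS string literals nor constrains `frequency`, `istatus`, `havemenu`, `showpopup` and `showonline`, which are written unquoted into the object literal and are therefore parsed as raw JavaScript. These look like trusted configuration values and localized strings, so the practical exposure is presumably low, but the idiomatic form is to let the JSON encoder produce each literal, e.g. `frequency:<?php echo json_encode((int) $page['frequency']) ?>` and `<?php echo json_encode(getlocal("pending.table.speak"), JSON_HEX_TAG) ?>` (JSON_HEX_TAG keeps a `</script>` sequence in the data from closing the block). Building `updaterOptions` as one PHP array and emitting it with a single `json_encode` call would be cleaner still. The enclosing `tpl_header` function starts before the hunk.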


@ -96,7 +96,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>


@ -36,24 +36,24 @@ require_once('inc_errors.php');
<form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php"> <form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/> <input type="hidden" name="op" value="<?php echo safe_htmlspecialchars($page['opid']) ?>"/>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<p> <p>
<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b> <b><?php echo safe_htmlspecialchars($page['currentop']) ?>&lrm;</b>
</p> </p>
<?php foreach( $page['permissionsList'] as $pm ) { ?> <?php foreach( $page['permissionsList'] as $pm ) { ?>
<label> <label>
<input type="checkbox" name="permissions<?php echo htmlspecialchars($pm['id']) ?>" value="on"<?php echo form_value_mb('permissions',$pm['id']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/> <?php echo htmlspecialchars($pm['descr']) ?> <input type="checkbox" name="permissions<?php echo safe_htmlspecialchars($pm['id']) ?>" value="on"<?php echo form_value_mb('permissions',$pm['id']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/> <?php echo safe_htmlspecialchars($pm['descr']) ?>
</label> </label>
<br/> <br/>
<?php } ?> <?php } ?>
<?php if($page['canmodify']) { ?> <?php if($page['canmodify']) { ?>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
<?php } ?> <?php } ?>
</div><div class="formbottom"><div class="formbottomi"></div></div></div> </div><div class="formbottom"><div class="formbottomi"></div></div></div>


@ -46,8 +46,8 @@ function tpl_content() {
?> ?>
<form name="resetForm" method="post" action="<?php echo $webimroot ?>/operator/resetpwd.php"> <form name="resetForm" method="post" action="<?php echo $webimroot ?>/operator/resetpwd.php">
<input type="hidden" name="id" value="<?php echo htmlspecialchars($page['id']) ?>"/> <input type="hidden" name="id" value="<?php echo safe_htmlspecialchars($page['id']) ?>"/>
<input type="hidden" name="token" value="<?php echo htmlspecialchars($page['token']) ?>"/> <input type="hidden" name="token" value="<?php echo safe_htmlspecialchars($page['token']) ?>"/>
<div id="loginpane"> <div id="loginpane">


@ -116,7 +116,7 @@ require_once('inc_errors.php');
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal('settings.chatstyle') ?></div> <div class="flabel"><?php echo getlocal('settings.chatstyle') ?></div>
<div class="fvalue"> <div class="fvalue">
<select name="chatstyle" ><?php foreach($page['availableStyles'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("chatstyle") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="chatstyle" ><?php foreach($page['availableStyles'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("chatstyle") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
<div class="fdescr"> &mdash; <?php echo getlocal('settings.chatstyle.description') ?></div> <div class="fdescr"> &mdash; <?php echo getlocal('settings.chatstyle.description') ?></div>
<br clear="all"/> <br clear="all"/>
@ -133,7 +133,7 @@ require_once('inc_errors.php');
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>


@ -39,18 +39,18 @@ require_once('inc_errors.php');
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<div class="searchctrl"> <div class="searchctrl">
<?php echo getlocal("statistics.from") ?> <?php echo getlocal("statistics.from") ?>
<select name="startday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("startday") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="startday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("startday") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
<select name="startmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("startmonth") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select> <select name="startmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("startmonth") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($v) . "</option>"; } ?></select>
</div> </div>
<div class="searchctrl"> <div class="searchctrl">
<?php echo getlocal("statistics.till") ?> <?php echo getlocal("statistics.till") ?>
<select name="endday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("endday") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="endday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("endday") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
<select name="endmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("endmonth") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select> <select name="endmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("endmonth") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($v) . "</option>"; } ?></select>
</div> </div>
<div id="searchbutton"> <div id="searchbutton">
<input type="image" name="search" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.search")) ?>"/> <input type="image" name="search" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.search")) ?>"/>
</div> </div>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -84,17 +84,17 @@ require_once('inc_errors.php');
<?php if( $page['reportByDate'] ) { ?> <?php if( $page['reportByDate'] ) { ?>
<?php foreach( $page['reportByDate'] as $row ) { ?> <?php foreach( $page['reportByDate'] as $row ) { ?>
<tr> <tr>
<td><?php echo htmlspecialchars($row['date']) ?></td> <td><?php echo safe_htmlspecialchars($row['date']) ?></td>
<td><?php echo htmlspecialchars($row['threads']) ?></td> <td><?php echo safe_htmlspecialchars($row['threads']) ?></td>
<td><?php echo htmlspecialchars($row['agents']) ?></td> <td><?php echo safe_htmlspecialchars($row['agents']) ?></td>
<td><?php echo htmlspecialchars($row['users']) ?></td> <td><?php echo safe_htmlspecialchars($row['users']) ?></td>
</tr> </tr>
<?php } ?> <?php } ?>
<tr> <tr>
<td><b><?php echo getlocal("report.total") ?></b></td> <td><b><?php echo getlocal("report.total") ?></b></td>
<td><?php echo htmlspecialchars($page['reportByDateTotal']['threads']) ?></td> <td><?php echo safe_htmlspecialchars($page['reportByDateTotal']['threads']) ?></td>
<td><?php echo htmlspecialchars($page['reportByDateTotal']['agents']) ?></td> <td><?php echo safe_htmlspecialchars($page['reportByDateTotal']['agents']) ?></td>
<td><?php echo htmlspecialchars($page['reportByDateTotal']['users']) ?></td> <td><?php echo safe_htmlspecialchars($page['reportByDateTotal']['users']) ?></td>
</tr> </tr>
<?php } else { ?> <?php } else { ?>
<tr> <tr>
@ -126,10 +126,10 @@ require_once('inc_errors.php');
<?php if( $page['reportByAgent'] ) { ?> <?php if( $page['reportByAgent'] ) { ?>
<?php foreach( $page['reportByAgent'] as $row ) { ?> <?php foreach( $page['reportByAgent'] as $row ) { ?>
<tr> <tr>
<td><?php echo topage(htmlspecialchars($row['name'])) ?></td> <td><?php echo topage(safe_htmlspecialchars($row['name'])) ?></td>
<td><?php echo htmlspecialchars($row['threads']) ?></td> <td><?php echo safe_htmlspecialchars($row['threads']) ?></td>
<td><?php echo htmlspecialchars($row['msgs']) ?></td> <td><?php echo safe_htmlspecialchars($row['msgs']) ?></td>
<td><?php echo htmlspecialchars($row['avglen']) ?></td> <td><?php echo safe_htmlspecialchars($row['avglen']) ?></td>
</tr> </tr>
<?php } ?> <?php } ?>
<?php } else { ?> <?php } else { ?>


@ -37,13 +37,13 @@ function tpl_content() { global $page, $webimroot;
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal("page.preview.choose") ?></div> <div class="flabel"><?php echo getlocal("page.preview.choose") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="preview" onchange="this.form.submit();"><?php foreach($page['availablePreviews'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("preview") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="preview" onchange="this.form.submit();"><?php foreach($page['availablePreviews'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("preview") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<div class="field"> <div class="field">
<div class="flabel"><?php echo getlocal("page.preview.choosetpl") ?></div> <div class="flabel"><?php echo getlocal("page.preview.choosetpl") ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<select name="template" onchange="this.form.submit();"><?php foreach($page['availableTemplates'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("template") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select> <select name="template" onchange="this.form.submit();"><?php foreach($page['availableTemplates'] as $k) { echo "<option value=\"" . safe_htmlspecialchars($k) . "\"".($k == form_value("template") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k) . "</option>"; } ?></select>
</div> </div>
</div> </div>
<?php if( $page['canshowerrors'] ) { ?> <?php if( $page['canshowerrors'] ) { ?>
@ -57,11 +57,11 @@ function tpl_content() { global $page, $webimroot;
<?php foreach( $page['previewList'] as $pp ) { ?> <?php foreach( $page['previewList'] as $pp ) { ?>
<div class="field"> <div class="field">
<div class="flabel"> <div class="flabel">
<?php echo htmlspecialchars($pp['label']) ?> <?php echo safe_htmlspecialchars($pp['label']) ?>
<a href="<?php echo htmlspecialchars($page['showlink']) ?><?php echo htmlspecialchars($pp['id']) ?>" target="_blank" title="in separate window" onclick="this.newWindow = window.open('<?php echo htmlspecialchars($page['showlink']) ?><?php echo htmlspecialchars($pp['id']) ?>', '<?php echo htmlspecialchars($pp['id']) ?>', 'toolbar=0,scrollbars=0,location=0,statusbar=1,menubar=0,width=<?php echo htmlspecialchars($pp['w']) ?>,height=<?php echo htmlspecialchars($pp['h']) ?>,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">link</a> <a href="<?php echo safe_htmlspecialchars($page['showlink']) ?><?php echo safe_htmlspecialchars($pp['id']) ?>" target="_blank" title="in separate window" onclick="this.newWindow = window.open('<?php echo safe_htmlspecialchars($page['showlink']) ?><?php echo safe_htmlspecialchars($pp['id']) ?>', '<?php echo safe_htmlspecialchars($pp['id']) ?>', 'toolbar=0,scrollbars=0,location=0,statusbar=1,menubar=0,width=<?php echo safe_htmlspecialchars($pp['w']) ?>,height=<?php echo safe_htmlspecialchars($pp['h']) ?>,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">link</a>
</div> </div>
<div class="fvalueframe"> <div class="fvalueframe">
<iframe id="sample<?php echo htmlspecialchars($pp['id']) ?>" width="<?php echo htmlspecialchars($pp['w']) ?>" height="<?php echo htmlspecialchars($pp['h']) ?>" src="<?php echo $page['showlink'] ?><?php echo htmlspecialchars($pp['id']) ?>" frameborder="0" scrolling="no"> <iframe id="sample<?php echo safe_htmlspecialchars($pp['id']) ?>" width="<?php echo safe_htmlspecialchars($pp['w']) ?>" height="<?php echo safe_htmlspecialchars($pp['h']) ?>" src="<?php echo $page['showlink'] ?><?php echo safe_htmlspecialchars($pp['id']) ?>" frameborder="0" scrolling="no">
No iframes No iframes
</iframe> </iframe>
</div> </div>
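Review bot: `$page['showlink']` is echoed unescaped into the iframe `src` attribute on line 1021 while the same value goes through `safe_htmlspecialchars` in the `href` on line 1018; the attribute should be written the same way, `src="<?php echo safe_htmlspecialchars($page['showlink']) ?><?php echo safe_htmlspecialchars($pp['id']) ?>"`. Separately, the `onclick` handler on line 1018 places `$page['showlink']` and `$pp['id']` inside JavaScript string literals, and HTML entity escaping is not the escaping for that context because the attribute value is entity-decoded before the script is parsed; if those values can ever contain quotes, emitting them with `json_encode($v, JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG)` inside the handler is the robust form. Both values appear to come from the template's own preview list, so this reads as a consistency gap rather than a live one. The enclosing `tpl_content` function continues outside the hunk.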


@ -32,7 +32,7 @@ $chatthread = $page['thread'];
<?php echo getlocal("page.analysis.search.head_name") ?>: <?php echo getlocal("page.analysis.search.head_name") ?>:
</div> </div>
<div class="wvalue"> <div class="wvalue">
<?php echo topage(htmlspecialchars($chatthread['userName'])) ?> <?php echo topage(safe_htmlspecialchars($chatthread['userName'])) ?>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -57,7 +57,7 @@ $chatthread = $page['thread'];
<?php echo getlocal("page.analysis.search.head_group") ?>: <?php echo getlocal("page.analysis.search.head_group") ?>:
</div> </div>
<div class="wvalue"> <div class="wvalue">
<?php echo topage(htmlspecialchars($chatthread['groupName'])) ?> <?php echo topage(safe_htmlspecialchars($chatthread['groupName'])) ?>
</div> </div>
<br clear="all"/> <br clear="all"/>
<?php } ?> <?php } ?>
@ -67,7 +67,7 @@ $chatthread = $page['thread'];
<?php echo getlocal("page.analysis.search.head_operator") ?>: <?php echo getlocal("page.analysis.search.head_operator") ?>:
</div> </div>
<div class="wvalue"> <div class="wvalue">
<?php echo topage(htmlspecialchars($chatthread['agentName'])) ?> <?php echo topage(safe_htmlspecialchars($chatthread['agentName'])) ?>
</div> </div>
<br clear="all"/> <br clear="all"/>
<?php } ?> <?php } ?>


@ -37,7 +37,7 @@ function tpl_content() { global $page, $webimroot;
<input type="text" name="q" size="80" value="<?php echo form_value('q') ?>" class="formauth"/> <input type="text" name="q" size="80" value="<?php echo form_value('q') ?>" class="formauth"/>
</div> </div>
<div id="searchbutton"> <div id="searchbutton">
<input type="image" name="search" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.search")) ?>"/> <input type="image" name="search" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.search")) ?>"/>
</div> </div>
</div> </div>
<br clear="all"/> <br clear="all"/>
@ -72,21 +72,21 @@ if( $page['pagination.items'] ) {
foreach( $page['pagination.items'] as $chatthread ) { ?> foreach( $page['pagination.items'] as $chatthread ) { ?>
<tr> <tr>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a> <a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(safe_htmlspecialchars($chatthread['userName'])) ?></a>
</td> </td>
<td> <td>
<?php echo get_user_addr(topage($chatthread['remote'])) ?> <?php echo get_user_addr(topage($chatthread['remote'])) ?>
</td> </td>
<td> <td>
<?php if( $chatthread['agentName'] ) { <?php if( $chatthread['agentName'] ) {
echo topage(htmlspecialchars($chatthread['agentName'])); echo topage(safe_htmlspecialchars($chatthread['agentName']));
} else if($chatthread['groupid'] && $chatthread['groupid'] != 0 && isset($page['groupName'][$chatthread['groupid']])) { } else if($chatthread['groupid'] && $chatthread['groupid'] != 0 && isset($page['groupName'][$chatthread['groupid']])) {
echo "- ".topage(htmlspecialchars($page['groupName'][$chatthread['groupid']]))." -"; echo "- ".topage(safe_htmlspecialchars($page['groupName'][$chatthread['groupid']]))." -";
} }
?> ?>
</td> </td>
<td> <td>
<?php echo topage(htmlspecialchars($chatthread['size'])) ?> <?php echo topage(safe_htmlspecialchars($chatthread['size'])) ?>
</td> </td>
<td> <td>
<?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?> <?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?>
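Review bot: `form_value('q')` is echoed into the `value` attribute on line 1055 without `safe_htmlspecialchars`, even though this hunk now escapes every other dynamic attribute value in the section; unless `form_value()` escapes internally (not visible here), the search string, which is presumably request input, should be wrapped the same way, `value="<?php echo safe_htmlspecialchars(form_value('q')) ?>"`. Line 1069 similarly prints `get_user_addr(topage($chatthread['remote']))` raw; if that helper returns plain text rather than markup it needs the same treatment. The enclosing `tpl_content` function starts before the hunk.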


@ -41,27 +41,27 @@ require_once('inc_errors.php');
<form name="translateForm" method="post" action="<?php echo $webimroot ?>/operator/translate.php"> <form name="translateForm" method="post" action="<?php echo $webimroot ?>/operator/translate.php">
<?php print_csrf_token_input() ?> <?php print_csrf_token_input() ?>
<input type="hidden" name="key" value="<?php echo htmlspecialchars($page['key']) ?>"/> <input type="hidden" name="key" value="<?php echo safe_htmlspecialchars($page['key']) ?>"/>
<input type="hidden" name="target" value="<?php echo htmlspecialchars($page['target']) ?>"/> <input type="hidden" name="target" value="<?php echo safe_htmlspecialchars($page['target']) ?>"/>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
<div class="fieldForm"> <div class="fieldForm">
<div class="field"> <div class="field">
<div class="flabel"><?php echo htmlspecialchars($page['title1']) ?></div> <div class="flabel"><?php echo safe_htmlspecialchars($page['title1']) ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<textarea name="original" disabled="disabled" cols="20" rows="5" class="wide"><?php echo form_value('original') ?></textarea> <textarea name="original" disabled="disabled" cols="20" rows="5" class="wide"><?php echo form_value('original') ?></textarea>
</div> </div>
</div> </div>
<div class="field"> <div class="field">
<div class="flabel"><?php echo htmlspecialchars($page['title2']) ?></div> <div class="flabel"><?php echo safe_htmlspecialchars($page['title2']) ?></div>
<div class="fvaluenodesc"> <div class="fvaluenodesc">
<textarea name="translation" cols="20" rows="5" class="wide"><?php echo form_value('translation') ?></textarea> <textarea name="translation" cols="20" rows="5" class="wide"><?php echo form_value('translation') ?></textarea>
</div> </div>
</div> </div>
<div class="fbutton"> <div class="fbutton">
<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/> <input type="image" name="save" value="" src="<?php echo $webimroot . safe_htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("button.save")) ?>"/>
</div> </div>
</div> </div>
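Review bot: The two `form_value()` echoes inside the `original` and `translation` textareas are the only outputs in this hunk that were not switched to `safe_htmlspecialchars`, and whether they are escaped depends on `form_value`, which is not visible here. If it returns the stored string unchanged, a translation containing `</textarea>` closes the element and the rest of the value is rendered as markup; if it already escapes, wrapping it again would double-encode. Worth confirming which it is and, if the value is raw, changing the two lines to `<?php echo safe_htmlspecialchars(form_value('original')) ?>` and `<?php echo safe_htmlspecialchars(form_value('translation')) ?>`. The `<form>` opened at the top of the hunk is closed outside it.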


@ -34,12 +34,12 @@ function tpl_content() { global $page, $webimroot;
<?php echo getlocal("translate.direction") ?><br/> <?php echo getlocal("translate.direction") ?><br/>
<select name="source" onchange="this.form.submit();"><?php <select name="source" onchange="this.form.submit();"><?php
foreach($page['availableLocales'] as $k) { foreach($page['availableLocales'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("source") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("source") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
=&gt; =&gt;
<select name="target" onchange="this.form.submit();"><?php <select name="target" onchange="this.form.submit();"><?php
foreach($page['availableLocales'] as $k) { foreach($page['availableLocales'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("target") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("target") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
@ -47,7 +47,7 @@ function tpl_content() { global $page, $webimroot;
<?php echo getlocal("translate.sort") ?><br/> <?php echo getlocal("translate.sort") ?><br/>
<select name="sort" onchange="this.form.submit();"><?php <select name="sort" onchange="this.form.submit();"><?php
foreach($page['availableOrders'] as $k) { foreach($page['availableOrders'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("sort") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("sort") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
@ -55,7 +55,7 @@ function tpl_content() { global $page, $webimroot;
<?php echo getlocal("translate.show") ?><br/> <?php echo getlocal("translate.show") ?><br/>
<select name="show" onchange="this.form.submit();"><?php <select name="show" onchange="this.form.submit();"><?php
foreach($page['showOptions'] as $k) { foreach($page['showOptions'] as $k) {
echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("show") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>"; echo "<option value=\"" . safe_htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("show") ? " selected=\"selected\"" : "").">" . safe_htmlspecialchars($k["name"]) . "</option>";
} ?></select> } ?></select>
</div> </div>
@ -78,9 +78,9 @@ if( $page['pagination'] ) {
<tr class="header"><th> <tr class="header"><th>
Key Key
</th><th> </th><th>
<?php echo htmlspecialchars(topage($page['title1'])) ?> <?php echo safe_htmlspecialchars(topage($page['title1'])) ?>
</th><th> </th><th>
<?php echo htmlspecialchars(topage($page['title2'])) ?> <?php echo safe_htmlspecialchars(topage($page['title2'])) ?>
</th></tr> </th></tr>
</thead> </thead>
<tbody> <tbody>
@ -89,7 +89,7 @@ if( $page['pagination.items'] ) {
foreach( $page['pagination.items'] as $localstr ) { ?> foreach( $page['pagination.items'] as $localstr ) { ?>
<tr> <tr>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo htmlspecialchars(topage($localstr['id'])) ?></a> <a href="<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo safe_htmlspecialchars(topage($localstr['id'])) ?></a>
</td> </td>
<td> <td>
<?php echo topage($localstr['l1']) ?> <?php echo topage($localstr['l1']) ?>
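Review bot: The escaping order in this file is `safe_htmlspecialchars(topage(...))` (both column headers and the key link in the last hunk), while the thread lists elsewhere in this commit use `topage(safe_htmlspecialchars(...))`; the two orders are only equivalent if `safe_htmlspecialchars` makes no charset assumption, and its definition is not in view. If the wrapper passes a charset to `htmlspecialchars`, then escaping after `topage()` runs on page-encoded text, and `htmlspecialchars` returns an empty string for byte sequences that are invalid in the declared charset unless `ENT_SUBSTITUTE` is set, so non-ASCII locale text could silently disappear in one order but not the other — confirm which encoding the wrapper expects and apply the same order in every template. Separately, the four `<option>` loops (source, target, sort, show) are the same line repeated with a different `$page` key and form field, which is why this commit had to edit each of them; a small helper taking the option list and the selected id would keep the escaping in one place. The enclosing `tpl_content()` starts before the first hunk and ends after the last.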


@ -41,7 +41,7 @@ function tpl_content() { global $page, $webimroot;
</div> </div>
<?php echo getlocal("updates.current")?><br/> <?php echo getlocal("updates.current")?><br/>
<div id="cver"><?php echo htmlspecialchars($page['version']) ?></div> <div id="cver"><?php echo safe_htmlspecialchars($page['version']) ?></div>
<br/> <br/>
@ -52,13 +52,13 @@ function tpl_content() { global $page, $webimroot;
<?php echo getlocal("updates.installed_locales")?><br/> <?php echo getlocal("updates.installed_locales")?><br/>
<?php foreach( $page['localizations'] as $loc ) { ?> <?php foreach( $page['localizations'] as $loc ) { ?>
<?php echo htmlspecialchars($loc) ?> <?php echo safe_htmlspecialchars($loc) ?>
<?php } ?> <?php } ?>
<br/><br/> <br/><br/>
<?php echo getlocal("updates.env")?><br/> <?php echo getlocal("updates.env")?><br/>
PHP <?php echo htmlspecialchars($page['phpVersion']) ?> PHP <?php echo safe_htmlspecialchars($page['phpVersion']) ?>
</div><div class="formbottom"><div class="formbottomi"></div></div></div> </div><div class="formbottom"><div class="formbottomi"></div></div></div>
</div> </div>


@ -46,13 +46,13 @@ if( $page['pagination.items'] ) {
foreach( $page['pagination.items'] as $chatthread ) { ?> foreach( $page['pagination.items'] as $chatthread ) { ?>
<tr> <tr>
<td> <td>
<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a> <a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(safe_htmlspecialchars($chatthread['userName'])) ?></a>
</td> </td>
<td> <td>
<?php echo get_user_addr(topage($chatthread['remote'])) ?> <?php echo get_user_addr(topage($chatthread['remote'])) ?>
</td> </td>
<td> <td>
<?php if( $chatthread['agentName'] ) { ?><?php echo topage(htmlspecialchars($chatthread['agentName'])) ?><?php } ?> <?php if( $chatthread['agentName'] ) { ?><?php echo topage(safe_htmlspecialchars($chatthread['agentName'])) ?><?php } ?>
</td> </td>
<td> <td>
<?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?> <?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?>