authorIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
committerIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
commit3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch)
treea1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /includes/sys_form.php
parentcc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff)
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'includes/sys_form.php')
-rw-r--r--includes/sys_form.php15
1 files changed, 8 insertions, 7 deletions
diff --git a/includes/sys_form.php b/includes/sys_form.php
index 78e97792..148af965 100644
--- a/includes/sys_form.php
+++ b/includes/sys_form.php
@@ -10,7 +10,7 @@
*/
function form_hidden($name, $value)
{
- return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
+ return '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
}
/**
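Review bot: `htmlspecialchars($value)` on the new line relies on the function's default flags, which on the PHP versions current for this commit encode double quotes only and return an empty string when `$value` is not valid UTF-8, so a malformed value is silently dropped from the hidden field rather than rendered; `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the attribute safe independent of quoting style and keeps invalid input visible. The same default-flag call appears in the spinner, date, checkbox, radio and textarea hunks below, so a small shared escaping helper used by all six would put the flags in one place. `$name` is still concatenated into the `name` attribute unescaped; presumably it is always a developer-supplied constant, which is worth stating in the docblock so request data is never routed through it later.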
@@ -25,7 +25,7 @@ function form_spinner($name, $label, $value)
{
return form_element($label, '
<div class="input-group">
- <input id="spinner-' . $name . '" class="form-control" type="text" name="' . $name . '" value="' . $value . '" />
+ <input id="spinner-' . $name . '" class="form-control" name="' . $name . '" value="' . htmlspecialchars($value) . '" />
<div class="input-group-btn">
<button id="spinner-' . $name . '-down" class="btn btn-default" type="button">
<span class="glyphicon glyphicon-minus"></span>
@@ -66,7 +66,8 @@ function form_date($name, $label, $value, $start_date = '', $end_date = '')
$end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
return form_element($label, '
<div class="input-group date" id="' . $dom_id . '">
- <input type="text" name="' . $name . '" class="form-control" value="' . $value . '"><span class="input-group-addon">' . glyph('th') . '</span>
+ <input name="' . $name . '" class="form-control" value="' . htmlspecialchars($value) . '">'
+ . '<span class="input-group-addon">' . glyph('th') . '</span>
</div>
<script type="text/javascript">
$(function(){
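Review bot: `$dom_id` goes into the `id` attribute unescaped and, judging by the `<script>` block that opens at the end of the hunk, is presumably embedded in JavaScript as well, where `htmlspecialchars` would not be the appropriate escape anyway; if `$dom_id` is derived from `$name` above the hunk it is developer-controlled, and the docblock should say so. If `$value` is normalised the way `$end_date` is on the first line of the hunk (`is_numeric(...) ? date(...) : ''`), the new `htmlspecialchars($value)` is defence in depth rather than the fix itself, which is fine but deserves a short comment such as `// already normalised above; escaped anyway for consistency with the other form helpers` so it is not removed as redundant. form_date's body starts before and continues after this hunk.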
@@ -154,7 +155,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
}
return '<div class="checkbox"><label>'
- . '<input type="checkbox" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
+ . '<input type="checkbox" id="' . $id . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
. ($selected ? ' checked="checked"' : '') . ' /> '
. $label
. '</label></div>';
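Review bot: `$label` is still concatenated raw on the `. $label` line, so after this change the label is the remaining HTML sink in the element and every caller must escape it itself; if markup in labels is intended, record it in the docblock, e.g. `@param string $label Rendered as raw HTML; escape user-supplied text before passing it`, and the same applies to form_radio in the next hunk. The switch of the `id` attribute from `$name` to `$id` is a behaviour change unrelated to escaping; `$id` defaults to `null` and whether it is assigned before the `}` that opens the hunk cannot be seen here, so `id="' . ($id ?? $name) . '"` would make the line self-contained. The enclosing function starts before the hunk.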
@@ -172,7 +173,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
function form_radio($name, $label, $selected, $value)
{
return '<div class="radio">'
- . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
+ . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
. ($selected ? ' checked="checked"' : '') . ' /> '
. $label
. '</label></div>';
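Review bot: The radio input keeps `id="' . $name . '"` while the checkbox hunk above moved to a dedicated `$id`, yet radios in one group share `$name` by design, so every option in a group is rendered with the same `id`, which is invalid markup and breaks any script addressing the element by id. Adding an optional `$id = null` parameter mirroring form_checkbox and writing `id="' . ($id ?? $name) . '"` would keep the two helpers consistent without changing existing call sites.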
@@ -333,8 +334,8 @@ function form_textarea($name, $label, $value, $disabled = false)
$disabled = $disabled ? ' disabled="disabled"' : '';
return form_element(
$label,
- '<textarea rows="5" class="form-control" id="form_' . $name . '" type="text" name="'
- . $name . '" ' . $disabled . '>' . $value . '</textarea>',
+ '<textarea rows="5" class="form-control" id="form_' . $name . '" name="'
+ . $name . '" ' . $disabled . '>' . htmlspecialchars($value) . '</textarea>',
'form_' . $name
);
}
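Review bot: `'form_' . $name` is spelled twice in this call, once inside the `id` attribute and once as the third argument to form_element, so the two can drift apart on a later edit; form_date above already names this value `$dom_id`, and a `$dom_id = 'form_' . $name;` local used in both places would match it. Here `$value` is in element-content position, where encoding `<` is what matters: a `</textarea>` sequence inside `$value` can no longer close the element, and `$disabled` is built from a boolean on the first line of the hunk, so the remaining unescaped interpolation is `$name` alone.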