- use htmlspecialchars() whenever data from the database is output

(this currently double-encodes the output, because the data was already
	HTML-encoded when it was saved)
This commit is contained in:
steinm 2011-12-02 16:23:36 +00:00
parent d9cedd79fc
commit 73f4c8d90d
51 changed files with 225 additions and 227 deletions


@ -37,10 +37,10 @@ if (!is_object($folder)) {
$folderPathHTML = getFolderPathHTML($folder, true); $folderPathHTML = getFolderPathHTML($folder, true);
if ($folder->getAccessMode($user) < M_READWRITE) { if ($folder->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("access_denied")); UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("access_denied"));
} }
UI::htmlStartPage(getMLText("folder_title", array("foldername" => $folder->getName()))); UI::htmlStartPage(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))));
UI::globalNavigation($folder); UI::globalNavigation($folder);
UI::pageNavigation($folderPathHTML, "view_folder", $folder); UI::pageNavigation($folderPathHTML, "view_folder", $folder);
@ -180,8 +180,8 @@ $docAccess = $folder->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['reviewerUserID']==$usr->getID()) $mandatory=true; foreach ($res as $r) if ($r['reviewerUserID']==$usr->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName());
else print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". $usr->getFullName(); else print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
?> ?>
</ul> </ul>
@ -195,8 +195,8 @@ $docAccess = $folder->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $mandatory=true; foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$grp->getName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($grp->getName());
else print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".$grp->getName(); else print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>
</ul> </ul>
@ -217,8 +217,8 @@ $docAccess = $folder->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['approverUserID']==$usr->getID()) $mandatory=true; foreach ($res as $r) if ($r['approverUserID']==$usr->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName());
else print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". $usr->getFullName(); else print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
?> ?>
</ul> </ul>
@ -232,8 +232,8 @@ $docAccess = $folder->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $mandatory=true; foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$grp->getName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($grp->getName());
else print "<li class=\"cbSelectItem\"><input id='appGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".$grp->getName(); else print "<li class=\"cbSelectItem\"><input id='appGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>
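Review bot: Every new call in this hunk uses bare `htmlspecialchars()` with its default flags, which do not escape single quotes, so the call only protects double-quoted attributes and element content; the `id='revInd…'` and `value='…'` attributes on the surrounding lines are single-quoted and would not be covered if anything other than a numeric ID were ever placed there. The commit message also admits the stored data is already encoded, which this change turns into visible double encoding. Until encoding on save is removed, `htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false)` (double_encode=false) keeps existing entities intact while still neutralising raw `<`, `>`, `"` and `'`; a single project helper wrapping that call would make the flags consistent across all 51 files rather than repeating the default-flag call everywhere.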


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
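Review bot: The `UI::exitError` call on the last line of the hunk still passes the raw document name while the same hunk escapes it two lines earlier in `$docPathHTML`, and the first file in this commit does escape the folder name in the equivalent exitError call; it should be `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));`. Whether exitError escapes internally cannot be seen here, but the inconsistency with the folder variant suggests it does not. `$documentid` is also concatenated into the href without escaping; if it is taken straight from the request (not visible in this hunk) it should be cast with `(int)` first.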


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
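Review bot: The access-denied path on the last line still emits the unescaped document name even though the line just above it now escapes the same value, so the XSS this commit targets survives in the error page; use `array("documentname" => htmlspecialchars($document->getName()))` here as the folder pages in this commit already do. The `$documentid` in the href is likewise unescaped and, if request-derived, should be cast to int before being interpolated.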


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READ) { if ($document->getAccessMode($user) < M_READ) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -164,9 +164,9 @@ else if ($approvalStatus['type'] == 1) {
print "<td>"; print "<td>";
printApprovalStatusText($approvalStatus["status"]); printApprovalStatusText($approvalStatus["status"]);
print "</td>"; print "</td>";
print "<td>".$approvalStatus["comment"]."</td>"; print "<td>".htmlspecialchars($approvalStatus["comment"])."</td>";
$indUser = $dms->getUser($approvalStatus["userID"]); $indUser = $dms->getUser($approvalStatus["userID"]);
print "<td>".$approvalStatus["date"]." - ". $indUser->getFullname() ."</td>"; print "<td>".$approvalStatus["date"]." - ". htmlspecialchars($indUser->getFullname()) ."</td>";
print "</tr></tbody></table><br>\n"; print "</tr></tbody></table><br>\n";
} }
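Review bot: In the first hunk of this file the `UI::exitError` call still receives the raw `$document->getName()` while `$docPathHTML` one line earlier is now escaped, leaving the access-denied page as an unescaped sink; it should become `array("documentname" => htmlspecialchars($document->getName()))`. In the second hunk the approval comment is escaped but `$approvalStatus["date"]` is printed raw; it is presumably a database timestamp, so this is likely harmless, but routing it through the same escaping (or a date formatter such as the `getLongReadableDate` used elsewhere in this commit) would keep the rule "escape everything read from the database" uniform. The enclosing `else if` block continues past the end of the hunk.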


@ -113,7 +113,7 @@ foreach ($entries as $entry){
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"../op/op.Download.php?arkname=".$entry."\">".$entry."</a></td>\n"; print "<td><a href=\"../op/op.Download.php?arkname=".$entry."\">".$entry."</a></td>\n";
if (is_object($folder)) print "<td>".$folder->getName()."</td>\n"; if (is_object($folder)) print "<td>".htmlspecialchars($folder->getName())."</td>\n";
else print "<td>".getMLText("unknown_id")."</td>\n"; else print "<td>".getMLText("unknown_id")."</td>\n";
print "<td>".getLongReadableDate(filectime($settings->_contentDir.$entry))."</td>\n"; print "<td>".getLongReadableDate(filectime($settings->_contentDir.$entry))."</td>\n";
print "<td>".formatted_size(filesize($settings->_contentDir.$entry))."</td>\n"; print "<td>".formatted_size(filesize($settings->_contentDir.$entry))."</td>\n";
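Review bot: `$entry` is written both into the `arkname=` query string and into the link text without any escaping, so the hunk leaves an unescaped value in two different contexts while escaping only the folder name next to it; the link should be built as `print "<td><a href=\"../op/op.Download.php?arkname=".rawurlencode($entry)."\">".htmlspecialchars($entry)."</a></td>\n";`. Where `$entries` comes from is outside the hunk; if it is a plain directory listing the risk is low, but the same value is also joined onto `$settings->_contentDir` two lines later, so it is worth confirming the list is produced by a filtered scan of that directory rather than anything request-derived.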


@ -94,7 +94,7 @@ if ($mode=="y"){
if (($event["start"]<=$xdate)&&($event["stop"]>=$xdate)){ if (($event["start"]<=$xdate)&&($event["stop"]>=$xdate)){
if (strlen($event['name']) > 25) $event['name'] = substr($event['name'], 0, 22) . "..."; if (strlen($event['name']) > 25) $event['name'] = substr($event['name'], 0, 22) . "...";
print "<td class='".$class."'><a href=\"../out/out.ViewEvent.php?id=".$event['id']."\">".$event['name']."</a></td>"; print "<td class='".$class."'><a href=\"../out/out.ViewEvent.php?id=".$event['id']."\">".htmlspecialchars($event['name'])."</a></td>";
}else{ }else{
print "<td class='".$class."'>&nbsp;</td>"; print "<td class='".$class."'>&nbsp;</td>";
} }
@ -163,7 +163,7 @@ if ($mode=="y"){
foreach ($events as $event){ foreach ($events as $event){
if (($event["start"]<=$i)&&($event["stop"]>=$i)){ if (($event["start"]<=$i)&&($event["stop"]>=$i)){
print "<td class='".$class."'><a href=\"../out/out.ViewEvent.php?id=".$event['id']."\">".$event['name']."</a></td>"; print "<td class='".$class."'><a href=\"../out/out.ViewEvent.php?id=".$event['id']."\">".htmlspecialchars($event['name'])."</a></td>";
}else{ }else{
print "<td class='".$class."'>&nbsp;</td>"; print "<td class='".$class."'>&nbsp;</td>";
} }
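Review bot: The name is truncated with byte-wise `strlen`/`substr` before it reaches the new `htmlspecialchars()` call, so a cut in the middle of a multibyte character produces an invalid UTF-8 string; on PHP 5.4 and later `htmlspecialchars()` returns an empty string for invalid input unless `ENT_SUBSTITUTE` is passed, which would make such event names vanish from the calendar. If event names are UTF-8 (not visible here), use `if (mb_strlen($event['name']) > 25) $event['name'] = mb_substr($event['name'], 0, 22) . "...";` in both hunks, or pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` to the escaping call. `$event['id']` is also interpolated into the href unescaped; it is presumably an integer key, but casting it would make that explicit.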


@ -69,7 +69,7 @@ UI::contentContainerStart();
foreach ($categories as $category) { foreach ($categories as $category) {
if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count; if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count;
print "<option value=\"".$category->getID()."\">" . $category->getName(); print "<option value=\"".$category->getID()."\">" . htmlspecialchars($category->getName());
$count++; $count++;
} }
?> ?>
@ -118,7 +118,7 @@ UI::contentContainerStart();
<form action="../op/op.Categories.php" > <form action="../op/op.Categories.php" >
<input type="Hidden" name="action" value="editcategory"> <input type="Hidden" name="action" value="editcategory">
<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>"> <input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
<input name="name" value="<?php echo $category->getName()?>">&nbsp; <input name="name" value="<?php echo htmlspecialchars($category->getName()) ?>">&nbsp;
<input type="Submit" value="<?php printMLText("save");?>"> <input type="Submit" value="<?php printMLText("save");?>">
</form> </form>
</td> </td>


@ -64,7 +64,7 @@ $(document).ready(function(){
echo "<option value=\"".$category->getId()."\""; echo "<option value=\"".$category->getId()."\"";
if(in_array($category->getID(), $selcatsarr)) if(in_array($category->getID(), $selcatsarr))
echo " selected"; echo " selected";
echo ">".$category->getName()."</option>\n"; echo ">".htmlspecialchars($category->getName())."</option>\n";
} }
?> ?>
</select> </select>


@ -72,7 +72,7 @@ UI::contentContainerStart();
if ((!$user->isAdmin()) && ($owner->getID() != $user->getID())) continue; if ((!$user->isAdmin()) && ($owner->getID() != $user->getID())) continue;
if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count; if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count;
print "<option value=\"".$category->getID()."\">" . $category->getName(); print "<option value=\"".$category->getID()."\">" . htmlspecialchars($category->getName());
$count++; $count++;
} }
?> ?>
@ -114,7 +114,7 @@ UI::contentContainerStart();
<form action="../op/op.DefaultKeywords.php" > <form action="../op/op.DefaultKeywords.php" >
<input type="Hidden" name="action" value="editcategory"> <input type="Hidden" name="action" value="editcategory">
<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>"> <input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
<input name="name" value="<?php echo $category->getName()?>">&nbsp; <input name="name" value="<?php echo htmlspecialchars($category->getName()) ?>">&nbsp;
<input type="Submit" value="<?php printMLText("save");?>"> <input type="Submit" value="<?php printMLText("save");?>">
</form> </form>
</td> </td>
@ -139,7 +139,7 @@ UI::contentContainerStart();
<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>"> <input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
<input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>"> <input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>">
<input type="Hidden" name="action" value="editkeywords"> <input type="Hidden" name="action" value="editkeywords">
<input name="keywords" value="<?php echo $list["keywords"]?>"> <input name="keywords" value="<?php echo htmlspecialchars($list["keywords"]) ?>">
<input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>"> <input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>">
<!-- <input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"> &nbsp; --> <!-- <input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"> &nbsp; -->
<a href="../op/op.DefaultKeywords.php?categoryid=<?php echo $category->getID()?>&keywordsid=<?php echo $list["id"]?>&action=removekeywords"><img src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"></a> <a href="../op/op.DefaultKeywords.php?categoryid=<?php echo $category->getID()?>&keywordsid=<?php echo $list["id"]?>&action=removekeywords"><img src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"></a>
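Review bot: The delete link on the last line performs a state change (`action=removekeywords`) over a plain GET `<a href>`, and the edit forms in this section carry no `method="post"` and no visible anti-CSRF token, so both are reachable from a third-party page or a link prefetcher; the keyword deletion should be a POST form (with the project's CSRF token, if one exists — none is visible here) rather than a hyperlink. Independently of that, `$category->getID()` and `$list["id"]` are concatenated into the URL and hidden fields unescaped; they are presumably integer keys, and an explicit `(int)` cast would document that assumption at the sink.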


@ -46,7 +46,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_ALL) { if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -97,7 +97,7 @@ if ($user->isAdmin()) {
print "<option value=\"".$currUser->getID()."\""; print "<option value=\"".$currUser->getID()."\"";
if ($currUser->getID() == $owner->getID()) if ($currUser->getID() == $owner->getID())
print " selected"; print " selected";
print ">" . $currUser->getFullname() . "</option>\n"; print ">" . htmlspecialchars($currUser->getFullname()) . "</option>\n";
} }
?> ?>
</select> </select>
@ -146,7 +146,7 @@ if (count($accessList["users"]) != 0 || count($accessList["groups"]) != 0) {
print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n"; print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n";
print "<tr>\n"; print "<tr>\n";
print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>\n"; print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>\n";
print "<td>". $userObj->getFullName() . "</td>\n"; print "<td>". htmlspecialchars($userObj->getFullName()) . "</td>\n";
print "<td>\n"; print "<td>\n";
printAccessModeSelection($userAccess->getMode()); printAccessModeSelection($userAccess->getMode());
print "</td>\n"; print "</td>\n";
@ -166,7 +166,7 @@ if (count($accessList["users"]) != 0 || count($accessList["groups"]) != 0) {
print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">"; print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">";
print "<tr>"; print "<tr>";
print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>"; print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>";
print "<td>". $groupObj->getName() . "</td>"; print "<td>". htmlspecialchars($groupObj->getName()) . "</td>";
print "<td>"; print "<td>";
printAccessModeSelection($groupAccess->getMode()); printAccessModeSelection($groupAccess->getMode());
print "</td>\n"; print "</td>\n";
@ -194,7 +194,7 @@ foreach ($allUsers as $userObj) {
if ($userObj->isGuest()) { if ($userObj->isGuest()) {
continue; continue;
} }
print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "</option>\n"; print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "</option>\n";
} }
?> ?>
</select> </select>
@ -208,7 +208,7 @@ foreach ($allUsers as $userObj) {
<?php <?php
$allGroups = $dms->getAllGroups(); $allGroups = $dms->getAllGroups();
foreach ($allGroups as $groupObj) { foreach ($allGroups as $groupObj) {
print "<option value=\"".$groupObj->getID()."\">" . $groupObj->getName() . "</option>\n"; print "<option value=\"".$groupObj->getID()."\">" . htmlspecialchars($groupObj->getName()) . "</option>\n";
} }
?> ?>
</select> </select>
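Review bot: The first hunk of this file escapes the document name in `$docPathHTML` but still hands the raw name to `UI::exitError` on the very next line, so the access-denied page remains an unescaped sink; it should read `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));` as the folder counterpart in this commit already does. The remaining hunks place user and group names only in element content and double-quoted attributes, where the default `htmlspecialchars()` flags are sufficient, but a single helper with `ENT_QUOTES` would remove the dependence on quoting style.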


@ -60,11 +60,10 @@ function printTree($path, $level = 0)
else UI::printImgPath("blank.png"); else UI::printImgPath("blank.png");
print "\" border=0>\n"; print "\" border=0>\n";
if ($folder->getAccessMode($user) >= M_READ) { if ($folder->getAccessMode($user) >= M_READ) {
print "<a class=\"foldertree_selectable\" href=\"javascript:folderSelected(" . $folder->getID() . ", '" . sanitizeString($folder->getName()) . "')\">"; print "<img src=\"".UI::getImgPath("folder_opened.gif")."\" border=0>".htmlspecialchars($folder->getName())."\n";
print "<img src=\"".UI::getImgPath("folder_opened.gif")."\" border=0>".$folder->getName()."</a>\n";
} }
else else
print "<img src=\"".UI::getImgPath("folder_opened.gif")."\" width=18 height=18 border=0>".$folder->getName()."\n"; print "<img src=\"".UI::getImgPath("folder_opened.gif")."\" width=18 height=18 border=0>".htmlspecialchars($folder->getName())."\n";
print " </li>\n"; print " </li>\n";
print "<ul style='list-style-type: none;'>"; print "<ul style='list-style-type: none;'>";
@ -81,14 +80,14 @@ function printTree($path, $level = 0)
print "<a href=\"out.DocumentChooser.php?form=$form&folderid=".$subFolders[$i]->getID()."\"><img class='treeicon' src=\"".getImgPath("plus.png")."\" border=0></a>"; print "<a href=\"out.DocumentChooser.php?form=$form&folderid=".$subFolders[$i]->getID()."\"><img class='treeicon' src=\"".getImgPath("plus.png")."\" border=0></a>";
else else
print "<img class='treeicon' src=\"".getImgPath("blank.png")."\">"; print "<img class='treeicon' src=\"".getImgPath("blank.png")."\">";
print "<img src=\"".getImgPath("folder_closed.gif")."\" border=0>".$subFolders[$i]->getName()."\n"; print "<img src=\"".getImgPath("folder_closed.gif")."\" border=0>".htmlspecialchars($subFolders[$i]->getName())."\n";
print "</li>"; print "</li>";
} }
} }
for ($i = 0; $i < count($documents); $i++) { for ($i = 0; $i < count($documents); $i++) {
print "<li>\n"; print "<li>\n";
print "<img class='treeicon' src=\"images/blank.png\">"; print "<img class='treeicon' src=\"images/blank.png\">";
print "<a class=\"foldertree_selectable\" href=\"javascript:documentSelected(".$documents[$i]->getID().",'".sanitizeString($documents[$i]->getName())."');\"><img src=\"images/file.gif\" border=0>".$documents[$i]->getName()."</a>"; print "<a class=\"foldertree_selectable\" href=\"javascript:documentSelected(".$documents[$i]->getID().",'".htmlspecialchars($documents[$i]->getName(), ENT_QUOTES)."');\"><img src=\"images/file.gif\" border=0>".htmlspecialchars($documents[$i]->getName())."</a>";
print "</li>"; print "</li>";
} }
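Review bot: The `documentSelected(…,'…')` link in the second hunk escapes the document name with `htmlspecialchars(…, ENT_QUOTES)` for a value that lands inside a JavaScript string literal within an HTML attribute; the browser decodes `&#039;` back to `'` when it parses the attribute, so a name containing a single quote (or a backslash, which the function never touches) still breaks out of the JS string and the escaping buys nothing in that context. The value has to be escaped for JavaScript first and then for HTML, e.g. `$jsName = htmlspecialchars(json_encode($documents[$i]->getName()), ENT_QUOTES);` followed by `... href=\"javascript:documentSelected(".$documents[$i]->getID().",".$jsName.");\">...`. The first hunk also removes the `folderSelected` anchor entirely instead of escaping it, so folders are no longer clickable in this chooser; the commit message does not mention that, so please confirm it is intended. `printTree` starts before and continues past these hunks.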


@ -77,13 +77,13 @@ UI::contentContainerStart();
<td> <td>
<?php <?php
$owner = $document->getOwner(); $owner = $document->getOwner();
print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFullName()."</a>"; print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>";
?> ?>
</td> </td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><?php print $document->getComment();?></td> <td><?php print htmlspecialchars($document->getComment());?></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("creation_date");?>:</td> <td><?php printMLText("creation_date");?>:</td>
@ -91,7 +91,7 @@ print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFu
</tr> </tr>
<tr> <tr>
<td><?php printMLText("keywords");?>:</td> <td><?php printMLText("keywords");?>:</td>
<td><?php print $document->getKeywords();?></td> <td><?php print htmlspecialchars($document->getKeywords());?></td>
</tr> </tr>
<?php <?php
if ($document->isLocked()) { if ($document->isLocked()) {
@ -99,7 +99,7 @@ if ($document->isLocked()) {
?> ?>
<tr> <tr>
<td><?php printMLText("lock_status");?>:</td> <td><?php printMLText("lock_status");?>:</td>
<td><?php printMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => $lockingUser->getFullName()));?></td> <td><?php printMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => htmlspecialchars($lockingUser->getFullName())));?></td>
</tr> </tr>
<?php <?php
} }
@ -142,11 +142,11 @@ if ($file_exists) print "<li>". formatted_size(filesize($dms->contentDir . $vers
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $version->getUser(); $updatingUser = $version->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".$updatingUser->getFullName()."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($version->getDate())."</li>"; print "<li>".getLongReadableDate($version->getDate())."</li>";
print "</ul></td>\n"; print "</ul></td>\n";
print "<td>".$version->getComment()."</td>"; print "<td>".htmlspecialchars($version->getComment())."</td>";
print "<td>".getOverallStatusText($status["status"])."</td>"; print "<td>".getOverallStatusText($status["status"])."</td>";
print "<td>"; print "<td>";
@ -193,7 +193,7 @@ if (is_array($reviewStatus) && count($reviewStatus)>0) {
$reqName = getMLText("unknown_user")." '".$r["required"]."'"; $reqName = getMLText("unknown_user")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getFullName(); $reqName = htmlspecialchars($required->getFullName());
} }
break; break;
case 1: // Reviewer is a group. case 1: // Reviewer is a group.
@ -202,7 +202,7 @@ if (is_array($reviewStatus) && count($reviewStatus)>0) {
$reqName = getMLText("unknown_group")." '".$r["required"]."'"; $reqName = getMLText("unknown_group")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getName(); $reqName = htmlspecialchars($required->getName());
} }
break; break;
} }
@ -239,7 +239,7 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
$reqName = getMLText("unknown_user")." '".$r["required"]."'"; $reqName = getMLText("unknown_user")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getFullName(); $reqName = htmlspecialchars($required->getFullName());
} }
break; break;
case 1: // Approver is a group. case 1: // Approver is a group.
@ -248,7 +248,7 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
$reqName = getMLText("unknown_group")." '".$r["required"]."'"; $reqName = getMLText("unknown_group")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getName(); $reqName = htmlspecialchars($required->getName());
} }
break; break;
} }
@ -256,7 +256,7 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
print "<td>".$reqName."</td>\n"; print "<td>".$reqName."</td>\n";
print "<td><ul class=\"documentDetail\"><li>".$a["date"]."</li>"; print "<td><ul class=\"documentDetail\"><li>".$a["date"]."</li>";
$updateUser = $dms->getUser($a["userID"]); $updateUser = $dms->getUser($a["userID"]);
print "<li>".(is_object($updateUser) ? $updateUser->getFullName() : "unknown user id '".$a["userID"]."'")."</li></ul></td>"; print "<li>".(is_object($updateUser) ? htmlspecialchars($updateUser->getFullName()) : "unknown user id '".$a["userID"]."'")."</li></ul></td>";
print "<td>".$a["comment"]."</td>\n"; print "<td>".$a["comment"]."</td>\n";
print "<td>".getApprovalStatusText($a["status"])."</td>\n"; print "<td>".getApprovalStatusText($a["status"])."</td>\n";
print "</tr>\n"; print "</tr>\n";
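Review bot: In the last hunk the approval comment `$a["comment"]` is still printed raw, while the version comment earlier in this file and the approval comment in the approval page of this same commit are escaped; it should be `print "<td>".htmlspecialchars($a["comment"])."</td>\n";`. The owner and uploader e-mail addresses are also concatenated into `mailto:` hrefs without escaping in two hunks, and the locking user's e-mail goes into `lock_message` raw, so an address containing a double quote can terminate the attribute; wrapping each `getEmail()` in `htmlspecialchars()` closes that. The unknown-user/unknown-group branches build `$reqName` from `$r["required"]` without escaping, which is presumably an integer but is printed into a table cell either way.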


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
$versionid = $_GET["version"]; $versionid = $_GET["version"];
$version = $document->getContentByVersion($versionid); $version = $document->getContentByVersion($versionid);
@ -81,7 +81,7 @@ UI::contentContainerStart();
<table cellpadding="3"> <table cellpadding="3">
<tr> <tr>
<td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td> <td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="80"><?php print $version->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="80"><?php print htmlspecialchars($version->getComment());?></textarea></td>
</tr> </tr>
<tr> <tr>
<td colspan="2"><br><input type="Submit" value="<?php printMLText("save") ?>"></td> <td colspan="2"><br><input type="Submit" value="<?php printMLText("save") ?>"></td>
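Review bot: `$_GET["version"]` is assigned to `$versionid` and passed to `getContentByVersion()` without a cast or validation in the first hunk, and `$documentid` is interpolated into the `$docPathHTML` href unescaped; whether the model method parameterises its query is not visible here, but a `(int)` cast at this boundary (`$versionid = (int) $_GET["version"];`) would make both the query and the later output safe regardless. The textarea escaping in the second hunk is correct, since `htmlspecialchars()` covers the `<` and `&` that matter inside `<textarea>`.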


@ -35,7 +35,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -70,7 +70,7 @@ function checkForm()
</script> </script>
<?php <?php
UI::contentHeading(getMLText("edit_document_props") . ": " . $document->getName()); UI::contentHeading(getMLText("edit_document_props"));
UI::contentContainerStart(); UI::contentContainerStart();
?> ?>
<form action="../op/op.EditDocument.php" name="form1" onsubmit="return checkForm();" method="POST"> <form action="../op/op.EditDocument.php" name="form1" onsubmit="return checkForm();" method="POST">
@ -78,16 +78,16 @@ UI::contentContainerStart();
<table cellpadding="3"> <table cellpadding="3">
<tr> <tr>
<td class="inputDescription"><?php printMLText("name");?>:</td> <td class="inputDescription"><?php printMLText("name");?>:</td>
<td><input name="name" value="<?php print $document->getName();?>" size="60"></td> <td><input name="name" value="<?php print htmlspecialchars($document->getName());?>" size="60"></td>
</tr> </tr>
<tr> <tr>
<td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td> <td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="80"><?php print $document->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="80"><?php print htmlspecialchars($document->getComment());?></textarea></td>
</tr> </tr>
<tr> <tr>
<td valign="top" class="inputDescription"><?php printMLText("keywords");?>:</td> <td valign="top" class="inputDescription"><?php printMLText("keywords");?>:</td>
<td class="standardText"> <td class="standardText">
<textarea name="keywords" rows="2" cols="80"><?php print $document->getKeywords();?></textarea><br> <textarea name="keywords" rows="2" cols="80"><?php print htmlspecialchars($document->getKeywords());?></textarea><br>
<a href="javascript:chooseKeywords('form1.keywords');"><?php printMLText("use_default_keywords");?></a> <a href="javascript:chooseKeywords('form1.keywords');"><?php printMLText("use_default_keywords");?></a>
<script language="JavaScript"> <script language="JavaScript">
var openDlg; var openDlg;
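Review bot: The `contentHeading` change in the second hunk removes the document name from the heading altogether rather than escaping it, which is a silent UI regression not mentioned in the commit message; the intended fix is presumably `UI::contentHeading(getMLText("edit_document_props") . ": " . htmlspecialchars($document->getName()));`. The first hunk also still passes the raw name to `UI::exitError` on the line after the escaped `$docPathHTML`, which should take `htmlspecialchars($document->getName())` as well. The form-field escaping in the third hunk is correct for the double-quoted `value` attribute and the textareas.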


@ -84,11 +84,11 @@ function checkForm()
</tr> </tr>
<tr> <tr>
<td class="inputDescription"><?php printMLText("name");?>:</td> <td class="inputDescription"><?php printMLText("name");?>:</td>
<td><input name="name" value="<?php echo $event["name"];?>" size="60"></td> <td><input name="name" value="<?php echo htmlspecialchars($event["name"]);?>" size="60"></td>
</tr> </tr>
<tr> <tr>
<td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td> <td valign="top" class="inputDescription"><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="80"><?php echo $event["comment"]?></textarea></td> <td><textarea name="comment" rows="4" cols="80"><?php echo htmlspecialchars($event["comment"])?></textarea></td>
</tr> </tr>
<tr> <tr>
<td colspan="2"><br><input type="Submit" value="<?php printMLText("edit_event");?>"></td> <td colspan="2"><br><input type="Submit" value="<?php printMLText("edit_event");?>"></td>


@ -79,11 +79,11 @@ UI::contentContainerStart();
<table> <table>
<tr> <tr>
<td><?php printMLText("name");?>:</td> <td><?php printMLText("name");?>:</td>
<td><input name="name" value="<?php print $folder->getName();?>" size="60"></td> <td><input name="name" value="<?php print htmlspecialchars($folder->getName());?>" size="60"></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="80"><?php print $folder->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="80"><?php print htmlspecialchars($folder->getComment());?></textarea></td>
</tr> </tr>
<?php <?php
$parent = ($folder->getID() == $settings->_rootFolderID) ? false : $folder->getParent(); $parent = ($folder->getID() == $settings->_rootFolderID) ? false : $folder->getParent();


@ -74,15 +74,15 @@ UI::contentContainerStart();
</tr> </tr>
<tr> <tr>
<td><?php printMLText("name");?>:</td> <td><?php printMLText("name");?>:</td>
<td><input name="fullname" value="<?php print $user->getFullName();?>" size="30"></td> <td><input name="fullname" value="<?php print htmlspecialchars($user->getFullName());?>" size="30"></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("email");?>:</td> <td><?php printMLText("email");?>:</td>
<td><input name="email" value="<?php print $user->getEmail();?>" size="30"></td> <td><input name="email" value="<?php print htmlspecialchars($user->getEmail());?>" size="30"></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="80"><?php print $user->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="80"><?php print htmlspecialchars($user->getComment());?></textarea></td>
</tr> </tr>
<?php <?php


@ -95,7 +95,7 @@ if ($user->isAdmin()) {
print "<option value=\"".$currUser->getID()."\""; print "<option value=\"".$currUser->getID()."\"";
if ($currUser->getID() == $owner->getID()) if ($currUser->getID() == $owner->getID())
print " selected"; print " selected";
print ">" . $currUser->getFullname() . "</option>\n"; print ">" . htmlspecialchars($currUser->getFullname()) . "</option>\n";
} }
?> ?>
</select> </select>
@ -146,7 +146,7 @@ if ((count($accessList["users"]) != 0) || (count($accessList["groups"]) != 0)) {
print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n"; print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n";
print "<tr>\n"; print "<tr>\n";
print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>\n"; print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>\n";
print "<td>". $userObj->getFullName() . "</td>\n"; print "<td>". htmlspecialchars($userObj->getFullName()) . "</td>\n";
print "<td>\n"; print "<td>\n";
printAccessModeSelection($userAccess->getMode()); printAccessModeSelection($userAccess->getMode());
print "</td>\n"; print "</td>\n";
@ -166,7 +166,7 @@ if ((count($accessList["users"]) != 0) || (count($accessList["groups"]) != 0)) {
print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">"; print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">";
print "<tr>"; print "<tr>";
print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>"; print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>";
print "<td>". $groupObj->getName() . "</td>"; print "<td>". htmlspecialchars($groupObj->getName()) . "</td>";
print "<td>"; print "<td>";
printAccessModeSelection($groupAccess->getMode()); printAccessModeSelection($groupAccess->getMode());
print "</td>\n"; print "</td>\n";
@ -194,7 +194,7 @@ foreach ($allUsers as $userObj) {
if ($userObj->isGuest()) { if ($userObj->isGuest()) {
continue; continue;
} }
print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "\n"; print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
} }
?> ?>
</select> </select>
@ -208,7 +208,7 @@ foreach ($allUsers as $userObj) {
<?php <?php
$allGroups = $dms->getAllGroups(); $allGroups = $dms->getAllGroups();
foreach ($allGroups as $groupObj) { foreach ($allGroups as $groupObj) {
print "<option value=\"".$groupObj->getID()."\">" . $groupObj->getName() . "\n"; print "<option value=\"".$groupObj->getID()."\">" . htmlspecialchars($groupObj->getName()) . "\n";
} }
?> ?>
</select> </select>


@ -38,12 +38,12 @@ if (!is_object($folder)) {
$folderPathHTML = getFolderPathHTML($folder, true); $folderPathHTML = getFolderPathHTML($folder, true);
if ($folder->getAccessMode($user) < M_READ) { if ($folder->getAccessMode($user) < M_READ) {
UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("access_denied")); UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("access_denied"));
} }
$notifyList = $folder->getNotifyList(); $notifyList = $folder->getNotifyList();
UI::htmlStartPage(getMLText("folder_title", array("foldername" => $folder->getName()))); UI::htmlStartPage(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))));
UI::globalNavigation($folder); UI::globalNavigation($folder);
UI::pageNavigation($folderPathHTML, "view_folder", $folder); UI::pageNavigation($folderPathHTML, "view_folder", $folder);
@ -81,7 +81,7 @@ else {
foreach ($notifyList["users"] as $userNotify) { foreach ($notifyList["users"] as $userNotify) {
print "<tr>"; print "<tr>";
print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>"; print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>";
print "<td>" . $userNotify->getFullName() . "</td>"; print "<td>" . htmlspecialchars($userNotify->getFullName()) . "</td>";
if ($user->isAdmin() || $user->getID() == $userNotify->getID()) { if ($user->isAdmin() || $user->getID() == $userNotify->getID()) {
print "<td><a href=\"../op/op.FolderNotify.php?folderid=". $folderid . "&action=delnotify&userid=".$userNotify->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete")."</td>"; print "<td><a href=\"../op/op.FolderNotify.php?folderid=". $folderid . "&action=delnotify&userid=".$userNotify->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete")."</td>";
}else print "<td></td>"; }else print "<td></td>";
@ -92,7 +92,7 @@ else {
foreach ($notifyList["groups"] as $groupNotify) { foreach ($notifyList["groups"] as $groupNotify) {
print "<tr>"; print "<tr>";
print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>"; print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>";
print "<td>" . $groupNotify->getName() . "</td>"; print "<td>" . htmlspecialchars($groupNotify->getName()) . "</td>";
if ($user->isAdmin() || $groupNotify->isMember($user,true)) { if ($user->isAdmin() || $groupNotify->isMember($user,true)) {
print "<td><a href=\"../op/op.FolderNotify.php?folderid=". $folderid . "&action=delnotify&groupid=".$groupNotify->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete")."</td>"; print "<td><a href=\"../op/op.FolderNotify.php?folderid=". $folderid . "&action=delnotify&groupid=".$groupNotify->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete")."</td>";
}else print "<td></td>"; }else print "<td></td>";
@ -118,11 +118,11 @@ print "</table>\n";
$allUsers = $dms->getAllUsers(); $allUsers = $dms->getAllUsers();
foreach ($allUsers as $userObj) { foreach ($allUsers as $userObj) {
if (!$userObj->isGuest() && ($folder->getAccessMode($userObj) >= M_READ) && !in_array($userObj->getID(), $userNotifyIDs)) if (!$userObj->isGuest() && ($folder->getAccessMode($userObj) >= M_READ) && !in_array($userObj->getID(), $userNotifyIDs))
print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "\n"; print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
} }
} }
elseif (!$user->isGuest() && !in_array($user->getID(), $userNotifyIDs)) { elseif (!$user->isGuest() && !in_array($user->getID(), $userNotifyIDs)) {
print "<option value=\"".$user->getID()."\">" . $user->getFullName() . "\n"; print "<option value=\"".$user->getID()."\">" . htmlspecialchars($user->getFullName()) . "\n";
} }
?> ?>
</select> </select>
@ -137,7 +137,7 @@ print "</table>\n";
$allGroups = $dms->getAllGroups(); $allGroups = $dms->getAllGroups();
foreach ($allGroups as $groupObj) { foreach ($allGroups as $groupObj) {
if (($user->isAdmin() || $groupObj->isMember($user,true)) && $folder->getGroupAccessMode($groupObj) >= M_READ && !in_array($groupObj->getID(), $groupNotifyIDs)) { if (($user->isAdmin() || $groupObj->isMember($user,true)) && $folder->getGroupAccessMode($groupObj) >= M_READ && !in_array($groupObj->getID(), $groupNotifyIDs)) {
print "<option value=\"".$groupObj->getID()."\">" . $groupObj->getName() . "\n"; print "<option value=\"".$groupObj->getID()."\">" . htmlspecialchars($groupObj->getName()) . "\n";
} }
} }
?> ?>


@ -115,7 +115,7 @@ UI::contentContainerStart();
foreach ($groups as $group) { foreach ($groups as $group) {
if (isset($_GET["groupid"]) && $group->getID()==$_GET["groupid"]) $selected=$count; if (isset($_GET["groupid"]) && $group->getID()==$_GET["groupid"]) $selected=$count;
print "<option value=\"".$group->getID()."\">" . $group->getName(); print "<option value=\"".$group->getID()."\">" . htmlspecialchars($group->getName());
$count++; $count++;
} }
?> ?>
@ -150,7 +150,7 @@ UI::contentContainerStart();
print "<td id=\"keywords".$group->getID()."\" style=\"display : none;\">"; print "<td id=\"keywords".$group->getID()."\" style=\"display : none;\">";
UI::contentSubHeading(getMLText("group")." : ".$group->getName()); UI::contentSubHeading(getMLText("group")." : ".htmlspecialchars($group->getName()));
?> ?>
@ -166,11 +166,11 @@ UI::contentContainerStart();
<table> <table>
<tr> <tr>
<td><?php printMLText("name");?>:</td> <td><?php printMLText("name");?>:</td>
<td><input name="name" value="<?php print $group->getName();?>"></td> <td><input name="name" value="<?php print htmlspecialchars($group->getName());?>"></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="50"><?php print $group->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="50"><?php print htmlspecialchars($group->getComment());?></textarea></td>
</tr> </tr>
<tr> <tr>
<td colspan="2"><input type="Submit" value="<?php printMLText("save");?>"></td> <td colspan="2"><input type="Submit" value="<?php printMLText("save");?>"></td>
@ -191,7 +191,7 @@ UI::contentContainerStart();
print "<tr>"; print "<tr>";
print "<td><img src=\"images/usericon.gif\" width=16 height=16></td>"; print "<td><img src=\"images/usericon.gif\" width=16 height=16></td>";
print "<td>" . $member->getFullName() . "</td>"; print "<td>" . htmlspecialchars($member->getFullName()) . "</td>";
print "<td>" . ($group->isMember($member,true)?getMLText("manager"):"&nbsp;") . "</td>"; print "<td>" . ($group->isMember($member,true)?getMLText("manager"):"&nbsp;") . "</td>";
print "<td align=\"right\"><ul class=\"actions\">"; print "<td align=\"right\"><ul class=\"actions\">";
print "<li><a href=\"../op/op.GroupMgr.php?groupid=". $group->getID() . "&userid=".$member->getID()."&action=rmmember\">".getMLText("delete")."</a>"; print "<li><a href=\"../op/op.GroupMgr.php?groupid=". $group->getID() . "&userid=".$member->getID()."&action=rmmember\">".getMLText("delete")."</a>";
@ -220,7 +220,7 @@ UI::contentContainerStart();
<?php <?php
foreach ($allUsers as $currUser) foreach ($allUsers as $currUser)
if (!$group->isMember($currUser)) if (!$group->isMember($currUser))
print "<option value=\"".$currUser->getID()."\">" . $currUser->getFullName() . "\n"; print "<option value=\"".$currUser->getID()."\">" . htmlspecialchars($currUser->getFullName()) . "\n";
?> ?>
</select> </select>
</td> </td>


@ -58,9 +58,9 @@ foreach ($groups as $group){
$managers = $group->getManagers(); $managers = $group->getManagers();
$ismanager = false; /* set to true if current user is manager */ $ismanager = false; /* set to true if current user is manager */
echo "<li>".$group->getName(); echo "<li>".htmlspecialchars($group->getName());
if($group->getComment()) if($group->getComment())
echo " : ".$group->getComment(); echo " : ".htmlspecialchars($group->getComment());
foreach($managers as $manager) foreach($managers as $manager)
if($manager->getId() == $user->getId()) { if($manager->getId() == $user->getId()) {
echo " : you are the manager of this group"; echo " : you are the manager of this group";
@ -73,7 +73,7 @@ foreach ($groups as $group){
foreach ($members as $member) { foreach ($members as $member) {
$memberids[] = $member->getId(); $memberids[] = $member->getId();
echo "<li>".$member->getFullName(); echo "<li>".htmlspecialchars($member->getFullName());
if ($member->getEmail()!="") if ($member->getEmail()!="")
echo " (<a href=\"mailto:".$member->getEmail()."\">".$member->getEmail()."</a>)"; echo " (<a href=\"mailto:".$member->getEmail()."\">".$member->getEmail()."</a>)";
foreach($managers as $manager) foreach($managers as $manager)
@ -92,7 +92,7 @@ foreach ($groups as $group){
echo "<option value=\"\"></option>"; echo "<option value=\"\"></option>";
foreach($users as $u) { foreach($users as $u) {
if(!$u->isAdmin() && !$u->isGuest() && !in_array($u->getId(), $memberids)) if(!$u->isAdmin() && !$u->isGuest() && !in_array($u->getId(), $memberids))
echo "<option value=\"".$u->getId()."\">".$u->getFullName()."</option>"; echo "<option value=\"".$u->getId()."\">".htmlspecialchars($u->getFullName())."</option>";
} }
echo "</select>"; echo "</select>";
echo "</form>"; echo "</form>";
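Review bot: The member e-mail on the line following `echo "<li>".htmlspecialchars($member->getFullName());` is still printed raw, twice, in the `mailto:` href and as the link text, so this hunk leaves one DB-sourced field unescaped right next to the ones it fixes. An address like `a"onmouseover="…` breaks out of the double-quoted href. Escape it once and reuse it: `$email = htmlspecialchars($member->getEmail());` then `echo " (<a href=\"mailto:".$email."\">".$email."</a>)";`. The surrounding foreach over `$groups` starts before this section's first hunk.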


@ -28,14 +28,14 @@ include("../inc/inc.Authentication.php");
function tree($folder, $indent='') { /* {{{ */ function tree($folder, $indent='') { /* {{{ */
global $index, $dms; global $index, $dms;
echo $indent."D ".$folder->getName()."\n"; echo $indent."D ".htmlspecialchars($folder->getName())."\n";
$subfolders = $folder->getSubFolders(); $subfolders = $folder->getSubFolders();
foreach($subfolders as $subfolder) { foreach($subfolders as $subfolder) {
tree($subfolder, $indent.' '); tree($subfolder, $indent.' ');
} }
$documents = $folder->getDocuments(); $documents = $folder->getDocuments();
foreach($documents as $document) { foreach($documents as $document) {
echo $indent." ".$document->getId().":".$document->getName()." "; echo $indent." ".$document->getId().":".htmlspecialchars($document->getName())." ";
/* If the document wasn't indexed before then just add it */ /* If the document wasn't indexed before then just add it */
if(!($hits = $index->find('document_id:'.$document->getId()))) { if(!($hits = $index->find('document_id:'.$document->getId()))) {
$index->addDocument(new LetoDMS_Lucene_IndexedDocument($dms, $document)); $index->addDocument(new LetoDMS_Lucene_IndexedDocument($dms, $document));


@ -127,7 +127,7 @@ UI::contentContainerStart();
if (!$owner->isAdmin()) if (!$owner->isAdmin())
continue; continue;
print "<option value=\"".$category->getID()."\">" . $category->getName(); print "<option value=\"".$category->getID()."\">" . htmlspecialchars($category->getName());
} }
?> ?>
</select> </select>
@ -149,7 +149,7 @@ UI::contentContainerStart();
else { else {
print "<ul>"; print "<ul>";
foreach ($lists as $list) { foreach ($lists as $list) {
print "<li><a href='javascript:insertKeywords(\"$list[keywords]\");'>$list[keywords]</a></li>"; print "<li><a href='javascript:insertKeywords(\"".htmlspecialchars($list["keywords"])."\");'>".htmlspecialchars($list["keywords"])."</a></li>";
} }
print "</ul>"; print "</ul>";
} }
@ -171,7 +171,7 @@ UI::contentContainerStart();
if ($owner->isAdmin()) if ($owner->isAdmin())
continue; continue;
print "<option value=\"".$category->getID()."\">" . $category->getName(); print "<option value=\"".$category->getID()."\">" . htmlspecialchars($category->getName());
} }
?> ?>
</select> </select>
@ -192,7 +192,7 @@ UI::contentContainerStart();
else { else {
print "<ul>"; print "<ul>";
foreach ($lists as $list) { foreach ($lists as $list) {
print "<li><a href='javascript:insertKeywords(\"$list[keywords]\");'>$list[keywords]</a></li>"; print "<li><a href='javascript:insertKeywords(\"".htmlspecialchars($list["keywords"])."\");'>".htmlspecialchars($list["keywords"])."</a></li>";
} }
print "</ul>"; print "</ul>";
} }
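Review bot: htmlspecialchars() is the wrong escaper for the keyword link in the `@ -149,7` hunk (and the identical line in the `@ -192,7` hunk): the keyword sits inside a JavaScript string literal inside a single-quoted `href='javascript:insertKeywords("…")'`, and the browser decodes `&quot;` back to `"` before the URL is executed, so a keyword containing `");…` still terminates the JS string, while with the default ENT_COMPAT flags a bare `'` still ends the attribute. Encode for the JS context first and then for the HTML attribute with ENT_QUOTES, e.g. `$kw = $list["keywords"];` followed by `print "<li><a href='javascript:insertKeywords(".htmlspecialchars(json_encode($kw), ENT_QUOTES).");'>".htmlspecialchars($kw)."</a></li>";`. Both foreach loops begin and end outside their hunks.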


@ -83,8 +83,8 @@ function printFolderNotificationList($ret,$deleteaction=true) {
$owner = $fld->getOwner(); $owner = $fld->getOwner();
print "<tr class=\"folder\">"; print "<tr class=\"folder\">";
print "<td><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></td>"; print "<td><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></td>";
print "<td><a href=\"../out/out.ViewFolder.php?folderid=".$ID."\">" . $fld->getName() . "</a></td>\n"; print "<td><a href=\"../out/out.ViewFolder.php?folderid=".$ID."\">" . htmlspecialchars($fld->getName()) . "</a></td>\n";
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td><ul class=\"actions\">"; print "<td><ul class=\"actions\">";
if ($deleteaction) print "<li><a href='../op/op.ManageNotify.php?id=".$ID."&type=folder&action=del'>".getMLText("delete")."</a>"; if ($deleteaction) print "<li><a href='../op/op.ManageNotify.php?id=".$ID."&type=folder&action=del'>".getMLText("delete")."</a>";
else print "<li><a href='../out/out.FolderNotify.php?folderid=".$ID."'>".getMLText("edit")."</a>"; else print "<li><a href='../out/out.FolderNotify.php?folderid=".$ID."'>".getMLText("edit")."</a>";
@ -119,8 +119,8 @@ function printDocumentNotificationList($ret,$deleteaction=true) {
$status = $latest->getStatus(); $status = $latest->getStatus();
print "<tr>\n"; print "<tr>\n";
print "<td><img src=\"images/file.gif\" width=18 height=18 border=0></td>"; print "<td><img src=\"images/file.gif\" width=18 height=18 border=0></td>";
print "<td><a href=\"../out/out.ViewDocument.php?documentid=".$ID."\">" . $doc->getName() . "</a></td>\n"; print "<td><a href=\"../out/out.ViewDocument.php?documentid=".$ID."\">" . htmlspecialchars($doc->getName()) . "</a></td>\n";
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td>".getOverallStatusText($status["status"])."</td>"; print "<td>".getOverallStatusText($status["status"])."</td>";
print "<td class=\"center\">".$latest->getVersion()."</td>"; print "<td class=\"center\">".$latest->getVersion()."</td>";
print "<td><ul class=\"actions\">"; print "<td><ul class=\"actions\">";


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
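Review bot: The last line of this hunk still passes the raw `$document->getName()` into the access-denied title, while the line above it escapes the same name for `$docPathHTML` and the folder pages in this commit escape the name in their `UI::exitError` calls. Make the document pages consistent: `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));`. The `if` that opens on the previous line closes outside the hunk.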

View File

@ -45,13 +45,13 @@ if ($settings->_enableUserImage){
print "<tr>\n"; print "<tr>\n";
print "<td>".getMLText("name")." : </td>\n"; print "<td>".getMLText("name")." : </td>\n";
print "<td>".$user->getFullName().($user->isAdmin() ? " (".getMLText("admin").")" : "")."</td>\n"; print "<td>".htmlspecialchars($user->getFullName()).($user->isAdmin() ? " (".getMLText("admin").")" : "")."</td>\n";
print "</tr>\n<tr>\n"; print "</tr>\n<tr>\n";
print "<td>".getMLText("user_login")." : </td>\n"; print "<td>".getMLText("user_login")." : </td>\n";
print "<td>".$user->getLogin()."</td>\n"; print "<td>".$user->getLogin()."</td>\n";
print "</tr>\n<tr>\n"; print "</tr>\n<tr>\n";
print "<td>".getMLText("email")." : </td>\n"; print "<td>".getMLText("email")." : </td>\n";
print "<td>".$user->getEmail()."</td>\n"; print "<td>".htmlspecialchars($user->getEmail())."</td>\n";
print "</tr>\n<tr>\n"; print "</tr>\n<tr>\n";
print "<td>".getMLText("comment")." : </td>\n"; print "<td>".getMLText("comment")." : </td>\n";
print "<td>".$user->getComment()."</td>\n"; print "<td>".$user->getComment()."</td>\n";
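Review bot: The login and the comment in this hunk are still printed unescaped (`$user->getLogin()` in the middle row and `$user->getComment()` on the last line), although the full name and the e-mail two rows apart were changed to go through htmlspecialchars(). A comment is free text from the database and is the most likely of the four to carry markup. Change the two lines to `print "<td>".htmlspecialchars($user->getLogin())."</td>\n";` and `print "<td>".htmlspecialchars($user->getComment())."</td>\n";`. The hunk header announces 13 lines and only 12 are visible here, so one line may be missing from this view.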


@ -153,10 +153,10 @@ if ($showInProcess){
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"] ."</td>"; print "<td>".$st["date"]." ". htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["statusName"]) ."</td>";
print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>"; print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -178,10 +178,10 @@ if ($showInProcess){
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"]."</td>"; print "<td>".$st["date"]." ". htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["statusName"])."</td>";
print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>"; print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -214,10 +214,10 @@ if ($showInProcess){
$printheader=false; $printheader=false;
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"]."</td>"; print "<td>".$st["date"]." ". htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["statusName"])."</td>";
print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>"; print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -237,10 +237,10 @@ if ($showInProcess){
$printheader=false; $printheader=false;
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.ViewDocument.php?documentid=".$st["documentID"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"]."</td>"; print "<td>".$st["date"]." ". htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["statusName"])."</td>";
print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>"; print "<td".($docIdx[$st["documentID"]][$st["version"]]['status']!=S_EXPIRED?"":" class=\"warning\"").">".(!$docIdx[$st["documentID"]][$st["version"]]["expires"] ? "-":getReadableDate($docIdx[$st["documentID"]][$st["version"]]["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -316,10 +316,10 @@ if ($showInProcess){
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . $res["name"] . "</a></td>\n"; print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . htmlspecialchars($res["name"]) . "</a></td>\n";
print "<td>".getOverallStatusText($res["status"])."</td>"; print "<td>".getOverallStatusText($res["status"])."</td>";
print "<td>".$res["version"]."</td>"; print "<td>".$res["version"]."</td>";
print "<td>".$res["statusDate"]." ".$res["statusName"]."</td>"; print "<td>".$res["statusDate"]." ".htmlspecialchars($res["statusName"])."</td>";
print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>"; print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -381,10 +381,10 @@ if ($showInProcess){
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . $res["name"] . "</a></td>\n"; print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . htmlspecialchars($res["name"]) . "</a></td>\n";
print "<td>".getOverallStatusText($res["status"])."</td>"; print "<td>".getOverallStatusText($res["status"])."</td>";
print "<td>".$res["version"]."</td>"; print "<td>".$res["version"]."</td>";
print "<td>".$res["statusDate"]." ".$res["statusName"]."</td>"; print "<td>".$res["statusDate"]." ".htmlspecialchars($res["statusName"])."</td>";
print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>"; print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -466,10 +466,10 @@ else {
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . $res["name"] . "</a></td>\n"; print "<td><a href=\"out.ViewDocument.php?documentid=".$res["documentID"]."\">" . htmlspecialchars($res["name"]) . "</a></td>\n";
print "<td>".getOverallStatusText($res["status"])."</td>"; print "<td>".getOverallStatusText($res["status"])."</td>";
print "<td>".$res["version"]."</td>"; print "<td>".$res["version"]."</td>";
print "<td>".$res["statusDate"]." ". $res["statusName"]."</td>"; print "<td>".$res["statusDate"]." ". htmlspecialchars($res["statusName"])."</td>";
//print "<td>".(!$res["expires"] ? getMLText("does_not_expire"):getReadableDate($res["expires"]))."</td>"; //print "<td>".(!$res["expires"] ? getMLText("does_not_expire"):getReadableDate($res["expires"]))."</td>";
print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>"; print "<td>".(!$res["expires"] ? "-":getReadableDate($res["expires"]))."</td>";
print "</tr>\n"; print "</tr>\n";


@ -39,13 +39,13 @@ function tree($folder, $repair, $path=':', $indent='') { /* {{{ */
print "<td><a class=\"standardText\" href=\"../out/out.ViewFolder.php?folderid=".$folder->getID()."\">"; print "<td><a class=\"standardText\" href=\"../out/out.ViewFolder.php?folderid=".$folder->getID()."\">";
$tmppath = $folder->getPath(); $tmppath = $folder->getPath();
for ($i = 1; $i < count($tmppath); $i++) { for ($i = 1; $i < count($tmppath); $i++) {
print "/".$tmppath[$i]->getName(); print "/".htmlspecialchars($tmppath[$i]->getName());
} }
print $foldername; print $foldername;
print "</a></td>"; print "</a></td>";
$owner = $folder->getOwner(); $owner = $folder->getOwner();
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td>Folderlist is '".$folderList."', should be '".$path."'</td>"; print "<td>Folderlist is '".$folderList."', should be '".$path."'</td>";
if($repair) { if($repair) {
$folder->repair(); $folder->repair();
@ -74,12 +74,12 @@ function tree($folder, $repair, $path=':', $indent='') { /* {{{ */
$folder = $document->getFolder(); $folder = $document->getFolder();
$tmppath = $folder->getPath(); $tmppath = $folder->getPath();
for ($i = 1; $i < count($tmppath); $i++) { for ($i = 1; $i < count($tmppath); $i++) {
print $tmppath[$i]->getName()."/"; print htmlspecialchars($tmppath[$i]->getName())."/";
} }
print $document->getName(); print $document->getName();
print "</a></td>"; print "</a></td>";
$owner = $document->getOwner(); $owner = $document->getOwner();
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td>Folderlist is '".$folderList."', should be '".$path."'</td>"; print "<td>Folderlist is '".$folderList."', should be '".$path."'</td>";
if($repair) { if($repair) {
$document->repair(); $document->repair();
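Review bot: In both hunks of tree() the path components are escaped but the leaf is not: `print $foldername;` in the first hunk and `print $document->getName();` in the second emit the name raw inside the same `<a>` whose parent segments were just wrapped in htmlspecialchars(). Assuming `$foldername` is derived from `$folder->getName()` (its assignment is outside the hunk), both should be `print htmlspecialchars($foldername);` and `print htmlspecialchars($document->getName());`. tree() starts before the first hunk and ends after the second.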


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_ALL) { if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
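Review bot: The `UI::exitError` call on the hunk's last line still uses the unescaped `$document->getName()`, one line after the same value was wrapped in htmlspecialchars() for `$docPathHTML`. If exitError renders the title as HTML this is the same stored-XSS sink the commit is closing elsewhere; the folder counterpart in this commit already escapes it. Use `array("documentname" => htmlspecialchars($document->getName()))` here as well. The enclosing `if` closes outside the hunk.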


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_ALL) { if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -52,7 +52,7 @@ UI::contentContainerStart();
<form action="../op/op.RemoveDocument.php" name="form1" method="POST"> <form action="../op/op.RemoveDocument.php" name="form1" method="POST">
<input type="Hidden" name="documentid" value="<?php print $documentid;?>"> <input type="Hidden" name="documentid" value="<?php print $documentid;?>">
<p> <p>
<?php printMLText("confirm_rm_document", array ("documentname" => $document->getName()));?> <?php printMLText("confirm_rm_document", array ("documentname" => htmlspecialchars($document->getName())));?>
</p> </p>
<p><input type="Submit" value="<?php printMLText("rm_document");?>"></p> <p><input type="Submit" value="<?php printMLText("rm_document");?>"></p>
</form> </form>
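Review bot: `UI::exitError(getMLText("document_title", array("documentname" => $document->getName())), ...)` in the first hunk is left unescaped while the confirmation text in the second hunk now is; it should read `array("documentname" => htmlspecialchars($document->getName()))` for consistency. One caveat applies to every escaped call in this commit: the commit message says the stored values are already entity-encoded, so these calls now double-encode (`&amp;lt;`). The durable fix is to stop encoding on save and keep escaping at output, rather than passing `double_encode=false`, which would only paper over the inconsistency.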


@ -35,7 +35,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if (!isset($_GET["fileid"]) || !is_numeric($_GET["fileid"]) || intval($_GET["fileid"])<1) { if (!isset($_GET["fileid"]) || !is_numeric($_GET["fileid"]) || intval($_GET["fileid"])<1) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_file_id")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_file_id"));
@ -63,7 +63,7 @@ UI::contentContainerStart();
<form action="../op/op.RemoveDocumentFile.php" name="form1" method="POST"> <form action="../op/op.RemoveDocumentFile.php" name="form1" method="POST">
<input type="Hidden" name="documentid" value="<?php echo $documentid?>"> <input type="Hidden" name="documentid" value="<?php echo $documentid?>">
<input type="Hidden" name="fileid" value="<?php echo $fileid?>"> <input type="Hidden" name="fileid" value="<?php echo $fileid?>">
<p><?php printMLText("confirm_rm_file", array ("documentname" => $document->getName(), "name" => $file->getName()));?></p> <p><?php printMLText("confirm_rm_file", array ("documentname" => $document->getName(), "name" => htmlspecialchars($file->getName())));?></p>
<input type="Submit" value="<?php printMLText("rm_file");?>"> <input type="Submit" value="<?php printMLText("rm_file");?>">
</form> </form>
<?php <?php
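Review bot: On the `confirm_rm_file` line in the second hunk, `"name" => $file->getName()` is escaped but `"documentname" => $document->getName()` on the very same line is not, so a crafted document name is still injected into the confirmation text; both should go through `htmlspecialchars()`. The `invalid_file_id` exitError in the first hunk has the same gap with the raw document name.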


@ -46,7 +46,7 @@ UI::contentContainerStart();
?> ?>
<form action="../op/op.RemoveEvent.php" name="form1" method="POST"> <form action="../op/op.RemoveEvent.php" name="form1" method="POST">
<input type="Hidden" name="eventid" value="<?php echo $_GET["id"]; ?>"> <input type="Hidden" name="eventid" value="<?php echo $_GET["id"]; ?>">
<p><?php printMLText("confirm_rm_event", array ("name" => $event["name"]));?></p> <p><?php printMLText("confirm_rm_event", array ("name" => htmlspecialchars($event["name"])));?></p>
<input type="Submit" value="<?php printMLText("delete");?>"> <input type="Submit" value="<?php printMLText("delete");?>">
</form> </form>
<?php <?php
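Review bot: `value="<?php echo $_GET["id"]; ?>"` on the hidden input two lines above the newly escaped event name reflects the raw query parameter into an HTML attribute; unless the top of the file (outside this hunk) already rejects non-numeric ids, that is a reflected XSS sink the event-name escaping does not close. Emit a normalised value instead, e.g. `value="<?php echo (int)$_GET["id"]; ?>"`, and use `ENT_QUOTES` wherever a string has to be placed inside a quoted attribute, since the default flags leave single quotes alone on this PHP generation.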


@ -56,7 +56,7 @@ UI::contentContainerStart();
<input type="Hidden" name="folderid" value="<?php print $folderid;?>"> <input type="Hidden" name="folderid" value="<?php print $folderid;?>">
<input type="Hidden" name="showtree" value="<?php echo showtree();?>"> <input type="Hidden" name="showtree" value="<?php echo showtree();?>">
<p> <p>
<?php printMLText("confirm_rm_folder", array ("foldername" => $folder->getName()));?> <?php printMLText("confirm_rm_folder", array ("foldername" => htmlspecialchars($folder->getName())));?>
</p> </p>
<p><input type="Submit" value="<?php printMLText("rm_folder");?>"></p> <p><input type="Submit" value="<?php printMLText("rm_folder");?>"></p>
</form> </form>


@ -47,7 +47,7 @@ UI::contentContainerStart();
?> ?>
<form action="../op/op.RemoveFolderFiles.php" name="form1" method="POST"> <form action="../op/op.RemoveFolderFiles.php" name="form1" method="POST">
<input type="Hidden" name="folderid" value="<?php echo $folderid?>"> <input type="Hidden" name="folderid" value="<?php echo $folderid?>">
<p><?php printMLText("confirm_rm_folder_files", array ("foldername" => $folder->getName()));?></p> <p><?php printMLText("confirm_rm_folder_files", array ("foldername" => htmlspecialchars($folder->getName())));?></p>
<input type="Submit" value="<?php printMLText("accept");?>"> <input type="Submit" value="<?php printMLText("accept");?>">
</form> </form>
<?php <?php


@ -49,7 +49,7 @@ UI::contentContainerStart();
<input type="Hidden" name="groupid" value="<?php print $groupid;?>"> <input type="Hidden" name="groupid" value="<?php print $groupid;?>">
<input type="Hidden" name="action" value="removegroup"> <input type="Hidden" name="action" value="removegroup">
<p> <p>
<?php printMLText("confirm_rm_group", array ("groupname" => $currGroup->getName()));?> <?php printMLText("confirm_rm_group", array ("groupname" => htmlspecialchars($currGroup->getName())));?>
</p> </p>
<p><input type="Submit" value="<?php printMLText("rm_group");?>"></p> <p><input type="Submit" value="<?php printMLText("rm_group");?>"></p>
</form> </form>


@ -54,7 +54,7 @@ UI::contentContainerStart();
<input type="Hidden" name="userid" value="<?php print $userid;?>"> <input type="Hidden" name="userid" value="<?php print $userid;?>">
<input type="Hidden" name="action" value="removeuser"> <input type="Hidden" name="action" value="removeuser">
<p> <p>
<?php printMLText("confirm_rm_user", array ("username" => $currUser->getFullName()));?> <?php printMLText("confirm_rm_user", array ("username" => htmlspecialchars($currUser->getFullName())));?>
</p> </p>
<p> <p>
@ -67,7 +67,7 @@ UI::contentContainerStart();
continue; continue;
if (isset($_GET["userid"]) && $currUser->getID()==$_GET["userid"]) $selected=$count; if (isset($_GET["userid"]) && $currUser->getID()==$_GET["userid"]) $selected=$count;
print "<option value=\"".$currUser->getID()."\">" . $currUser->getLogin(); print "<option value=\"".$currUser->getID()."\">" . htmlspecialchars($currUser->getLogin());
} }
?> ?>
</select> </select>
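Review bot: `$currUser->getID()==$_GET["userid"]` in the second hunk is a loose int-to-string comparison, so a value like `"3abc"` matches user 3 on this PHP generation; cast once and compare strictly, `$currUser->getID() === (int)$_GET["userid"]`. The hidden `userid` printed in the first hunk is presumably the validated form of the same parameter (the validation, if any, is outside the hunk) — if it is not, it needs the same cast before being echoed into the attribute.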


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_ALL) { if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -64,7 +64,7 @@ UI::contentContainerStart();
<form action="../op/op.RemoveVersion.php" name="form1" method="POST"> <form action="../op/op.RemoveVersion.php" name="form1" method="POST">
<input type="Hidden" name="documentid" value="<?php echo $documentid?>"> <input type="Hidden" name="documentid" value="<?php echo $documentid?>">
<input type="Hidden" name="version" value="<?php echo $version->getVersion()?>"> <input type="Hidden" name="version" value="<?php echo $version->getVersion()?>">
<p><?php printMLText("confirm_rm_version", array ("documentname" => $document->getName(), "version" => $version->getVersion()));?></p> <p><?php printMLText("confirm_rm_version", array ("documentname" => htmlspecialchars($document->getName()), "version" => $version->getVersion()));?></p>
<input type="Submit" value="<?php printMLText("rm_version");?>"> <input type="Submit" value="<?php printMLText("rm_version");?>">
</form> </form>
<?php <?php
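Review bot: The `access_denied` exitError in the first hunk still receives the raw `$document->getName()` immediately after the same name was escaped for `$docPathHTML`; use `htmlspecialchars($document->getName())` there as well. In the second hunk `$version->getVersion()` is echoed into a hidden input and into the confirmation text unescaped — fine if versions are guaranteed integers (not visible here), otherwise it needs the same treatment.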


@ -37,7 +37,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READ) { if ($document->getAccessMode($user) < M_READ) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -128,7 +128,7 @@ if ($reviewStatus['type'] == 0) {
print "</td>"; print "</td>";
print "<td>".$reviewStatus["comment"]."</td>"; print "<td>".$reviewStatus["comment"]."</td>";
$indUser = $dms->getUser($reviewStatus["userID"]); $indUser = $dms->getUser($reviewStatus["userID"]);
print "<td>".$reviewStatus["date"]." - ". $indUser->getFullname() ."</td>"; print "<td>".$reviewStatus["date"]." - ". htmlspecialchars($indUser->getFullname()) ."</td>";
print "</tr></tbody></table><br>"; print "</tr></tbody></table><br>";
} }
?> ?>
@ -166,7 +166,7 @@ else if ($reviewStatus['type'] == 1) {
print "</td>"; print "</td>";
print "<td>".$reviewStatus["comment"]."</td>"; print "<td>".$reviewStatus["comment"]."</td>";
$indUser = $dms->getUser($reviewStatus["userID"]); $indUser = $dms->getUser($reviewStatus["userID"]);
print "<td>".$reviewStatus["date"]." - ". $indUser->getFullname() ."</td>"; print "<td>".$reviewStatus["date"]." - ". htmlspecialchars($indUser->getFullname()) ."</td>";
print "</tr></tbody></table><br>\n"; print "</tr></tbody></table><br>\n";
} }
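Review bot: `print "<td>".$reviewStatus["comment"]."</td>";` in both the second and third hunks prints the reviewer's free-text comment straight from the database, one line above the user name that is now escaped; comments are user-supplied prose, so this is the likelier stored-XSS sink of the two. Change it to `print "<td>".htmlspecialchars($reviewStatus["comment"])."</td>";` in both places. The `access_denied` exitError in the first hunk also still passes the raw document name.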


@ -124,8 +124,8 @@ foreach ($reviewStatus["indstatus"] as $st) {
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.DocumentVersionDetail.php?documentid=".$st["documentID"]."&version=".$st["version"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.DocumentVersionDetail.php?documentid=".$st["documentID"]."&version=".$st["version"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".getOverallStatusText($docIdx[$st["documentID"]][$st["version"]]["status"])."</td>"; print "<td>".getOverallStatusText($docIdx[$st["documentID"]][$st["version"]]["status"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"] ."</td>"; print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"] ."</td>";
@ -164,8 +164,8 @@ foreach ($reviewStatus["grpstatus"] as $st) {
} }
print "<tr>\n"; print "<tr>\n";
print "<td><a href=\"out.DocumentVersionDetail.php?documentid=".$st["documentID"]."&version=".$st["version"]."\">".$docIdx[$st["documentID"]][$st["version"]]["name"]."</a></td>"; print "<td><a href=\"out.DocumentVersionDetail.php?documentid=".$st["documentID"]."&version=".$st["version"]."\">".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["name"])."</a></td>";
print "<td>".$docIdx[$st["documentID"]][$st["version"]]["ownerName"]."</td>"; print "<td>".htmlspecialchars($docIdx[$st["documentID"]][$st["version"]]["ownerName"])."</td>";
print "<td>".getOverallStatusText($docIdx[$st["documentID"]][$st["version"]]["status"])."</td>"; print "<td>".getOverallStatusText($docIdx[$st["documentID"]][$st["version"]]["status"])."</td>";
print "<td>".$st["version"]."</td>"; print "<td>".$st["version"]."</td>";
print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"] ."</td>"; print "<td>".$st["date"]." ". $docIdx[$st["documentID"]][$st["version"]]["statusName"] ."</td>";
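Review bot: `$docIdx[$st["documentID"]][$st["version"]]["statusName"]` on the last line of each hunk is still printed raw, one line after `ownerName` from the same index array was escaped; if it is a user name or a label read from the database (the code that fills `$docIdx` is outside the hunk, so verify) it needs `htmlspecialchars()` too. Separately, the `&` joining `documentid` and `version` in the `href` should be written `&amp;` inside an HTML attribute.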


@ -114,7 +114,7 @@ function chooseKeywords(target) {
<?php <?php
$allCats = $dms->getDocumentCategories(); $allCats = $dms->getDocumentCategories();
foreach ($allCats as $catObj) { foreach ($allCats as $catObj) {
print "<option value=\"".$catObj->getID()."\">" . $catObj->getName() . "\n"; print "<option value=\"".$catObj->getID()."\">" . htmlspecialchars($catObj->getName()) . "\n";
} }
?> ?>
</select> </select>
@ -144,7 +144,7 @@ foreach ($allUsers as $userObj)
{ {
if ($userObj->isGuest()) if ($userObj->isGuest())
continue; continue;
print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "\n"; print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
} }
?> ?>
</select> </select>
@ -220,7 +220,7 @@ echo "</td>\n</tr>\n";
<?php <?php
$allCats = $dms->getDocumentCategories(); $allCats = $dms->getDocumentCategories();
foreach ($allCats as $catObj) { foreach ($allCats as $catObj) {
print "<option value=\"".$catObj->getID()."\">" . $catObj->getName() . "\n"; print "<option value=\"".$catObj->getID()."\">" . htmlspecialchars($catObj->getName()) . "\n";
} }
?> ?>
</select> </select>
@ -237,7 +237,7 @@ foreach ($allUsers as $userObj)
{ {
if ($userObj->isGuest()) if ($userObj->isGuest())
continue; continue;
print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "\n"; print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
} }
?> ?>
</select> </select>


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
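Review bot: The raw `$document->getName()` survives in the `access_denied` exitError on the last line of the hunk while the line above now escapes it for `$docPathHTML`; make it `array("documentname" => htmlspecialchars($document->getName()))` so the error page cannot be used to inject markup through a document name. The script continues past the hunk.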


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_ALL) { if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -115,25 +115,25 @@ foreach ($docAccess["users"] as $usr) {
if ($mandatory){ if ($mandatory){
print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName()." &lt;".$usr->getEmail()."&gt;"; print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName())." &lt;".$usr->getEmail()."&gt;";
print "<input id='revInd".$usr->getID()."' type='hidden' name='indReviewers[]' value='". $usr->getID() ."'>"; print "<input id='revInd".$usr->getID()."' type='hidden' name='indReviewers[]' value='". $usr->getID() ."'>";
}else if (isset($reviewIndex["i"][$usr->getID()])) { }else if (isset($reviewIndex["i"][$usr->getID()])) {
switch ($reviewIndex["i"][$usr->getID()]["status"]) { switch ($reviewIndex["i"][$usr->getID()]["status"]) {
case 0: case 0:
print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."' checked='checked'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."' checked='checked'>".htmlspecialchars($usr->getFullName());
break; break;
case -2: case -2:
print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>".htmlspecialchars($usr->getFullName());
break; break;
default: default:
print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."' disabled='disabled'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."' disabled='disabled'>".htmlspecialchars($usr->getFullName());
break; break;
} }
} }
else { else {
print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". $usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
} }
?> ?>
@ -150,25 +150,25 @@ foreach ($docAccess["groups"] as $group) {
if ($mandatory){ if ($mandatory){
print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$group->getName(); print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($group->getName());
print "<input id='revGrp".$group->getID()."' type='hidden' name='grpReviewers[]' value='". $group->getID() ."'>"; print "<input id='revGrp".$group->getID()."' type='hidden' name='grpReviewers[]' value='". $group->getID() ."'>";
}else if (isset($reviewIndex["g"][$group->getID()])) { }else if (isset($reviewIndex["g"][$group->getID()])) {
switch ($reviewIndex["g"][$group->getID()]["status"]) { switch ($reviewIndex["g"][$group->getID()]["status"]) {
case 0: case 0:
print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."' checked='checked'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."' checked='checked'>".htmlspecialchars($group->getName());
break; break;
case -2: case -2:
print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."'>".htmlspecialchars($group->getName());
break; break;
default: default:
print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."' disabled='disabled'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."' disabled='disabled'>".htmlspecialchars($group->getName());
break; break;
} }
} }
else { else {
print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$group->getID()."' type='checkbox' name='grpReviewers[]' value='". $group->getID() ."'>".htmlspecialchars($group->getName());
} }
} }
?> ?>
@ -191,25 +191,25 @@ foreach ($docAccess["users"] as $usr) {
if ($mandatory){ if ($mandatory){
print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName()." &lt;".$usr->getEmail()."&gt;"; print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName())." &lt;".$usr->getEmail()."&gt;";
print "<input id='appInd".$usr->getID()."' type='hidden' name='indApprovers[]' value='". $usr->getID() ."'>"; print "<input id='appInd".$usr->getID()."' type='hidden' name='indApprovers[]' value='". $usr->getID() ."'>";
}else if (isset($approvalIndex["i"][$usr->getID()])) { }else if (isset($approvalIndex["i"][$usr->getID()])) {
switch ($approvalIndex["i"][$usr->getID()]["status"]) { switch ($approvalIndex["i"][$usr->getID()]["status"]) {
case 0: case 0:
print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."' checked='checked'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."' checked='checked'>".htmlspecialchars($usr->getFullName());
break; break;
case -2: case -2:
print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>".htmlspecialchars($usr->getFullName());
break; break;
default: default:
print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."' disabled='disabled'>".$usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."' disabled='disabled'>".htmlspecialchars($usr->getFullName());
break; break;
} }
} }
else { else {
print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". $usr->getFullName(); print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
} }
?> ?>
@ -226,25 +226,25 @@ foreach ($docAccess["groups"] as $group) {
if ($mandatory){ if ($mandatory){
print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$group->getName(); print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($group->getName());
print "<input id='appGrp".$group->getID()."' type='hidden' name='grpApprovers[]' value='". $group->getID() ."'>"; print "<input id='appGrp".$group->getID()."' type='hidden' name='grpApprovers[]' value='". $group->getID() ."'>";
}else if (isset($approvalIndex["g"][$group->getID()])) { }else if (isset($approvalIndex["g"][$group->getID()])) {
switch ($approvalIndex["g"][$group->getID()]["status"]) { switch ($approvalIndex["g"][$group->getID()]["status"]) {
case 0: case 0:
print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."' checked='checked'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."' checked='checked'>".htmlspecialchars($group->getName());
break; break;
case -2: case -2:
print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."'>".htmlspecialchars($group->getName());
break; break;
default: default:
print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."' disabled='disabled'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."' disabled='disabled'>".htmlspecialchars($group->getName());
break; break;
} }
} }
else { else {
print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."'>".$group->getName(); print "<li class=\"cbSelectItem\"><input id='appGrp".$group->getID()."' type='checkbox' name='grpApprovers[]' value='". $group->getID() ."'>".htmlspecialchars($group->getName());
} }
} }
?> ?>
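Review bot: `$usr->getEmail()` is printed raw between the `&lt;`/`&gt;` entities on the mandatory-reviewer and mandatory-approver lines (first line of the second and fourth hunks) while the adjacent full name is escaped; the equivalent line in the update-document view in this same commit does escape the e-mail, so these should become `htmlspecialchars($usr->getEmail())` too. The `access_denied` exitError in the first hunk still passes the raw document name into `getMLText()`.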


@ -87,11 +87,11 @@ function printFolder($folder) {
$color = $folder->inheritsAccess() ? "black" : getAccessColor($folder->getDefaultAccess()); $color = $folder->inheritsAccess() ? "black" : getAccessColor($folder->getDefaultAccess());
print "<li class=\"folderClass\">"; print "<li class=\"folderClass\">";
print "<a style=\"color: $color\" href=\"out.ViewFolder.php?folderid=".$folder->getID()."\">".$folder->getName() ."</a>"; print "<a style=\"color: $color\" href=\"out.ViewFolder.php?folderid=".$folder->getID()."\">".htmlspecialchars($folder->getName()) ."</a>";
$owner = $folder->getOwner(); $owner = $folder->getOwner();
$color = getAccessColor(M_ALL); $color = getAccessColor(M_ALL);
print " [<span style=\"color: $color\">".$owner->getFullName()."</span>] "; print " [<span style=\"color: $color\">".htmlspecialchars($owner->getFullName())."</span>] ";
if (! $folder->inheritsAccess()) if (! $folder->inheritsAccess())
printAccessList($folder); printAccessList($folder);
@ -140,11 +140,11 @@ function printDocument($document) {
$color = $document->inheritsAccess() ? "black" : getAccessColor($document->getDefaultAccess()); $color = $document->inheritsAccess() ? "black" : getAccessColor($document->getDefaultAccess());
print "<li class=\"documentClass\">"; print "<li class=\"documentClass\">";
print "<a style=\"color: $color\" href=\"out.ViewDocument.php?documentid=".$document->getID()."\">".$document->getName()."</a>"; print "<a style=\"color: $color\" href=\"out.ViewDocument.php?documentid=".$document->getID()."\">".htmlspecialchars($document->getName())."</a>";
$owner = $document->getOwner(); $owner = $document->getOwner();
$color = getAccessColor(M_ALL); $color = getAccessColor(M_ALL);
print " [<span style=\"color: $color\">".$owner->getFullName()."</span>] "; print " [<span style=\"color: $color\">".htmlspecialchars($owner->getFullName())."</span>] ";
if (! $document->inheritsAccess()) printAccessList($document); if (! $document->inheritsAccess()) printAccessList($document);
@ -167,7 +167,7 @@ function printAccessList($obj) {
{ {
$group = $accessList["groups"][$i]->getGroup(); $group = $accessList["groups"][$i]->getGroup();
$color = getAccessColor($accessList["groups"][$i]->getMode()); $color = getAccessColor($accessList["groups"][$i]->getMode());
print "<span style=\"color: $color\">".$group->getName()."</span>"; print "<span style=\"color: $color\">".htmlspecialchars($group->getName())."</span>";
if ($i+1 < count($accessList["groups"]) || count($accessList["users"]) > 0) if ($i+1 < count($accessList["groups"]) || count($accessList["users"]) > 0)
print ", "; print ", ";
} }
@ -175,7 +175,7 @@ function printAccessList($obj) {
{ {
$user = $accessList["users"][$i]->getUser(); $user = $accessList["users"][$i]->getUser();
$color = getAccessColor($accessList["users"][$i]->getMode()); $color = getAccessColor($accessList["users"][$i]->getMode());
print "<span style=\"color: $color\">".$user->getFullName()."</span>"; print "<span style=\"color: $color\">".htmlspecialchars($user->getFullName())."</span>";
if ($i+1 < count($accessList["users"])) if ($i+1 < count($accessList["users"]))
print ", "; print ", ";
} }


@ -36,7 +36,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -71,7 +71,7 @@ function checkForm()
</script> </script>
<?php <?php
UI::contentHeading(getMLText("update_document") . ": " . $document->getName()); UI::contentHeading(getMLText("update_document"));
UI::contentContainerStart(); UI::contentContainerStart();
if ($document->isLocked()) { if ($document->isLocked()) {
@ -80,7 +80,7 @@ if ($document->isLocked()) {
print "<table><tr><td class=\"warning\">"; print "<table><tr><td class=\"warning\">";
printMLText("update_locked_msg", array("username" => $lockingUser->getFullName(), "email" => $lockingUser->getEmail())); printMLText("update_locked_msg", array("username" => htmlspecialchars($lockingUser->getFullName()), "email" => $lockingUser->getEmail()));
if ($lockingUser->getID() == $user->getID()) if ($lockingUser->getID() == $user->getID())
printMLText("unlock_cause_locking_user"); printMLText("unlock_cause_locking_user");
@ -158,8 +158,8 @@ $docAccess = $document->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['reviewerUserID']==$usr->getID()) $mandatory=true; foreach ($res as $r) if ($r['reviewerUserID']==$usr->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName());
else print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". $usr->getFullName(); else print "<li class=\"cbSelectItem\"><input id='revInd".$usr->getID()."' type='checkbox' name='indReviewers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
?> ?>
</ul> </ul>
@ -173,8 +173,8 @@ $docAccess = $document->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $mandatory=true; foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$grp->getName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($grp->getName());
else print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".$grp->getName(); else print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>
</ul> </ul>
@ -195,8 +195,8 @@ $docAccess = $document->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['approverUserID']==$usr->getID()) $mandatory=true; foreach ($res as $r) if ($r['approverUserID']==$usr->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". $usr->getFullName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>". htmlspecialchars($usr->getFullName());
else print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". $usr->getFullName(); else print "<li class=\"cbSelectItem\"><input id='appInd".$usr->getID()."' type='checkbox' name='indApprovers[]' value='". $usr->getID() ."'>". htmlspecialchars($usr->getFullName());
} }
?> ?>
</ul> </ul>
@ -210,8 +210,8 @@ $docAccess = $document->getApproversList();
$mandatory=false; $mandatory=false;
foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $mandatory=true; foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $mandatory=true;
if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".$grp->getName(); if ($mandatory) print "<li class=\"cbSelectItem\"><input type='checkbox' checked='checked' disabled='disabled'>".htmlspecialchars($grp->getName());
else print "<li class=\"cbSelectItem\"><input id='appGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".$grp->getName(); else print "<li class=\"cbSelectItem\"><input id='appGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>


@ -41,7 +41,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>"; $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".htmlspecialchars($document->getName())."</a>";
if ($document->getAccessMode($user) < M_READWRITE) { if ($document->getAccessMode($user) < M_READWRITE) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -60,7 +60,7 @@ if ($document->isLocked()) {
print "<table><tr><td class=\"warning\">"; print "<table><tr><td class=\"warning\">";
printMLText("update_locked_msg", array("username" => $lockingUser->getFullName(), "email" => $lockingUser->getEmail())); printMLText("update_locked_msg", array("username" => htmlspecialchars($lockingUser->getFullName()), "email" => htmlspecialchars($lockingUser->getEmail())));
if ($lockingUser->getID() == $user->getID()) if ($lockingUser->getID() == $user->getID())
printMLText("unlock_cause_locking_user"); printMLText("unlock_cause_locking_user");
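Review bot: The `UI::exitError` call two lines below the new `$docPathHTML` assignment still passes `$document->getName()` unescaped into the page title, although the same hunk now escapes that very value inside `$docPathHTML`; it should become `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));`. On the `$docPathHTML` line itself `$documentid` is also interpolated raw into the `href`; if it is taken from the request rather than from `$document->getID()`, cast it with `(int)` or escape it as well. The enclosing script continues before and after both hunks.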


@ -68,7 +68,7 @@ UI::contentContainerStart();
if ($owner->getID() != $user->getID()) continue; if ($owner->getID() != $user->getID()) continue;
if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count; if (isset($_GET["categoryid"]) && $category->getID()==$_GET["categoryid"]) $selected=$count;
print "<option value=\"".$category->getID()."\">" . $category->getName(); print "<option value=\"".$category->getID()."\">" . htmlspecialchars($category->getName());
$count++; $count++;
} }
?> ?>
@ -109,7 +109,7 @@ UI::contentContainerStart();
<form action="../op/op.UserDefaultKeywords.php" method="post" name="<?php echo "category".$category->getID()?>"> <form action="../op/op.UserDefaultKeywords.php" method="post" name="<?php echo "category".$category->getID()?>">
<input type="Hidden" name="action" value="editcategory"> <input type="Hidden" name="action" value="editcategory">
<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>"> <input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
<input name="name" value="<?php echo $category->getName()?>"> <input name="name" value="<?php echo htmlspecialchars($category->getName())?>">
<input type="Submit" value="<?php printMLText("save");?>"> <input type="Submit" value="<?php printMLText("save");?>">
</form> </form>
</td> </td>
@ -133,7 +133,7 @@ UI::contentContainerStart();
<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>"> <input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
<input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>"> <input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>">
<input type="Hidden" name="action" value="editkeywords"> <input type="Hidden" name="action" value="editkeywords">
<input name="keywords" value="<?php echo $list["keywords"]?>"> <input name="keywords" value="<?php echo htmlspecialchars($list["keywords"]) ?>">
<input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>" border="0"> <input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>" border="0">
<!-- <input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"> &nbsp; --> <!-- <input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"> &nbsp; -->
<a href="../op/op.UserDefaultKeywords.php?categoryid=<?php echo $category->getID()?>&keywordsid=<?php echo $list["id"]?>&action=removekeywords"><img src="images/del.gif" title="<?php echo getMLText("delete")?>" border=0></a> <a href="../op/op.UserDefaultKeywords.php?categoryid=<?php echo $category->getID()?>&keywordsid=<?php echo $list["id"]?>&action=removekeywords"><img src="images/del.gif" title="<?php echo getMLText("delete")?>" border=0></a>
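Review bot: The delete link at the end of the last hunk still interpolates `$list["id"]` into the `href` with no escaping or casting, while `$list["keywords"]` from the same result row is now wrapped in `htmlspecialchars()` three lines above; `<?php echo (int)$list["id"]?>` (or the same escaping) keeps the row consistent. The `removekeywords` action is also triggered by a plain GET link, so a state-changing operation can be reached by a URL alone; moving it into the row's POST form (as the commented-out image input suggests it once was) would be the safer shape, although that is outside what this commit changes. The surrounding loop and table markup begin and end outside the hunk.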


@ -176,7 +176,7 @@ UI::contentContainerStart();
<?php <?php
foreach ($groups as $grp) { foreach ($groups as $grp) {
print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".$grp->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpReviewers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>
</ul> </ul>
@ -206,7 +206,7 @@ UI::contentContainerStart();
<?php <?php
foreach ($groups as $grp) { foreach ($groups as $grp) {
print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".$grp->getName(); print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' name='grpApprovers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName());
} }
?> ?>
</ul> </ul>
@ -252,7 +252,7 @@ UI::contentContainerStart();
</tr> </tr>
<tr> <tr>
<td><?php printMLText("user_name");?>:</td> <td><?php printMLText("user_name");?>:</td>
<td><input name="name" value="<?php print $currUser->getFullName();?>"></td> <td><input name="name" value="<?php print htmlspecialchars($currUser->getFullName());?>"></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("email");?>:</td> <td><?php printMLText("email");?>:</td>
@ -260,7 +260,7 @@ UI::contentContainerStart();
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><textarea name="comment" rows="4" cols="50"><?php print $currUser->getComment();?></textarea></td> <td><textarea name="comment" rows="4" cols="50"><?php print htmlspecialchars($currUser->getComment());?></textarea></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("role");?>:</td> <td><?php printMLText("role");?>:</td>
@ -324,7 +324,7 @@ UI::contentContainerStart();
$checked=false; $checked=false;
foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $checked=true; foreach ($res as $r) if ($r['reviewerGroupID']==$grp->getID()) $checked=true;
print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' ".($checked?"checked='checked' ":"")."name='grpReviewers[]' value='". $grp->getID() ."'>".$grp->getName()."</li>\n"; print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' ".($checked?"checked='checked' ":"")."name='grpReviewers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName())."</li>\n";
} }
?> ?>
</ul> </ul>
@ -364,7 +364,7 @@ UI::contentContainerStart();
$checked=false; $checked=false;
foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $checked=true; foreach ($res as $r) if ($r['approverGroupID']==$grp->getID()) $checked=true;
print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' ".($checked?"checked='checked' ":"")."name='grpApprovers[]' value='". $grp->getID() ."'>".$grp->getName()."</li>\n"; print "<li class=\"cbSelectItem\"><input id='revGrp".$grp->getID()."' type='checkbox' ".($checked?"checked='checked' ":"")."name='grpApprovers[]' value='". $grp->getID() ."'>".htmlspecialchars($grp->getName())."</li>\n";
} }
?> ?>
</ul> </ul>
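Review bot: The approver checkboxes in the `@ -206` hunk (`name='grpApprovers[]'`) and again in the `@ -364` hunk reuse the `revGrp` id prefix of the reviewer checkboxes, so the page emits a duplicate element id for every group; the id should be `"appGrp".$grp->getID()` in both approver lists, matching the `appGrp`/`revGrp` split used by the other review/approval forms in this commit. The escaping itself looks complete for this file; `htmlspecialchars()` with its default flags leaves single quotes untouched, which is acceptable here because every escaped value lands in element text or a double-quoted attribute. All six hunks are cut from loops or tables that start and end outside them.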


@ -60,10 +60,10 @@ foreach ($users as $currUser) {
echo "<tr>\n"; echo "<tr>\n";
print "<td>".$currUser->getFullName()."</td>"; print "<td>".htmlspecialchars($currUser->getFullName())."</td>";
print "<td><a href=\"mailto:".$currUser->getEmail()."\">".$currUser->getEmail()."</a></td>"; print "<td><a href=\"mailto:".$currUser->getEmail()."\">".$currUser->getEmail()."</a></td>";
print "<td>".$currUser->getComment()."</td>"; print "<td>".htmlspecialchars($currUser->getComment())."</td>";
if ($settings->_enableUserImage){ if ($settings->_enableUserImage){
print "<td>"; print "<td>";
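Review bot: The `mailto:` line between the two newly escaped lines is untouched, so `$currUser->getEmail()` is still written raw both into the `href` attribute and into the link text while the full name and comment around it are now escaped; it should read `print "<td><a href=\"mailto:".htmlspecialchars($currUser->getEmail())."\">".htmlspecialchars($currUser->getEmail())."</a></td>";`. The enclosing `foreach ($users as $currUser)` starts before the hunk and its `if ($settings->_enableUserImage)` branch continues past it.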


@ -48,7 +48,7 @@ if (!is_object($document)) {
} }
$folder = $document->getFolder(); $folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / ".$document->getName(); $docPathHTML = getFolderPathHTML($folder, true). " / ".htmlspecialchars($document->getName());
if ($document->getAccessMode($user) < M_READ) { if ($document->getAccessMode($user) < M_READ) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied")); UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
@ -80,7 +80,7 @@ if ($document->isLocked()) {
$lockingUser = $document->getLockingUser(); $lockingUser = $document->getLockingUser();
?> ?>
<tr> <tr>
<td class="warning" colspan=2><?php printMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => $lockingUser->getFullName()));?></td> <td class="warning" colspan=2><?php printMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => htmlspecialchars($lockingUser->getFullName())));?></td>
</tr> </tr>
<?php <?php
} }
@ -96,7 +96,7 @@ print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFu
</tr> </tr>
<tr> <tr>
<td><?php printMLText("comment");?>:</td> <td><?php printMLText("comment");?>:</td>
<td><?php print $document->getComment();?></td> <td><?php print htmlspecialchars($document->getComment());?></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("creation_date");?>:</td> <td><?php printMLText("creation_date");?>:</td>
@ -104,7 +104,7 @@ print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFu
</tr> </tr>
<tr> <tr>
<td><?php printMLText("keywords");?>:</td> <td><?php printMLText("keywords");?>:</td>
<td><?php print $document->getKeywords();?></td> <td><?php print htmlspecialchars($document->getKeywords());?></td>
</tr> </tr>
<tr> <tr>
<td><?php printMLText("categories");?>:</td> <td><?php printMLText("categories");?>:</td>
@ -113,7 +113,7 @@ print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFu
$cats = $document->getCategories(); $cats = $document->getCategories();
$ct = array(); $ct = array();
foreach($cats as $cat) foreach($cats as $cat)
$ct[] = $cat->getName(); $ct[] = htmlspecialchars($cat->getName());
echo implode(', ', $ct); echo implode(', ', $ct);
?> ?>
</td> </td>
@ -153,11 +153,11 @@ if ($file_exists)
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $latestContent->getUser(); $updatingUser = $latestContent->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".$updatingUser->getFullName()."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($latestContent->getDate())."</li>"; print "<li>".getLongReadableDate($latestContent->getDate())."</li>";
print "</ul>\n"; print "</ul>\n";
print "<td>".$latestContent->getComment()."</td>"; print "<td>".htmlspecialchars($latestContent->getComment())."</td>";
print "<td width='10%'>".getOverallStatusText($status["status"]); print "<td width='10%'>".getOverallStatusText($status["status"]);
if ( $status["status"]==S_DRAFT_REV || $status["status"]==S_DRAFT_APP || $status["status"]==S_EXPIRED ){ if ( $status["status"]==S_DRAFT_REV || $status["status"]==S_DRAFT_APP || $status["status"]==S_EXPIRED ){
@ -218,7 +218,7 @@ if (is_array($reviewStatus) && count($reviewStatus)>0) {
$reqName = getMLText("unknown_user")." '".$r["required"]."'"; $reqName = getMLText("unknown_user")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getFullName(); $reqName = htmlspecialchars($required->getFullName());
} }
if($r["required"] == $user->getId()) if($r["required"] == $user->getId())
$is_reviewer = true; $is_reviewer = true;
@ -229,7 +229,7 @@ if (is_array($reviewStatus) && count($reviewStatus)>0) {
$reqName = getMLText("unknown_group")." '".$r["required"]."'"; $reqName = getMLText("unknown_group")." '".$r["required"]."'";
} }
else { else {
$reqName = "<i>".$required->getName()."</i>"; $reqName = "<i>".htmlspecialchars($required->getName())."</i>";
} }
if($required->isMember($user)) if($required->isMember($user))
$is_reviewer = true; $is_reviewer = true;
@ -239,8 +239,8 @@ if (is_array($reviewStatus) && count($reviewStatus)>0) {
print "<td>".$reqName."</td>\n"; print "<td>".$reqName."</td>\n";
print "<td><ul class=\"documentDetail\"><li>".$r["date"]."</li>"; print "<td><ul class=\"documentDetail\"><li>".$r["date"]."</li>";
$updateUser = $dms->getUser($r["userID"]); $updateUser = $dms->getUser($r["userID"]);
print "<li>".(is_object($updateUser) ? $updateUser->getFullName() : "unknown user id '".$r["userID"]."'")."</li></ul></td>"; print "<li>".(is_object($updateUser) ? htmlspecialchars($updateUser->getFullName()) : "unknown user id '".$r["userID"]."'")."</li></ul></td>";
print "<td>".$r["comment"]."</td>\n"; print "<td>".htmlspecialchars($r["comment"])."</td>\n";
print "<td>".getReviewStatusText($r["status"])."</td>\n"; print "<td>".getReviewStatusText($r["status"])."</td>\n";
print "<td><ul class=\"actions\">"; print "<td><ul class=\"actions\">";
@ -279,7 +279,7 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
$reqName = getMLText("unknown_user")." '".$r["required"]."'"; $reqName = getMLText("unknown_user")." '".$r["required"]."'";
} }
else { else {
$reqName = $required->getFullName(); $reqName = htmlspecialchars($required->getFullName());
} }
if($a["required"] == $user->getId()) if($a["required"] == $user->getId())
$is_approver = true; $is_approver = true;
@ -290,7 +290,7 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
$reqName = getMLText("unknown_group")." '".$r["required"]."'"; $reqName = getMLText("unknown_group")." '".$r["required"]."'";
} }
else { else {
$reqName = "<i>".$required->getName()."</i>"; $reqName = "<i>".htmlspecialchars($required->getName())."</i>";
} }
if($required->isMember($user)) if($required->isMember($user))
$is_approver = true; $is_approver = true;
@ -300,8 +300,8 @@ if (is_array($approvalStatus) && count($approvalStatus)>0) {
print "<td>".$reqName."</td>\n"; print "<td>".$reqName."</td>\n";
print "<td><ul class=\"documentDetail\"><li>".$a["date"]."</li>"; print "<td><ul class=\"documentDetail\"><li>".$a["date"]."</li>";
$updateUser = $dms->getUser($a["userID"]); $updateUser = $dms->getUser($a["userID"]);
print "<li>".(is_object($updateUser) ? $updateUser->getFullName() : "unknown user id '".$a["userID"]."'")."</li></ul></td>"; print "<li>".(is_object($updateUser) ? htmlspecialchars($updateUser->getFullName()) : "unknown user id '".$a["userID"]."'")."</li></ul></td>";
print "<td>".$a["comment"]."</td>\n"; print "<td>".htmlspecialchars($a["comment"])."</td>\n";
print "<td>".getApprovalStatusText($a["status"])."</td>\n"; print "<td>".getApprovalStatusText($a["status"])."</td>\n";
print "<td><ul class=\"actions\">"; print "<td><ul class=\"actions\">";
@ -338,7 +338,6 @@ if (count($versions)>1) {
for ($i = count($versions)-2; $i >= 0; $i--) { for ($i = count($versions)-2; $i >= 0; $i--) {
$version = $versions[$i]; $version = $versions[$i];
$vstat = $version->getStatus(); $vstat = $version->getStatus();
$comment = $version->getComment();
// verify if file exists // verify if file exists
$file_exists=file_exists($dms->contentDir . $version->getPath()); $file_exists=file_exists($dms->contentDir . $version->getPath());
@ -358,10 +357,10 @@ if (count($versions)>1) {
if ($file_exists) print "<li>". formatted_size(filesize($dms->contentDir . $version->getPath())) ." ".$version->getMimeType()."</li>"; if ($file_exists) print "<li>". formatted_size(filesize($dms->contentDir . $version->getPath())) ." ".$version->getMimeType()."</li>";
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $version->getUser(); $updatingUser = $version->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".$updatingUser->getFullName()."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($version->getDate())."</li>"; print "<li>".getLongReadableDate($version->getDate())."</li>";
print "</ul>\n"; print "</ul>\n";
print "<td>".$version->getComment()."</td>"; print "<td>".htmlspecialchars($version->getComment())."</td>";
print "<td>".getOverallStatusText($vstat["status"])."</td>"; print "<td>".getOverallStatusText($vstat["status"])."</td>";
print "<td>"; print "<td>";
print "<ul class=\"actions\">"; print "<ul class=\"actions\">";
@ -402,7 +401,7 @@ if (count($files) > 0) {
print "<tr>"; print "<tr>";
print "<td><ul class=\"actions\">"; print "<td><ul class=\"actions\">";
if ($file_exists) if ($file_exists)
print "<li><a href=\"../op/op.Download.php?documentid=".$documentid."&file=".$file->getID()."\"><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($file->getFileType())."\" title=\"".$file->getMimeType()."\">".$file->getName()."</a>"; print "<li><a href=\"../op/op.Download.php?documentid=".$documentid."&file=".$file->getID()."\"><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($file->getFileType())."\" title=\"".$file->getMimeType()."\">".htmlspecialchars($file->getName())."</a>";
else print "<li><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($file->getFileType())."\" title=\"".$file->getMimeType()."\">"; else print "<li><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($file->getFileType())."\" title=\"".$file->getMimeType()."\">";
print "</ul></td>"; print "</ul></td>";
@ -412,10 +411,10 @@ if (count($files) > 0) {
print "<li>". filesize($dms->contentDir . $file->getPath()) ." bytes ".$file->getMimeType()."</li>"; print "<li>". filesize($dms->contentDir . $file->getPath()) ." bytes ".$file->getMimeType()."</li>";
else print "<li>".$file->getMimeType()." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li>".$file->getMimeType()." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>";
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".$responsibleUser->getFullName()."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($file->getDate())."</li>"; print "<li>".getLongReadableDate($file->getDate())."</li>";
print "<td>".$file->getComment()."</td>"; print "<td>".htmlspecialchars($file->getComment())."</td>";
print "<td><span class=\"actions\">"; print "<td><span class=\"actions\">";
if (($document->getAccessMode($user) == M_ALL)||($file->getUserID()==$user->getID())) if (($document->getAccessMode($user) == M_ALL)||($file->getUserID()==$user->getID()))
@ -456,9 +455,9 @@ if (count($links) > 0) {
$targetDoc = $link->getTarget(); $targetDoc = $link->getTarget();
print "<tr>"; print "<tr>";
print "<td><a href=\"out.ViewDocument.php?documentid=".$targetDoc->getID()."\" class=\"linklist\">".$targetDoc->getName()."</a></td>"; print "<td><a href=\"out.ViewDocument.php?documentid=".$targetDoc->getID()."\" class=\"linklist\">".htmlspecialchars($targetDoc->getName())."</a></td>";
print "<td>".$targetDoc->getComment()."</td>"; print "<td>".htmlspecialchars($targetDoc->getComment())."</td>";
print "<td>".$responsibleUser->getFullName(); print "<td>".htmlspecialchars($responsibleUser->getFullName());
if (($user->getID() == $responsibleUser->getID()) || ($document->getAccessMode($user) == M_ALL )) if (($user->getID() == $responsibleUser->getID()) || ($document->getAccessMode($user) == M_ALL ))
print "<br>".getMLText("document_link_public").":".(($link->isPublic()) ? getMLText("yes") : getMLText("no")); print "<br>".getMLText("document_link_public").":".(($link->isPublic()) ? getMLText("yes") : getMLText("no"));
print "</td>"; print "</td>";
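Review bot: In the `lock_message` hunk only `username` is escaped; `"email" => $lockingUser->getEmail()` is still passed raw, unlike the otherwise identical `update_locked_msg` call that this commit escapes in the update-document form. The same raw `getEmail()` survives in every `mailto:` link of this file (the `uploaded_by` lines in the latest-content, versions and attached-files hunks), and `$file->getMimeType()` is emitted unescaped into a `title` attribute and into cell text in the files hunks; since the stored MIME type presumably originates from the upload, it deserves the same treatment, e.g. `title=\"".htmlspecialchars($file->getMimeType())."\"`. The `UI::exitError` call in the first hunk likewise still uses the unescaped `$document->getName()` two lines after the escaped `$docPathHTML`. Every hunk here is cut from control flow that starts and ends outside it.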


@ -71,7 +71,7 @@ echo "</tr>";
echo "<tr>"; echo "<tr>";
echo "<td>".getMLText("user").": </td>"; echo "<td>".getMLText("user").": </td>";
echo "<td>".(is_object($u)?$u->getFullName():getMLText("unknown_user"))."</td>"; echo "<td>".(is_object($u)?htmlspecialchars($u->getFullName()):getMLText("unknown_user"))."</td>";
echo "</tr>"; echo "</tr>";
echo "</table>"; echo "</table>";


@ -61,10 +61,10 @@ UI::contentHeading(getMLText("folder_infos"));
$owner = $folder->getOwner(); $owner = $folder->getOwner();
UI::contentContainer("<table>\n<tr>\n". UI::contentContainer("<table>\n<tr>\n".
"<td>".getMLText("owner").":</td>\n". "<td>".getMLText("owner").":</td>\n".
"<td><a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFullName()."</a>". "<td><a class=\"infos\" href=\"mailto:".htmlspecialchars($owner->getEmail())."\">".htmlspecialchars($owner->getFullName())."</a>".
"</td>\n</tr>\n<tr>\n". "</td>\n</tr>\n<tr>\n".
"<td>".getMLText("comment").":</td>\n". "<td>".getMLText("comment").":</td>\n".
"<td>".$folder->getComment()."</td>\n</tr>\n</table>\n"); "<td>".htmlspecialchars($folder->getComment())."</td>\n</tr>\n</table>\n");
UI::contentHeading(getMLText("folder_contents")); UI::contentHeading(getMLText("folder_contents"));
UI::contentContainerStart(); UI::contentContainerStart();
@ -101,11 +101,11 @@ foreach($subFolders as $subFolder) {
print "<tr class=\"folder\">"; print "<tr class=\"folder\">";
// print "<td><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></td>"; // print "<td><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></td>";
print "<td><a href=\"out.ViewFolder.php?folderid=".$subFolder->getID()."&showtree=".$showtree."\"><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></a></td>\n"; print "<td><a href=\"out.ViewFolder.php?folderid=".$subFolder->getID()."&showtree=".$showtree."\"><img src=\"images/folder_closed.gif\" width=18 height=18 border=0></a></td>\n";
print "<td><a href=\"out.ViewFolder.php?folderid=".$subFolder->getID()."&showtree=".$showtree."\">" . $subFolder->getName() . "</a></td>\n"; print "<td><a href=\"out.ViewFolder.php?folderid=".$subFolder->getID()."&showtree=".$showtree."\">" . htmlspecialchars($subFolder->getName()) . "</a></td>\n";
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td colspan=\"1\"><small>".count($subsub)." ".getMLText("folders").", ".count($subdoc)." ".getMLText("documents")."</small></td>"; print "<td colspan=\"1\"><small>".count($subsub)." ".getMLText("folders").", ".count($subdoc)." ".getMLText("documents")."</small></td>";
print "<td></td>"; print "<td></td>";
print "<td>".$comment."</td>"; print "<td>".htmlspecialchars($comment)."</td>";
print "</tr>\n"; print "</tr>\n";
} }
@ -125,15 +125,15 @@ foreach($documents as $document) {
print "<td><a href=\"../op/op.Download.php?documentid=".$docID."&version=".$version."\"><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($latestContent->getFileType())."\" title=\"".$latestContent->getMimeType()."\"></a></td>"; print "<td><a href=\"../op/op.Download.php?documentid=".$docID."&version=".$version."\"><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($latestContent->getFileType())."\" title=\"".$latestContent->getMimeType()."\"></a></td>";
else print "<td><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($latestContent->getFileType())."\" title=\"".$latestContent->getMimeType()."\"></td>"; else print "<td><img class=\"mimeicon\" src=\"images/icons/".UI::getMimeIcon($latestContent->getFileType())."\" title=\"".$latestContent->getMimeType()."\"></td>";
print "<td><a href=\"out.ViewDocument.php?documentid=".$docID."&showtree=".$showtree."\">" . $document->getName() . "</a></td>\n"; print "<td><a href=\"out.ViewDocument.php?documentid=".$docID."&showtree=".$showtree."\">" . htmlspecialchars($document->getName()) . "</a></td>\n";
print "<td>".$owner->getFullName()."</td>"; print "<td>".htmlspecialchars($owner->getFullName())."</td>";
print "<td>"; print "<td>";
if ( $document->isLocked() ) { if ( $document->isLocked() ) {
print "<img src=\"".UI::getImgPath("lock.png")."\" title=\"". getMLText("locked_by").": ".$document->getLockingUser()->getFullName()."\"> "; print "<img src=\"".UI::getImgPath("lock.png")."\" title=\"". getMLText("locked_by").": ".htmlspecialchars($document->getLockingUser()->getFullName())."\"> ";
} }
print getOverallStatusText($status["status"])."</td>"; print getOverallStatusText($status["status"])."</td>";
print "<td>".$version."</td>"; print "<td>".$version."</td>";
print "<td>".$comment."</td>"; print "<td>".htmlspecialchars($comment)."</td>";
print "</tr>\n"; print "</tr>\n";
} }