From bc342f9fbfc99ffc1a4b33cecdd963e30901820b Mon Sep 17 00:00:00 2001 From: Olav Vitters Date: Sat, 6 Jun 2009 15:00:37 +0200 Subject: [PATCH] Make $error safe for HTML output purposes --- foundation.gnome.org/vote/blt.wml | 10 +++++----- foundation.gnome.org/vote/include/step4-commit.php | 8 ++++---- foundation.gnome.org/vote/results.wml | 6 +++--- foundation.gnome.org/vote/vote.wml | 8 ++++---- foundation.gnome.org/vote/votes.wml | 12 ++++++------ 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/foundation.gnome.org/vote/blt.wml b/foundation.gnome.org/vote/blt.wml index 4cc3ce9..39a9682 100644 --- a/foundation.gnome.org/vote/blt.wml +++ b/foundation.gnome.org/vote/blt.wml @@ -50,7 +50,7 @@ if ($display && $election_id >= 0) { $error .= "The specified election/referendum does not exist.\n"; $display = FALSE; } else if (!elec_election_has_ended ($election)) { - $error .= "The voting period for the specified ".elec_election_get_type ($election)." starts on ".$election["voting_start"]." (UTC) and ends on ".$election["voting_end"]." (UTC). It is not possible to see the results now.\n"; + $error .= "The voting period for the specified ".htmlspecialchars(elec_election_get_type ($election))." starts on ".htmlspecialchars($election["voting_start"])." (UTC) and ends on ".htmlspecialchars($election["voting_end"])." (UTC). It is not possible to see the results now.\n"; $display = FALSE; } } @@ -59,7 +59,7 @@ if ($display && $election_id >= 0) { if ($display) { $choices = elec_choices_get ($handle, $election_id); if ($choices === FALSE) { - $error .= "The ".elec_election_get_type ($election)." is not properly set up.\n"; + $error .= "The ".htmlspecialchars(elec_election_get_type ($election))." is not properly set up.\n"; $display = FALSE; } } 
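Review bot: The blt.wml hunks wrap every value appended to $error in htmlspecialchars(), but the diff never shows how blt.wml emits $error, and these messages end in a bare `\n` with no HTML line break, unlike the results.wml/vote.wml/votes.wml messages below, which suggests this file may be producing text (the BLT ballot format, cf. the `echo "1 999 0\n"` in a later hunk) rather than HTML. If $error is written out as text/plain here, entity-encoding leaves literal `&amp;` and `&lt;` sequences in the ballot output, so confirm the output path in blt.wml and either keep the escaping at the single echo site or drop it in this file. If the output is HTML after all, a comment next to the first `$error .=` such as `// $error is echoed unescaped: htmlspecialchars() every dynamic value before appending` would make the new invariant visible to the next editor.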
@@ -73,7 +73,7 @@ if (isset ($election) && $election !== FALSE) { if ($display) { $anon_tokens = elec_get_anon_tokens_for_election ($handle, $election_id); if ($anon_tokens === FALSE) { - $error .= "Can not get the anonymous tokens for this ".elec_election_get_type ($election).".\n"; + $error .= "Can not get the anonymous tokens for this ".htmlspecialchars(elec_election_get_type ($election)).".\n"; $display = FALSE; } } @@ -93,7 +93,7 @@ if ($display) { $votes = elec_get_votes_for_anon_token ($handle, $anon_token["id"]); if ($votes === FALSE) { echo "1 999 0\n"; - $error .= "Can not get votes for anonymous token ".$anon_token["anon_token"]."\n"; + $error .= "Can not get votes for anonymous token ".htmlspecialchars($anon_token["anon_token"])."\n"; } else if (count ($votes) == 0) { echo "1 0\n"; } else { @@ -103,7 +103,7 @@ if ($display) { echo $choices_pos[$vote["choice_id"]]." "; else { echo "999 "; - $error .= "There was an unkown vote for anonymous token ".$anon_token["anon_token"].": ".$vote["choice_id"]."\n"; + $error .= "There was an unkown vote for anonymous token ".htmlspecialchars($anon_token["anon_token"]).": ".htmlspecialchars($vote["choice_id"])."\n"; } } echo "0\n"; diff --git a/foundation.gnome.org/vote/include/step4-commit.php b/foundation.gnome.org/vote/include/step4-commit.php index 208616e..2532fbe 100644 --- a/foundation.gnome.org/vote/include/step4-commit.php +++ b/foundation.gnome.org/vote/include/step4-commit.php @@ -58,7 +58,7 @@ function step4_do () { } while ($anon_token_id === FALSE && $i < 10); if ($anon_token_id === FALSE) { - $error .= "Can not create an anonymous token: ".mysql_error ($handle)."
\n"; + $error .= "Can not create an anonymous token: ".htmlspecialchars(mysql_error ($handle))."
\n"; elec_sql_rollback ($handle); return $result; } @@ -71,7 +71,7 @@ function step4_do () { $res = elec_insert_new_vote ($handle, $anon_token_id, $vote, $index); if (!$res) { - $error .= "Can not insert a vote: ".mysql_error ($handle)."
\n"; + $error .= "Can not insert a vote: ".htmlspecialchars(mysql_error ($handle))."
\n"; elec_sql_rollback ($handle); return $result; } @@ -81,14 +81,14 @@ function step4_do () { $res = elec_sql_remove_tmp_token ($handle, $election_id, $email, $tmp_token); if (!$res) { - $error .= "Can not remove temporary token: ".mysql_error ($handle)."
\n"; + $error .= "Can not remove temporary token: ".htmlspecialchars(mysql_error ($handle))."
\n"; elec_sql_rollback ($handle); return $result; } $res = elec_sql_commit ($handle); if (!$res) { - $error .= "Can not commit the vote: ".mysql_error ($handle)."
\n"; + $error .= "Can not commit the vote: ".htmlspecialchars(mysql_error ($handle))."
\n"; return $result; } diff --git a/foundation.gnome.org/vote/results.wml b/foundation.gnome.org/vote/results.wml index 200a21b..b17bbb4 100644 --- a/foundation.gnome.org/vote/results.wml +++ b/foundation.gnome.org/vote/results.wml @@ -35,7 +35,7 @@ if ($display && $election_id >= 0) { $error .= "The specified election/referendum does not exist.
\n"; $display = FALSE; } else if (!elec_election_has_ended ($election)) { - $error .= "The voting period for the specified ".elec_election_get_type ($election)." starts on ".$election["voting_start"]." (UTC) and ends on ".$election["voting_end"]." (UTC). It is not possible to see the results now.
\n"; + $error .= "The voting period for the specified ".htmlspecialchars(elec_election_get_type ($election))." starts on ".htmlspecialchars($election["voting_start"])." (UTC) and ends on ".htmlspecialchars($election["voting_end"])." (UTC). It is not possible to see the results now.
\n"; $display = FALSE; } else @@ -49,7 +49,7 @@ if (isset ($election) && $election !== FALSE) { { echo "

Results for the ".htmlspecialchars($election["name"])."

\n"; } else { - $error .= "The voting period for the specified ".elec_election_get_type ($election)." has closed, but the results of the election have not yet been calculated. It is not possible to see the results now.
\n"; + $error .= "The voting period for the specified ".htmlspecialchars(elec_election_get_type ($election))." has closed, but the results of the election have not yet been calculated. It is not possible to see the results now.
\n"; echo "

In the meantime, you can look at the list of all votes and verify that your vote is correct.

\n"; $display = FALSE; } @@ -64,7 +64,7 @@ if ($display) { } if (isset ($error) && $error != "") { - echo "
".htmlspecialchars($error)."
\n";; + echo "
".$error."
\n";; echo "

If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

\n"; } diff --git a/foundation.gnome.org/vote/vote.wml b/foundation.gnome.org/vote/vote.wml index ae119a7..06166af 100644 --- a/foundation.gnome.org/vote/vote.wml +++ b/foundation.gnome.org/vote/vote.wml @@ -43,7 +43,7 @@ if ($election_id == -1) { $error .= "The specified election/referendum does not exist.
\n"; $step = 0; } else if (!elec_election_is_current ($election)) { - $error .= "The voting period for the specified ".elec_election_get_type ($election)." starts on ".$election["voting_start"]." (UTC) and ends on ".$election["voting_end"]." (UTC). It is not possible to vote now.
\n"; + $error .= "The voting period for the specified ".htmlspecialchars(elec_election_get_type ($election))." starts on ".htmlspecialchars($election["voting_start"])." (UTC) and ends on ".htmlspecialchars($election["voting_end"])." (UTC). It is not possible to vote now.
\n"; $step = 0; } } @@ -65,7 +65,7 @@ if ($step > 1) { $choices = elec_choices_get ($handle, $election_id); if (!elec_verify_elections ($choices)) { - $error .= "The ".elec_election_get_type ($election)." is not properly set up.\n"; + $error .= "The ".htmlspecialchars(elec_election_get_type ($election))." is not properly set up.\n"; $step = 0; } @@ -220,7 +220,7 @@ if ($step >= 2) { $res = elec_verify_vote_is_valid ($choices, $vote, $votes_array); if ($res != "") { - $error .= "The vote you made is not valid: ".$res."
\n"; + $error .= "The vote you made is not valid: ".htmlspecialchars($res)."
\n"; $step = 2; } } @@ -254,7 +254,7 @@ if (isset ($handle)) elec_sql_close ($handle); if (isset ($error) && $error != "") { - echo "
".htmlspecialchars($error)."
\n";; + echo "
".$error."
\n";; echo "

If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

\n"; } diff --git a/foundation.gnome.org/vote/votes.wml b/foundation.gnome.org/vote/votes.wml index 60e6376..4107726 100644 --- a/foundation.gnome.org/vote/votes.wml +++ b/foundation.gnome.org/vote/votes.wml @@ -35,7 +35,7 @@ if ($display && $election_id >= 0) { $error .= "The specified election/referendum does not exist.
\n"; $display = FALSE; } else if (!elec_election_has_ended ($election)) { - $error .= "The voting period for the specified ".elec_election_get_type ($election)." starts on ".$election["voting_start"]." (UTC) and ends on ".$election["voting_end"]." (UTC). It is not possible to see the results now.
\n"; + $error .= "The voting period for the specified ".htmlspecialchars(elec_election_get_type ($election))." starts on ".htmlspecialchars($election["voting_start"])." (UTC) and ends on ".htmlspecialchars($election["voting_end"])." (UTC). It is not possible to see the results now.
\n"; $display = FALSE; } } @@ -47,7 +47,7 @@ if (isset ($election) && $election !== FALSE) { if ($display) { $anon_tokens = elec_get_anon_tokens_for_election ($handle, $election_id); if ($anon_tokens === FALSE) { - $error .= "Can not get the anonymous tokens for this ".elec_election_get_type ($election).".\n"; + $error .= "Can not get the anonymous tokens for this ".htmlspecialchars(elec_election_get_type ($election)).".\n"; $display = FALSE; } } @@ -55,7 +55,7 @@ if ($display) { if ($display) { $choices = elec_choices_get ($handle, $election_id); if ($choices === FALSE) { - $error .= "The ".elec_election_get_type ($election)." is not properly set up.\n"; + $error .= "The ".htmlspecialchars(elec_election_get_type ($election))." is not properly set up.\n"; $display = FALSE; } } @@ -89,7 +89,7 @@ if ($display) { if ($votes === FALSE) { echo "Can not access votes
for this anonymous token."; - $error .= "Can not get votes for anonymous token ".$anon_token["anon_token"]."
\n"; + $error .= "Can not get votes for anonymous token ".htmlspecialchars($anon_token["anon_token"])."
\n"; } else if (count ($votes) == 0) { echo "This member chose to vote for
none of the possible choices."; } else { @@ -99,7 +99,7 @@ if ($display) { echo "
  • ".htmlspecialchars($votes["preference"])." ".htmlspecialchars($choices_name[$vote["choice_id"]])."
  • \n"; else { echo "
  • Unknown value (".htmlspecialchars($vote["choice_id"]).")
  • \n"; - $error .= "There was an unkown vote for anonymous token ".$anon_token["anon_token"].": ".$vote["choice_id"]."
    \n"; + $error .= "There was an unkown vote for anonymous token ".htmlspecialchars($anon_token["anon_token"]).": ".htmlspecialchars($vote["choice_id"])."
    \n"; } } echo ""; @@ -114,7 +114,7 @@ if ($display) { } if (isset ($error) && $error != "") { - echo "
    ".htmlspecialchars($error)."
    \n";; + echo "
    ".$error."
    \n";; echo "

    If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

    \n"; }