Commit 5d30a7a2 authored by David Siegfried's avatar David Siegfried

prevent xss, closes #895

parent f12ae512
<?php <?
/* /*
* Copyright (c) 2012 Rasmus Fuhse <fuhse@data-quest.de> * Copyright (c) 2012 Rasmus Fuhse <fuhse@data-quest.de>
...@@ -8,7 +8,8 @@ ...@@ -8,7 +8,8 @@
* published by the Free Software Foundation; either version 2 of * published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version. * the License, or (at your option) any later version.
*/ */
use Studip\Button, Studip\LinkButton;
use Studip\Button;
?> ?>
...@@ -18,25 +19,23 @@ use Studip\Button, Studip\LinkButton; ...@@ -18,25 +19,23 @@ use Studip\Button, Studip\LinkButton;
<table class="default nohover plus"> <table class="default nohover plus">
<!-- <caption><?= _("Inhaltselemente") ?></caption> --> <!-- <caption><?= _("Inhaltselemente") ?></caption> -->
<tbody> <tbody>
<? foreach ($available_modules as $category => $pluginlist) : ?>
<? <?
foreach ($available_modules as $category => $pluginlist) { $visibility = '';
$visibility = "";
if ($_SESSION['plus']['displaystyle'] != 'category' && $category != 'Funktionen von A-Z') { if ($_SESSION['plus']['displaystyle'] != 'category' && $category != 'Funktionen von A-Z') {
$visibility = "invisible"; $visibility = 'invisible';
} }
if (isset($_SESSION['plus']) && !$_SESSION['plus']['Kategorie'][$category] && $category != 'Funktionen von A-Z') { if (isset($_SESSION['plus']) && !$_SESSION['plus']['Kategorie'][$category] && $category != 'Funktionen von A-Z') {
$visibility = "invisible"; $visibility = 'invisible';
} }
?> ?>
<tr class="<?= $visibility; ?>"> <tr class="<?= $visibility; ?>">
<th colspan=3> <th colspan=3>
<?= htmlReady($category) ?> <?= htmlReady($category) ?>
</th> </th>
</tr> </tr>
<? foreach ($pluginlist as $key => $val) : ?>
<? foreach ($pluginlist as $key => $val) { <?
if ($val['type'] == 'plugin') { if ($val['type'] == 'plugin') {
$plugin = $val['object']; $plugin = $val['object'];
$plugin_activated = $plugin->isActivated(); $plugin_activated = $plugin->isActivated();
...@@ -44,64 +43,60 @@ foreach ($available_modules as $category => $pluginlist) { ...@@ -44,64 +43,60 @@ foreach ($available_modules as $category => $pluginlist) {
//Checkbox //Checkbox
$anchor = 'p_' . $plugin->getPluginId(); $anchor = 'p_' . $plugin->getPluginId();
$cb_name = 'plugin_' . $plugin->getPluginId();
$cb_disabled = ''; $cb_disabled = '';
$cb_checked = $plugin_activated ? "checked" : ""; $cb_checked = $plugin_activated ? "checked" : "";
$pluginname = $val['displayname']; $pluginname = $val['displayname'];
$URL = $plugin->isCorePlugin() ? $GLOBALS['ABSOLUTE_URI_STUDIP'] : $plugin->getPluginURL(); $url = $plugin->isCorePlugin() ? $GLOBALS['ABSOLUTE_URI_STUDIP'] : $plugin->getPluginURL();
$pluginvisibility = $val['visibility']; $pluginvisibility = $val['visibility'];
} }
?> ?>
<tr id="<?= htmlReady($anchor);?>" class="<?= $visibility; ?> <?= $pre_check != null ? ' quiet' : '' ?>"> <tr id="<?= htmlReady($anchor); ?>"
class="<?= $visibility; ?> <?= $pre_check != null ? ' quiet' : '' ?>">
<td class="element" colspan=3> <td class="element" colspan=3>
<div class="plus_basic"> <div class="plus_basic">
<!-- checkbox -->
<input type="checkbox" <input type="checkbox"
id="<?= $pluginname ?>" id="<?= $key ?>"
name="<?= $cb_name ?>" name="<?= $key ?>"
data-moduleclass="<?= htmlReady($val['moduleclass']) ?>" data-moduleclass="<?= htmlReady($val['moduleclass']) ?>"
data-key="<?= htmlReady($val['modulkey']) ?>" data-key="<?= htmlReady($val['modulkey']) ?>"
value="TRUE" <?= $cb_disabled ?> <?= $cb_checked ?> value="TRUE" <?= $cb_disabled ?> <?= $cb_checked ?>
onClick="STUDIP.Plus.setModule.call(this);"> onClick="STUDIP.Plus.setModule.call(this);">
<div class="element_header"> <div class="element_header">
<!-- Name --> <!-- Name -->
<label for="<?= $pluginname ?>"> <label for="<?= $key ?>">
<strong><?= htmlReady($pluginname) ?></strong> <strong><?= htmlReady($pluginname) ?></strong>
<? if ($cb_checked) : ?> <? if ($cb_checked) : ?>
<?= Icon::create( <?= Icon::create(
$pluginvisibility === 'autor' ? 'visibility-visible' : 'visibility-invisible', $pluginvisibility === 'autor' ? 'visibility-visible' : 'visibility-invisible',
Icon::ROLE_INFO, Icon::ROLE_INFO,
['title' => sprintf(_('%s für Studierende'), $pluginvisibility === 'autor' ? _('Sichtbar') : _('Unsichtbar'))] [
'title' => sprintf(
_('%s für Studierende'),
$pluginvisibility === 'autor' ? _('Sichtbar') : _('Unsichtbar')
)
]
) ?> ) ?>
<? endif ?> <? endif ?>
</label> </label>
</div> </div>
<div class="element_description"> <div class="element_description">
<!-- icon -->
<? if (isset($info['icon'])) : ?> <? if (isset($info['icon'])) : ?>
<? /* TODO: Plugins should use class "Icon" */ ?> <? /* TODO: Plugins should use class "Icon" */ ?>
<? if (is_string($info['icon'])) : ?> <? if (is_string($info['icon'])) : ?>
<img class="plugin_icon text-bottom" alt="" src="<?= $URL . "/" . $info['icon'] ?> "> <img class="plugin_icon text-bottom" alt=""
src="<?= htmlReady($url . "/" . $info['icon']) ?> ">
<? else: ?> <? else: ?>
<?= $info['icon']->asImg(['class' => 'plugin_icon text-bottom', 'alt' => '']) ?> <?= $info['icon']->asImg(['class' => 'plugin_icon text-bottom', 'alt' => '']) ?>
<? endif ?> <? endif ?>
<? endif ?> <? endif ?>
<!-- shortdesc -->
<strong class="shortdesc"> <strong class="shortdesc">
<? if (isset($info['descriptionshort'])) : ?> <? if (isset($info['descriptionshort'])) : ?>
<? foreach (explode('\n', $info['descriptionshort']) as $descriptionshort) { ?> <? foreach (explode('\n', $info['descriptionshort']) as $descriptionshort) : ?>
<?= htmlReady($descriptionshort) ?> <?= htmlReady($descriptionshort) ?>
<? } ?> <? endforeach ?>
<? endif ?> <? endif ?>
<? if (!isset($info['descriptionshort'])) : ?> <? if (!isset($info['descriptionshort'])) : ?>
<? if (isset($info['summary'])) : ?> <? if (isset($info['summary'])) : ?>
...@@ -109,28 +104,25 @@ foreach ($available_modules as $category => $pluginlist) { ...@@ -109,28 +104,25 @@ foreach ($available_modules as $category => $pluginlist) {
<? elseif (isset($info['description'])) : ?> <? elseif (isset($info['description'])) : ?>
<?= htmlReady($info['description']) ?> <?= htmlReady($info['description']) ?>
<? else: ?> <? else: ?>
<?= _("Keine Beschreibung vorhanden.") ?> <?= _('Keine Beschreibung vorhanden.') ?>
<? endif ?> <? endif ?>
<? endif ?> <? endif ?>
</strong> </strong>
</div> </div>
<? if ($plugin_activated) : ?> <? if ($plugin_activated) : ?>
<?php <?
$actionMenu = ActionMenu::get(); $actionMenu = ActionMenu::get();
$actionMenu->addLink( $actionMenu->addLink(
$controller->url_for('/edittool/' . $key), $controller->url_for('/edittool/' . $key),
_('Optionen bearbeiten'), _('Optionen bearbeiten'),
Icon::create('edit', Icon::ROLE_CLICKABLE, ['size' => 20]), Icon::create('edit'),
['data-dialog' => 'size=auto'] ['data-dialog' => 'size=auto']
); );
if (method_exists($plugin, 'deleteContent')) { if (method_exists($plugin, 'deleteContent')) {
$actionMenu->addLink( $actionMenu->addLink(
$controller->url_for('/index', ['deleteContent' => 1, 'name' => $key]), $controller->url_for('/index', ['deleteContent' => 1, 'name' => $key]),
_('Inhalte löschen'), _('Inhalte löschen'),
Icon::create('trash', Icon::ROLE_CLICKABLE, ['size' => 20]) Icon::create('trash')
); );
} }
?> ?>
...@@ -140,126 +132,111 @@ foreach ($available_modules as $category => $pluginlist) { ...@@ -140,126 +132,111 @@ foreach ($available_modules as $category => $pluginlist) {
<? endif ?> <? endif ?>
</div> </div>
<? if ($_SESSION['plus']['View'] == 'openall' || !isset($_SESSION['plus'])) { ?> <? if ($_SESSION['plus']['View'] === 'openall' || !isset($_SESSION['plus'])) : ?>
<div class="plus_expert hidden-tiny-down"> <div class="plus_expert hidden-tiny-down">
<div class="screenshot_holder"> <div class="screenshot_holder">
<? if (isset($info['screenshot']) || isset($info['screenshots'])) : <? if (isset($info['screenshot']) || isset($info['screenshots'])) :
if (isset($info['screenshots'])) { if (isset($info['screenshots'])) {
$title = $info['screenshots']['pictures'][0]['title']; $title = $info['screenshots']['pictures'][0]['title'];
$source = $info['screenshots']['path'] . '/' . $info['screenshots']['pictures'][0]['source']; $source = $info['screenshots']['path'] . '/' . $info['screenshots']['pictures'][0]['source'];
} else { } else {
$fileext = end(explode(".", $info['screenshot'])); $fileext = pathinfo($info['screenshot'], PATHINFO_EXTENSION);
$title = str_replace("_"," ",basename($info['screenshot'], ".".$fileext)); $title = str_replace('_', ' ', basename($info['screenshot'], ".$fileext"));
$source = $info['screenshot']; $source = $info['screenshot'];
} }
?> ?>
<a href="<?= $URL . "/" . $source ?>" <a href="<?= htmlReady("$url/$source") ?>"
data-lightbox="<?= $pluginname ?>" data-title="<?= $title ?>"> data-lightbox="<?= htmlReady($pluginname) ?>"
<img class="big_thumb" src="<?= $URL . "/" . $source ?>" data-title="<?= htmlReady($title) ?>">
alt="<?= $pluginname ?>"/> <img class="big_thumb" src="<?= htmlReady("$url/$source") ?>"
alt="<?= htmlReady($pluginname) ?>"/>
</a> </a>
<? <? if (isset($info['additionalscreenshots'])
if (isset($info['additionalscreenshots']) || (isset($info['screenshots']) && count($info['screenshots']) > 1) ) { || (isset($info['screenshots']) && count($info['screenshots']) > 1)) :?>
?>
<div class="thumb_holder"> <div class="thumb_holder">
<? if (isset($info['screenshots'])){ <?
if (isset($info['screenshots'])) {
$counter = count($info['screenshots']['pictures']); $counter = count($info['screenshots']['pictures']);
$cstart = 1; $cstart = 1;
} else { } else {
$counter = count($info['additionalscreenshots']); $counter = count($info['additionalscreenshots']);
$cstart = 0; $cstart = 0;
} ?> }
?>
<? for ($i = $cstart; $i < $counter; $i++) {
<? for ($i = $cstart; $i < $counter; $i++) :?>
<?
if (isset($info['screenshots'])) { if (isset($info['screenshots'])) {
$title = $info['screenshots']['pictures'][$i]['title']; $title = $info['screenshots']['pictures'][$i]['title'];
$source = $info['screenshots']['path'] . '/' . $info['screenshots']['pictures'][$i]['source']; $source = $info['screenshots']['path'] . '/' . $info['screenshots']['pictures'][$i]['source'];
} else { } else {
$fileext = end(explode(".", $info['additionalscreenshots'][$i])); $fileext = pathinfo($info['additionalscreenshots'][$i], PATHINFO_EXTENSION);
$title = str_replace("_"," ",basename($info['additionalscreenshots'][$i], ".".$fileext)); $title = str_replace('_', ' ', basename($info['additionalscreenshots'][$i], ".$fileext"));
$source = $info['additionalscreenshots'][$i]; $source = $info['additionalscreenshots'][$i];
} }
?> ?>
<a href="<?= htmlReady("$url/$source") ?>"
<a href="<?= $URL . "/" . $source ?>" data-lightbox="<?= htmlReady($pluginname) ?>"
data-lightbox="<?= $pluginname ?>" data-title="<?= htmlReady($title) ?>">
data-title="<?= $title ?>">
<img class="small_thumb" <img class="small_thumb"
src="<?= $URL . "/" . $source ?>" src="<?= htmlReady("$url/$source") ?>"
alt="<?= $pluginname ?>"/> alt="<?= htmlReady($pluginname) ?>">
</a> </a>
<? endfor ?>
<? } ?>
</div> </div>
<? endif ?>
<? } ?>
<? endif ?> <? endif ?>
</div> </div>
<div class="descriptionbox"> <div class="descriptionbox">
<!-- tags -->
<? if (isset($info['keywords'])) : ?> <? if (isset($info['keywords'])) : ?>
<ul class="keywords"> <ul class="keywords">
<? foreach (explode(';', $info['keywords']) as $keyword) { <? foreach (explode(';', $info['keywords']) as $keyword) : ?>
echo '<li>' . htmlReady($keyword) . '</li>'; <li><?= htmlReady($keyword) ?> </li>
}?> <? endforeach ?>
</ul> </ul>
<? endif ?> <? endif ?>
<!-- longdesc -->
<? if (isset($info['descriptionlong'])) : ?> <? if (isset($info['descriptionlong'])) : ?>
<? foreach (explode('\n', $info['descriptionlong']) as $descriptionlong) { ?> <? foreach (explode('\n', $info['descriptionlong']) as $descriptionlong) : ?>
<p class="longdesc"> <p class="longdesc">
<?= htmlReady($descriptionlong) ?> <?= htmlReady($descriptionlong) ?>
</p> </p>
<? } ?> <? endforeach ?>
<? endif ?> <? endif ?>
<? if (!isset($info['descriptionlong']) && isset($info['summary'])) : ?> <? if (!isset($info['descriptionlong']) && isset($info['summary'])) : ?>
<p class="longdesc"> <p class="longdesc">
<? if (isset($info['description'])) : ?> <? if (isset($info['description'])) : ?>
<?= htmlReady($info['description']) ?> <?= htmlReady($info['description']) ?>
<? else: ?> <? else: ?>
<?= _("Keine Beschreibung vorhanden.") ?> <?= _('Keine Beschreibung vorhanden.') ?>
<? endif ?> <? endif ?>
</p> </p>
<? endif ?> <? endif ?>
<? if (isset($info['homepage'])) : ?> <? if (isset($info['homepage'])) : ?>
<p> <p>
<strong><?= _('Weitere Informationen:') ?></strong> <strong><?= _('Weitere Informationen:') ?></strong>
<a href="<?= htmlReady($info['homepage']) ?>"><?= htmlReady($info['homepage']) ?></a> <a href="<?= htmlReady($info['homepage']) ?>">
<?= htmlReady($info['homepage']) ?>
</a>
</p> </p>
<? endif ?> <? endif ?>
<!-- helplink -->
<? if (isset($info['helplink'])) : ?> <? if (isset($info['helplink'])) : ?>
<a class="helplink" href=" <?= htmlReady($info['helplink']) ?> ">...mehr</a> <a class="helplink" href=" <?= htmlReady($info['helplink']) ?> ">
...<?= _('mehr') ?>
</a>
<? endif ?> <? endif ?>
</div> </div>
</div> </div>
<? } ?> <? endif ?>
</td> </td>
</tr> </tr>
<? <? endforeach ?>
} <? endforeach ?>
} ?>
</tbody> </tbody>
<tfoot> <tfoot>
<tr class="hidden-js"> <tr class="hidden-js">
<td align="center" colspan="3"> <td colspan="3">
<?= Button::create(_('An- / Ausschalten'), 'uebernehmen') ?> <?= Button::create(_('An- / Ausschalten'), 'uebernehmen') ?>
</td> </td>
</tr> </tr>
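Review bot: The checkbox `id`, `name` and label `for` attributes in the third hunk still print `$key` raw (`id="<?= $key ?>"`, `name="<?= $key ?>"`, `for="<?= $key ?>"`) while the neighbouring attributes were switched to htmlReady(), so the escaping in this row is inconsistent; applying the same treatment, `id="<?= htmlReady($key) ?>"`, `name="<?= htmlReady($key) ?>"` and `for="<?= htmlReady($key) ?>"`, closes that gap regardless of where the keys of `$available_modules` originate (not visible in this diff). htmlReady() escapes for the HTML attribute context only and does not constrain the scheme of `$info['homepage']` or `$info['helplink']`, which are emitted as `href` in the last hunk, so unless plugin metadata is validated before it reaches this template an allow-list check on the URL scheme at output time would be the remaining piece. In the same hunk the `plus_expert` condition reads `$_SESSION['plus']['View']` before testing `!isset($_SESSION['plus'])`; swapping the two operands avoids an undefined-index notice when the session key is absent. The assignments of `$info` and `$pre_check` happen outside the visible hunks.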