Improved listform class.

tbrehm · tbrehm · commit ae69e622d3ba · 2008-11-22T17:00:48.000Z
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
@@ -166,7 +166,7 @@ public function getSearchSQL($sql_where = '')
                     $this->searchValues[$search_prefix.$field] = $out;
             } else {
                 if(isset($_SESSION['search'][$list_name][$search_prefix.$field])){
-                    $this->searchValues[$search_prefix.$field] = $_SESSION['search'][$list_name][$search_prefix.$field];
+                    $this->searchValues[$search_prefix.$field] = htmlspecialchars($_SESSION['search'][$list_name][$search_prefix.$field]);
                 }
             }
         }
@@ -283,7 +283,7 @@ public function decode($record)
                 	switch ($field['datatype']){
                     case 'VARCHAR':
                     case 'TEXT':
-                        $record[$key] = stripslashes($record[$key]);
+                        $record[$key] = htmlentities(stripslashes($record[$key]));
                          break;
 
                     case 'DATE':
@@ -295,15 +295,15 @@ public function decode($record)
                         break;
 
                     case 'DOUBLE':
-                        $record[$key] = $record[$key];
+                        $record[$key] = htmlentities($record[$key]);
                         break;
 
                     case 'CURRENCY':
                         $record[$key] = number_format($record[$key], 2, ',', '');
                         break;
 
                     default:
-                        $record[$key] = stripslashes($record[$key]);
+                        $record[$key] = htmlentities(stripslashes($record[$key]));
                 	}
 				}
             }
@@ -360,6 +360,19 @@ function lng($msg) {
 			return $app->lng($msg);
 		}	
 	}
+	
+	function escapeArrayValues($search_values) {
+		
+		$out = array();
+		if(is_array($search_values)) {
+			foreach($search_values as $key => $val) {
+				$out[$key] = htmlentities($val,ENT_QUOTES);
+			}
+		}
+		
+		return $out;
+		
+	}
 
 }
 

Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,7 @@ public function getSearchSQL($sql_where = '')`
`166`	`166`	`$this->searchValues[$search_prefix.$field] = $out;`
`167`	`167`	`} else {`
`168`	`168`	`if(isset($_SESSION['search'][$list_name][$search_prefix.$field])){`
`169`		`- $this->searchValues[$search_prefix.$field] = $_SESSION['search'][$list_name][$search_prefix.$field];`
	`169`	`+ $this->searchValues[$search_prefix.$field] = htmlspecialchars($_SESSION['search'][$list_name][$search_prefix.$field]);`
`170`	`170`	`}`
`171`	`171`	`}`
`172`	`172`	`}`
`@@ -283,7 +283,7 @@ public function decode($record)`
`283`	`283`	`switch ($field['datatype']){`
`284`	`284`	`case 'VARCHAR':`
`285`	`285`	`case 'TEXT':`
`286`		`- $record[$key] = stripslashes($record[$key]);`
	`286`	`+ $record[$key] = htmlentities(stripslashes($record[$key]));`
`287`	`287`	`break;`
`288`	`288`
`289`	`289`	`case 'DATE':`
`@@ -295,15 +295,15 @@ public function decode($record)`
`295`	`295`	`break;`
`296`	`296`
`297`	`297`	`case 'DOUBLE':`
`298`		`- $record[$key] = $record[$key];`
	`298`	`+ $record[$key] = htmlentities($record[$key]);`
`299`	`299`	`break;`
`300`	`300`
`301`	`301`	`case 'CURRENCY':`
`302`	`302`	`$record[$key] = number_format($record[$key], 2, ',', '');`
`303`	`303`	`break;`
`304`	`304`
`305`	`305`	`default:`
`306`		`- $record[$key] = stripslashes($record[$key]);`
	`306`	`+ $record[$key] = htmlentities(stripslashes($record[$key]));`
`307`	`307`	`}`
`308`	`308`	`}`
`309`	`309`	`}`
`@@ -360,6 +360,19 @@ function lng($msg) {`
`360`	`360`	`return $app->lng($msg);`
`361`	`361`	`}`
`362`	`362`	`}`
	`363`	`+`
	`364`	`+ function escapeArrayValues($search_values) {`
	`365`	`+`
	`366`	`+ $out = array();`
	`367`	`+ if(is_array($search_values)) {`
	`368`	`+ foreach($search_values as $key => $val) {`
	`369`	`+ $out[$key] = htmlentities($val,ENT_QUOTES);`
	`370`	`+ }`
	`371`	`+ }`
	`372`	`+`
	`373`	`+ return $out;`
	`374`	`+`
	`375`	`+ }`
`363`	`376`
`364`	`377`	`}`
`365`	`378`