From 2ff43abcf5860f4002d4fbb2aee930b22ab93ea6 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Wed, 23 Jul 2014 12:12:05 +0200
Subject: [PATCH] Do not use htmlspecialchars in widgets

refs #6759
---
 library/Icinga/Web/Widget/AbstractWidget.php | 2 +-
 library/Icinga/Web/Widget/AlertMessageBox.php | 2 +-
 library/Icinga/Web/Widget/Chart/InlinePie.php | 16 ++++++++--------
 library/Icinga/Web/Widget/Tabs.php | 2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/library/Icinga/Web/Widget/AbstractWidget.php b/library/Icinga/Web/Widget/AbstractWidget.php
index 37fb7ad36..962bcc210 100644
--- a/library/Icinga/Web/Widget/AbstractWidget.php
+++ b/library/Icinga/Web/Widget/AbstractWidget.php
@@ -118,7 +118,7 @@ abstract class AbstractWidget
 try {
 $html = $this->render($this->view());
 } catch (Exception $e) {
- return htmlspecialchars($e->getMessage());
+ return $this->escape($e->getMessage());
 }
 return (string) $html;
 }
diff --git a/library/Icinga/Web/Widget/AlertMessageBox.php b/library/Icinga/Web/Widget/AlertMessageBox.php
index 09016f490..69113912e 100644
--- a/library/Icinga/Web/Widget/AlertMessageBox.php
+++ b/library/Icinga/Web/Widget/AlertMessageBox.php
@@ -124,7 +124,7 @@ class AlertMessageBox extends AbstractWidget
 $alert = $this->states[$level];
 $html .= '
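Review bot: The `+` line still returns the raw exception message as the widget's output, so the switch to `$this->escape()` prevents markup injection but not disclosure of whatever `$e->getMessage()` carries (file paths, driver or configuration errors); the `@@ -259` hunk in Tabs.php has the same pattern. Rendering a neutral text instead, e.g. `return $this->escape('Failed to render widget');`, and handing the caught exception to whatever logging the widget has access to keeps that detail out of the response. `escape()` itself is defined outside this hunk; confirm it passes `ENT_QUOTES` and an explicit `UTF-8` charset, since the replaced `htmlspecialchars()` with default arguments leaves single quotes untouched and, on PHP releases before 5.4, assumes ISO-8859-1, which is presumably what #6759 is about. The enclosing method's signature is above the hunk.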
' . $this->view()->icon($alert['icon']) .
- '' . htmlspecialchars($message->getMessage()) . '' .
+ '' . $this->escape($message->getMessage()) . '' .
 '
';
 }
 return $html;
diff --git a/library/Icinga/Web/Widget/Chart/InlinePie.php b/library/Icinga/Web/Widget/Chart/InlinePie.php
index e4621ba09..8a36dbf01 100644
--- a/library/Icinga/Web/Widget/Chart/InlinePie.php
+++ b/library/Icinga/Web/Widget/Chart/InlinePie.php
@@ -24,7 +24,7 @@ class InlinePie extends AbstractWidget
 const NUMBER_FORMAT_TIME = 'time';
 const NUMBER_FORMAT_BYTES = 'bytes';
 const NUMBER_FORMAT_RATIO = 'ratio';
-
+
 /**
 * The template string used for rendering this widget
 * The template string used for rendering this widget
@@ -137,7 +137,7 @@ EOD;
 * @var string
 */
 private $tooltipFormat = '{{title}}
{{label}}: {{formatted}} ({{percent}}%)';
-
+
 /**
 * The number format used to render numeric values in tooltips
 *
@@ -212,7 +212,7 @@ EOD;
 {
 $this->format = $format;
 }
-
+
 /**
 * A format string used to render the content of the piechart tooltips
 *
@@ -346,11 +346,11 @@ EOD;
 {
 $template = $this->template;
 $template = str_replace('{url}', $this->url, $template);
-
+
 // style
 $template = str_replace('{width}', $this->width, $template);
 $template = str_replace('{height}', $this->height, $template);
- $template = str_replace('{title}', htmlspecialchars($this->title), $template);
+ $template = str_replace('{title}', $this->escape($this->title), $template);
 $template = str_replace('{style}', $this->style, $template);
 $template = str_replace('{colors}', implode(',', $this->colors), $template);
 $template = str_replace('{borderWidth}', $this->borderWidth, $template);
@@ -370,9 +370,9 @@ EOD;
 foreach ($this->data as $key => $value) {
 $formatted[$key] = $this->formatValue($value);
 }
- $template = str_replace('{data}', htmlspecialchars(implode(',', $data)), $template);
- $template = str_replace('{formatted}', htmlspecialchars(implode('|', $formatted)), $template);
- $template = str_replace('{labels}', htmlspecialchars($this->createLabelString()), $template);
+ $template = str_replace('{data}', $this->escape(implode(',', $data)), $template);
+ $template = str_replace('{formatted}', $this->escape(implode('|', $formatted)), $template);
+ $template = str_replace('{labels}', $this->escape($this->createLabelString()), $template);
 $template = str_replace('{tooltipFormat}', $this->tooltipFormat, $template);
 return $template;
 }
diff --git a/library/Icinga/Web/Widget/Tabs.php b/library/Icinga/Web/Widget/Tabs.php
index cd480ba32..25f88533b 100644
--- a/library/Icinga/Web/Widget/Tabs.php
+++ b/library/Icinga/Web/Widget/Tabs.php
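Review bot: In the `@@ -346` hunk the placeholders are substituted one `str_replace` at a time, so a value inserted early that happens to contain a later placeholder is rewritten again: a title containing the text `{style}` or `{colors}` is escaped on the `+` line and then expanded by the calls that follow, and the same holds for `{data}`, `{formatted}` and `{labels}` before `{tooltipFormat}` in the `@@ -370` hunk. `$this->escape()` does not touch braces, so it does not close this; a single `strtr()` over a map of all placeholders replaces each token exactly once and never rescans inserted values. Separately, `{url}`, `{style}`, `{width}`, `{height}`, `{colors}` and `{borderWidth}` are substituted unescaped, so if any of them can be set from request-derived input they need the same treatment as `{title}`, with the quoting of the surrounding attribute in mind. The method's signature is above the first hunk and the lines between the two hunks (357–369) are not shown, so the map below only lists the placeholders visible here.
```php
// … unchanged: building $data and $formatted from $this->data …
$replacements = array(
    '{url}'           => $this->url,
    '{width}'         => $this->width,
    '{height}'        => $this->height,
    '{title}'         => $this->escape($this->title),
    '{style}'         => $this->style,
    '{colors}'        => implode(',', $this->colors),
    '{borderWidth}'   => $this->borderWidth,
    // … unchanged: placeholders handled in lines 357–369 belong in this map as well …
    '{data}'          => $this->escape(implode(',', $data)),
    '{formatted}'     => $this->escape(implode('|', $formatted)),
    '{labels}'        => $this->escape($this->createLabelString()),
    '{tooltipFormat}' => $this->tooltipFormat,
);
return strtr($this->template, $replacements);
```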
@@ -259,7 +259,7 @@ EOT;
 try {
 $html = $this->render(Icinga::app()->getViewRenderer()->view);
 } catch (Exception $e) {
- return htmlspecialchars($e->getMessage());
+ return $this->escape($e->getMessage());
 }
 return $html;
 }
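Review bot: The success path on the last context line returns `$html` without the `(string)` cast that the matching fallback in AbstractWidget.php applies (`return (string) $html;`), although both take the result of `render()`; if `render()` can return a non-string here and this method is a `__toString()` like the other one, the uncast value is a fatal error rather than output, so `return (string) $html;` would align the two. The view is also obtained differently, via `Icinga::app()->getViewRenderer()->view` instead of `$this->view()`; if Tabs inherits that accessor, using it keeps the two fallbacks identical. The method's signature is above the hunk.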