From a0092ef384114fc718f2fc6cdc52e49ed8facedd Mon Sep 17 00:00:00 2001 From: guruevi Date: Thu, 12 Mar 2009 18:44:37 +0000 Subject: [PATCH] 2009-03-12 Evi Vanoost * include/functions.php: Added safe_output_xml which makes variables clean for output converting html entities into numeric entities understood by all XML validators * operation/events/events_rss.php: Used safe_output_xml where needed. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1531 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 8 +++++ pandora_console/include/functions.php | 36 +++++++++++++++++++ .../operation/events/events_rss.php | 23 ++++++------ 3 files changed, 57 insertions(+), 10 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index bb2e86c3e6..b06d043ec6 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,11 @@ +2009-03-12 Evi Vanoost + + * include/functions.php: Added safe_output_xml which makes variables + clean for output converting html entities into numeric entities understood + by all XML validators + + * operation/events/events_rss.php: Used safe_output_xml where needed. + 2009-03-12 Esteban Sanchez * reporting/fgraph.php: Fixed interval in combined graphs. Fixed diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index a186d118d1..310ca76761 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php 
@@ -49,6 +49,42 @@ function safe_input ($value) { } } +/** + * Cleans a string by encoding to UTF-8 and replacing the HTML + * entities to their numeric counterparts (possibly double encoding) + * + * @param mixed String or array of strings to be cleaned. + * + * @return mixed The cleaned string or array. + */ +function safe_output_xml ($string) { + if (is_numeric ($value)) + return $value; + + if (is_array ($value)) { + array_walk ($value, 'safe_output_xml'); + return $value; + } + + static $table; + static $replace; + + if (empty ($table)) { + $table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES); + $replace = array (); + + foreach ($table as $key => $value){ + $table[$key] = "/".$value."/"; + $char = htmlentities ($key, ENT_QUOTES, "UTF-8"); + $replace[$char] = "&#".ord ($key).";"; + } + } + + //now perform a replacement using preg_replace + //each matched value in $table will be replaced with the corresponding value in $replace + return preg_replace ($table, $replace, $value); +} + /** * Cleans an object or an array and casts all values as integers * diff --git a/pandora_console/operation/events/events_rss.php b/pandora_console/operation/events/events_rss.php index 11f530a09f..fffda33515 100644 --- a/pandora_console/operation/events/events_rss.php +++ b/pandora_console/operation/events/events_rss.php @@ -19,6 +19,8 @@ ini_set ('display_errors', 0); //Don't display other errors, messes up XML header("Content-Type: application/xml; charset=UTF-8"); //Send header before starting to output + + require_once "../../include/config.php"; require_once "../../include/functions.php"; require_once "../../include/functions_db.php"; 
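Review bot: The new function declares its parameter as `$string` but every statement in the body reads `$value`, which is undefined in this scope, so the is_numeric and is_array guards never match and `preg_replace` runs on a null subject; each call site in the events_rss.php hunk (@@ -93,33 +96,33 @@) therefore gets an empty string back instead of the agent name, description or validator. Renaming the parameter to `$value` is not enough on its own, because on the first call the lazy-init `foreach ($table as $key => $value)` overwrites the argument before the final `preg_replace` sees it. The array branch has a third problem: `array_walk` discards the callback's return value and the callback does not take its argument by reference, so arrays come back unchanged, whereas `array_map` returns the cleaned copy. The rewritten lines are below; `ord ($key)` also deserves a comment, since it yields the first byte only and is adequate only if the translation table's keys are single-byte characters, which this diff cannot confirm.
```php
function safe_output_xml ($value) {
	if (is_numeric ($value))
		return $value;

	// array_map returns the cleaned copy; array_walk discarded it
	if (is_array ($value))
		return array_map ('safe_output_xml', $value);

	// … unchanged: static $table / $replace declarations and the empty($table) check …
		// loop variable renamed so it no longer overwrites the argument
		foreach ($table as $key => $entity) {
			$table[$key] = "/".$entity."/";
			$char = htmlentities ($key, ENT_QUOTES, "UTF-8");
			// ord() gives the first byte only - assumes single-byte table keys
			$replace[$char] = "&#".ord ($key).";";
		}
	// … unchanged: end of init block and the preg_replace return …
```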
@@ -35,7 +37,7 @@ function rss_error_handler ($errno, $errstr, $errfile, $errline) { $rss_feed .= 'Pandora RSS FeedLatest events on Pandora'; $rss_feed .= ''.date (DATE_RFC822, 0).''; $rss_feed .= ''.$url.''; //Link back to the main Pandora page - $rss_feed .= ''; //Alternative for Atom feeds. It's the same. + $rss_feed .= ''; //Alternative for Atom feeds. It's the same. $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/eventsError creating feed'; $rss_feed .= 'There was an error creating the feed: '.$errno.' - '.$errstr.' in '.$errfile.' on line '.$errline.''; @@ -45,6 +47,7 @@ function rss_error_handler ($errno, $errstr, $errfile, $errline) { } set_error_handler ('rss_error_handler', E_ALL); //Errors output as RSS + $ev_group = get_parameter ("ev_group", 0); // group $search = get_parameter ("search", ""); // free search $event_type = get_parameter ("event_type", ''); // 0 all 
@@ -93,33 +96,33 @@ if (empty ($result)) { $lastbuild = (int) $result[0]['unix_timestamp']; } -$rss_feed = ''; //' Fixes certain highlighters freaking out on the PHP closing tag +$rss_feed = ''; // ' '; $rss_feed .= 'Pandora RSS FeedLatest events on Pandora'; $rss_feed .= ''.date (DATE_RFC822, $lastbuild).''; //Last build date is the last event - that way readers won't mark it as having new posts $rss_feed .= ''.$url.''; //Link back to the main Pandora page -$rss_feed .= ''; //Alternative for Atom feeds. It's the same. +$rss_feed .= ''; //Alternative for Atom feeds. It's the same. if (empty ($result)) { $result = array(); - $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/eventsNo results'; + $rss_feed .= ''.safe_input ($url.'/index.php?sec=eventos&sec2=operation/events/events').'No results'; $rss_feed .= 'There are no results. Click on the link to see all Pending events'; - $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/events'; + $rss_feed .= ''.safe_input ($url.'/index.php?sec=eventos&sec2=operation/events/events').''; } foreach ($result as $row) { //This is mandatory $rss_feed .= ''; - $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row['event_id']); + $rss_feed .= safe_input ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row['event_id']); $rss_feed .= ''; - $rss_feed .= htmlentities ($row['agent_name']); + $rss_feed .= safe_output_xml ($row['agent_name']); $rss_feed .= ''; - $rss_feed .= htmlentities ($row['event_descr']); + $rss_feed .= safe_output_xml ($row['event_descr']); if($row['validated'] == 1) { - $rss_feed .= '

Validated by ' . $row['validated_by']; + $rss_feed .= '

Validated by ' . safe_output_xml ($row['validated_by']); } $rss_feed .= '
'; - $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row["event_id"]); + $rss_feed .= safe_input ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row["event_id"]); $rss_feed .= ''; //The rest is optional
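Review bot: The three text fields wrapped here (`agent_name`, `event_descr`, `validated_by`) are now passed only through safe_output_xml, which, by the body added in functions.php, rewrites named entities already present in the value into numeric ones and does not itself escape a raw `<`, `>` or `&`, whereas the removed `htmlentities` calls did. Whether the feed stays well-formed therefore depends on every value having been entity-encoded on its way into the database, which this diff cannot show. A comment at the top of the loop stating that assumption would save the next reader from re-deriving it, e.g. `// safe_output_xml only renumbers entities: values must already be entity-encoded (safe_input) when stored`. The same dependency applies to the item `<link>` URLs now built with safe_input, whose definition at functions.php line 49 is outside this diff. The foreach body continues past the end of the hunk.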