Fixes for folder names containing '
authorJean-Michel Vourgère <jvourger@greenpeace.org>
Sat, 25 Feb 2017 22:21:02 +0000 (11:21 +1300)
committerJean-Michel Vourgère <jvourger@greenpeace.org>
Thu, 9 Mar 2017 18:06:30 +0000 (18:06 +0000)
squasher.class.php

index 1427e405372d7ac03302be7efab91e7af3fbafc1..a699f4c8e8dd1f495e7fb035f34c29015f810a0c 100644 (file)
@@ -241,7 +241,8 @@ function get_rights($user_id) {
 
                        //create folder structure array
                        foreach ($folder_arr AS $key => $value) {
-                               $arr_string .= "['".$value."']";
+                               $value_escaped = str_replace("'", "\\'", $value);
+                               $arr_string .= "['".$value_escaped."']";
                        }
                }
                $arr_string .= "['__access__']";
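Review bot: The escaping added inside the `foreach` covers only `'`, so a folder name containing a backslash can still change the single-quoted literal built in `$arr_string`: an input `\'` becomes `\\'`, which closes the string early. Escape the backslash too, for example `$value_escaped = addcslashes($value, "'\\");`. The use of `$arr_string` is outside this hunk; if it is passed to `eval()`, as the generated subscript syntax suggests, walking the nested array by reference instead of generating code would remove the need for escaping altogether. get_rights() starts and ends outside the hunk.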
@@ -329,10 +330,11 @@ function show_rights_tree($path, $depth=0, $userid=0) {
                                                $style[$depth] = ".depth".$depth."{float:right;width:".(600-($depth*10))."px;border-left:2px solid #FFFFFF;border-top:1px solid #FFFFFF;background:#".dechex(14-$depth).dechex(14-$depth).dechex(14-$depth).dechex(14-$depth).dechex(14-$depth).dechex(14-$depth).";}";
                                        if ($f==1)
                                                $layout .= "<div class='depth".$depth."'>";
-                                       $layout .= "<div class='white_border' >".$file."</div>\n";
-                                       $layout .= "<div class='check_deny'><input name='m[".$name."]' value=0 type=radio ".$check_deny."></div>\n";
-                                       $layout .= "<div class='check_allow'><input name='m[".$name."]' value=1 type=radio ".$check_allow."></div>\n";
-                                       $layout .= "<div class='check_all'><input name='m[".$name."]' value=2 type=radio ".$check_all."></div>\n";
+                                       $layout .= "<div class='white_border' >".htmlspecialchars($file)."</div>\n";
+                                       $name_escaped = htmlspecialchars($name);
+                                       $layout .= '<div class="check_deny"><input name="m['.$name_escaped.']" value=0 type=radio '.$check_deny."></div>\n";
+                                       $layout .= '<div class="check_allow"><input name="m['.$name_escaped.']" value=1 type=radio '.$check_allow."></div>\n";
+                                       $layout .= '<div class="check_all"><input name="m['.$name_escaped.']" value=2 type=radio '.$check_all."></div>\n";
                                        $sub_return = $this->show_rights_tree($filename,$depth+1,$userid);
                                        if (is_array($style) && is_array($sub_return['style']))
                                                $style = $style + $sub_return['style'];
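Review bot: The new `htmlspecialchars($file)` and `htmlspecialchars($name)` calls rely on the default flags and charset, which depend on the PHP version and ini settings. Before PHP 8.1 the default is `ENT_COMPAT`, which leaves `'` unescaped, so the `name` attributes are safe only because this change also switched them to double quotes. Pass the arguments explicitly, `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` (assuming the page is served as UTF-8) and the same for `$file`, so the escaping does not depend on quote style or runtime. Separately, a folder name containing `]` may not round-trip through the `m[...]` field name when PHP parses the submitted form; that is worth checking in the handler, which is not visible here. show_rights_tree() continues outside the hunk.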