Commit 2ad687ca authored by Benjamin Sonntag's avatar Benjamin Sonntag

replacing echoes and urlencode by ehe() in VALUES of forms text input fields...

replacing echoes and urlencode by ehe() in VALUES of forms text input fields (prevent UTF/ISO and ENTITIES hacking)
parent fa67c7f5
......@@ -54,15 +54,15 @@ if ($error) {
<form method="post" action="adm_doadd.php" id="main" name="main">
<table class="tedit">
<tr><th><label for="login"><?php __("Username"); ?></label></th><td>
<input type="text" class="int" name="login" id="login" value="<?php echo $login; ?>" size="20" maxlength="16" />
<input type="text" class="int" name="login" id="login" value="<?php ehe($login); ?>" size="20" maxlength="16" />
</td></tr>
<tr>
<th><label for="pass"><?php __("Initial password"); ?></label></th>
<td><input type="password" id="pass" name="pass" class="int" value="<?php echo $pass; ?>" size="20" maxlength="64" /></td>
<td><input type="password" id="pass" name="pass" class="int" value="<?php ehe($pass); ?>" size="20" maxlength="64" /></td>
</tr>
<tr>
<th><label for="passconf"><?php __("Confirm password"); ?></label></th>
<td><input type="password" id="passconf" name="passconf" class="int" value="<?php echo $passconf; ?>" size="20" maxlength="64" /></td>
<td><input type="password" id="passconf" name="passconf" class="int" value="<?php ehe($passconf); ?>" size="20" maxlength="64" /></td>
</tr>
<tr>
<th><label for="canpass"><?php __("Can he change its password"); ?></label></th>
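Review bot: The `pass` and `passconf` inputs still write the submitted password back into the response body (`value="<?php ehe($pass); ?>"`, `value="<?php ehe($passconf); ?>"`); the switch to `ehe()` closes the attribute-injection hole but leaves the cleartext password in the rendered page, where it can end up in browser form caches, saved page copies or debugging output. A safer convention for a password field is to render `value=""` and ask the user to re-enter both fields after a validation error, so `<td><input type="password" id="pass" name="pass" class="int" value="" size="20" maxlength="64" /></td>` and the same for `passconf`. The same reflected-password pattern appears in the `@@ -52,17 +52,17 @@ if (!$quota->cancreate("ftp"))` hunk. The `<form ... id="main">` opened at the top of this hunk is closed outside it.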
......@@ -77,11 +77,11 @@ if ($error) {
</tr>
<tr>
<th><label for="nom"><?php echo _("Surname")."</label> / <label for=\"prenom\">"._("First Name"); ?></label></th>
<td><input class="int" type="text" id="nom" name="nom" value="<?php echo $nom; ?>" size="20" maxlength="128" />&nbsp;/&nbsp;<input type="text" name="prenom" id="prenom" value="<?php echo $prenom; ?>" class="int" size="20" maxlength="128" /></td>
<td><input class="int" type="text" id="nom" name="nom" value="<?php ehe($nom); ?>" size="20" maxlength="128" />&nbsp;/&nbsp;<input type="text" name="prenom" id="prenom" value="<?php ehe($prenom); ?>" class="int" size="20" maxlength="128" /></td>
</tr>
<tr>
<th><label for="nmail"><?php __("Email address"); ?></label></th>
<td><input type="text" name="nmail" id="nmail" class="int" value="<?php echo $nmail; ?>" size="30" maxlength="128" /></td>
<td><input type="text" name="nmail" id="nmail" class="int" value="<?php ehe($nmail); ?>" size="30" maxlength="128" /></td>
</tr>
<tr>
<th><label for="type"><?php __("Account type"); ?></label></th>
......
......@@ -95,7 +95,7 @@ foreach($q as $name => $value) {
<tr class="lst<?php echo $col; ?>">
<td><label for="<?php echo $key; ?>"><?php echo $qarray[$name]; ?></label></td>
<td><input type="text" class="int" size="16" maxlength="16" name="<?php echo $key; ?>" id="<?php echo $name; ?>" value="<?php echo $value; ?>" /></td></tr>
<td><input type="text" class="int" size="16" maxlength="16" name="<?php echo $key; ?>" id="<?php echo $name; ?>" value="<?php ehe($value); ?>" /></td></tr>
<?php
}
?>
......
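Review bot: Only `$value` is routed through `ehe()` in the rewritten `<input>` line, while `$key`, `$name` and `$qarray[$name]` on the same two rows are still emitted with a bare `echo` into an attribute or element body; if any of them comes from the same request or database source as `$value`, the row remains injectable and the fix is incomplete. Making the whole row consistent would read `name="<?php ehe($key); ?>" id="<?php ehe($name); ?>"` and `<label for="<?php ehe($key); ?>"><?php ehe($qarray[$name]); ?></label>`; where a value is server-generated this is a consistency change rather than a fix. The same half-escaped rows occur in the `@@ -64,7 +64,7 @@ while ($db->next_record())` hunk (`$vars['name']` and `$vars['comment']` in the neighbouring `<td>`s), `@@ -130,7 +130,7 @@ if ($errbrowsefold)` (`$caller`, `$curdir` hidden fields), `@@ -52,17 +52,17 @@` and `@@ -57,9 +57,9 @@` (the `$id` hidden field) and `@@ -46,12 +46,12 @@ getFields($fields)` (`<code><?php echo $dir; ?></code>` next to the now-escaped hidden field). The `foreach` that produces these rows begins above this hunk.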
......@@ -41,7 +41,9 @@ getFields($fields);
if (!$admin->su2normal($uid)) {
$error=$err->errstr();
}
} else {
$error=_("This account is now a normal account");
}
include("adm_edit.php");
......
......@@ -41,7 +41,9 @@ getFields($fields);
if (!$admin->normal2su($uid)) {
$error=$err->errstr();
}
} else {
$error=_("This account is now an administrator account");
}
include("adm_edit.php");
......
......@@ -55,6 +55,8 @@ if (!$r=$admin->get($uid)) {
?>
<h3><?php __("Member Edition"); ?></h3>
<hr id="topbar"/>
<br />
<?php
if ($error) {
echo "<p class=\"error\">$error</p>";
......@@ -96,15 +98,15 @@ if (!$r=$admin->get($uid)) {
</tr>
<tr>
<th><label for="notes"><?php __("Notes"); ?></label></th>
<td><textarea name="notes" id="notes" class="int" cols="32" rows="5"><?php echo $r['notes']; ?></textarea></td>
<td><textarea name="notes" id="notes" class="int" cols="32" rows="5"><?php ehe($r['notes']); ?></textarea></td>
</tr>
<tr>
<th><label for="nom"><?php echo _("Surname")."</label> / <label for=\"prenom\">"._("First Name"); ?></label></th>
<td><input type="text" class="int" name="nom" id="nom" value="<?php echo $r["nom"]; ?>" size="20" maxlength="128" />&nbsp;/&nbsp;<input type="text" class="int" name="prenom" id="prenom" value="<?php echo $r["prenom"]; ?>" size="20" maxlength="128" /></td>
<td><input type="text" class="int" name="nom" id="nom" value="<?php ehe($r["nom"]); ?>" size="20" maxlength="128" />&nbsp;/&nbsp;<input type="text" class="int" name="prenom" id="prenom" value="<?php ehe($r["prenom"]); ?>" size="20" maxlength="128" /></td>
</tr>
<tr>
<th><label for="nmail"><?php __("Email address"); ?></label></th>
<td><input type="text" class="int" name="nmail" id="nmail" value="<?php echo $r["mail"]; ?>" size="30" maxlength="128" /></td>
<td><input type="text" class="int" name="nmail" id="nmail" value="<?php ehe($r["mail"]); ?>" size="30" maxlength="128" /></td>
</tr>
<tr>
<th><label for="type"><?php __("Account type"); ?></label></th>
......@@ -169,8 +171,9 @@ if ($r["su"]) {
<p><?php
}
$c=$admin->get($r["creator"]);
printf(_("Account created by %s"),$c["login"]);
if ($c=$admin->get($r["creator"])) {
printf(_("Account created by %s"),$c["login"]);
}
?>
</p>
<script type="text/javascript">
......
......@@ -64,6 +64,8 @@ $r=$admin->get_list($show == 'all' ? 1 : 0, $creator);
?>
<h3><?php __("AlternC account list"); ?></h3>
<hr id="topbar"/>
<br />
<?php
if ($error) {
echo "<p class=\"error\">$error</p>";
......
......@@ -98,8 +98,8 @@ for($i=0;$i<count($c);$i++) {
<table border="0" cellpadding="4" cellspacing="0">
<tr><th><label for="newlogin"><?php __("Login"); ?></label></th><th><label for="newpass"><?php __("Password"); ?></label></th></tr>
<tr>
<td><input type="text" class="int" value="<?php echo urlencode($newlogin); ?>" id="newlogin" name="newlogin" maxlength="64" size="32" /> / </td>
<td><input type="password" class="int" value="<?php echo urlencode($newpass); ?>" id="newpass" name="newpass" maxlength="64" size="32" /></td>
<td><input type="text" class="int" value="<?php ehe($newlogin); ?>" id="newlogin" name="newlogin" maxlength="64" size="32" /> / </td>
<td><input type="password" class="int" value="<?php ehe($newpass); ?>" id="newpass" name="newpass" maxlength="64" size="32" /></td>
</tr>
<tr><td colspan="2">
<input type="submit" value="<?php __("Add this account to the allowed list"); ?>" class="inb" />
......
......@@ -38,6 +38,8 @@ include_once("head.php");
?>
<h3><?php __("Admin Control Panel"); ?></h3>
<hr id="topbar"/>
<br />
<?php
if ($error) {
echo "<p class=\"error\">$error</p>";
......
......@@ -53,6 +53,8 @@ $mem->unsu();
?>
<h3><?php __("Editing the quotas of a member"); ?></h3>
<hr id="topbar"/>
<br />
<?php
if ($error) {
echo "<p class=\"error\">$error</p>";
......
......@@ -97,8 +97,8 @@ for($i=0;$i<count($c);$i++) {
<table border="0" cellpadding="4" cellspacing="0">
<tr><th><label for="newlogin"><?php __("Login"); ?></label></th><th><label for="newpass"><?php __("Password"); ?></label></th></tr>
<tr>
<td><input type="text" class="int" value="<?php echo urlencode($newlogin); ?>" id="newlogin" name="newlogin" maxlength="64" size="32" /> / </td>
<td><input type="password" class="int" value="<?php echo urlencode($newpass); ?>" id="newpass" name="newpass" maxlength="64" size="32" /></td>
<td><input type="text" class="int" value="<?php ehe($newlogin); ?>" id="newlogin" name="newlogin" maxlength="64" size="32" /> / </td>
<td><input type="password" class="int" value="<?php ehe($newpass); ?>" id="newpass" name="newpass" maxlength="64" size="32" /></td>
</tr>
<tr><td colspan="2">
<input type="submit" value="<?php __("Add this account to the allowed list"); ?>" class="inb" />
......
......@@ -96,7 +96,7 @@ for($i=0;$i<count($c);$i++) {
<table border="0" cellpadding="4" cellspacing="0">
<tr><th><label for="newip"><?php __("IP Address"); ?></label></th><th><label for="newclass"><?php __("Prefix"); ?></label></th></tr>
<tr>
<td style="text-align: right"><input type="text" class="int" value="<?php echo urlencode($newip); ?>" id="newip" name="newip" maxlength="15" size="20" style="text-align:right" /> / </td>
<td style="text-align: right"><input type="text" class="int" value="<?php ehe(newip); ?>" id="newip" name="newip" maxlength="15" size="20" style="text-align:right" /> / </td>
<td><input type="text" class="int" value="<?php echo urlencode($newclass); ?>" id="newclass" name="newclass" maxlength="2" size="3" /></td>
</tr>
<tr><td colspan="2">
......
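Review bot: `ehe(newip)` is missing the `$` sigil, so PHP resolves `newip` as a constant; on the PHP versions of this era that produces an undefined-constant notice and renders the literal string `newip`, and on PHP 8 it is a fatal `Error`, so the field never shows the submitted address. The line should read `value="<?php ehe($newip); ?>"`. The neighbouring `newclass` input on the following line still uses `echo urlencode($newclass)`, which is exactly the pattern this commit replaces (URL-encoding is the wrong escaping for an HTML attribute), and should become `value="<?php ehe($newclass); ?>"`. The enclosing `for` loop starts above this hunk.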
......@@ -54,7 +54,7 @@ include_once ("head.php");
<form method="post" action="adm_tlddoadd.php">
<table border="0" cellpadding="4" cellspacing="0">
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php echo $tld; ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php ehe($tld); ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" id="mode" class="inl">
<?php $admin->selecttldmode($mode); ?>
</select></td></tr>
......
......@@ -64,7 +64,7 @@ while ($db->next_record()) {
<tr class="lst<?php echo $col; ?>">
<td><?php echo $vars['name']; ?></td>
<td><input type="text" name="<?php echo $vars['name']?>" value="<?php echo $vars['value']?>" /></td>
<td><input type="text" name="<?php ehe($vars['name']); ?>" value="<?php ehe($vars['value']); ?>" /></td>
<td><?php echo $vars['comment']; ?></td>
</tr>
<? } ?>
......
......@@ -164,7 +164,7 @@ if ($c===false) $error=$err->errstr();
<form action="bro_main.php" method="post" name="nn" id="nn">
<input type="hidden" name="R" value="<?php echo $R; ?>" />
<table><tr>
<td><input type="text" class="int" name="nomfich" size="22" maxlength="255" /></td>
<td><input type="text" class="int" name="nomfich" id="nomfich" size="22" maxlength="255" /></td>
<td><input type="submit" class="ina" value="<?php __("Create"); ?>" /></td>
</tr><tr><td>
<input type="radio" class="inc" id="nfile" onclick="document.nn.nomfich.focus();" name="formu" value="6" <?php if (!$p["crff"]) echo "checked=\"checked\""; ?> /><label for="nfile">&nbsp;<?php __("File"); ?></label>
......
......@@ -130,7 +130,7 @@ if ($errbrowsefold) {
<input type="hidden" name="caller" value="<?php echo $caller; ?>" />
<input type="hidden" name="lastcurdir" value="<?php echo $curdir; ?>" />
<input type="text" class="int" name="file" size="20" value="<?php echo $file ?>" /><br />
<input type="text" class="int" name="file" size="20" value="<?php ehe($file); ?>" /><br />
<input type="submit" name="select" value="<?php __("Select"); ?>" class="inb" />&nbsp;
<input type="button" name="cancel" value="<?php __("Cancel"); ?>" class="inb" onclick="window.close();" />&nbsp;
......
......@@ -52,17 +52,17 @@ if (!$quota->cancreate("ftp")) {
<table>
<tr><th><input type="hidden" name="id" value="<?php echo $id ?>" />
<label for="login"><?php __("Username"); ?></label></th><td>
<select class="inl" name="prefixe"><?php $ftp->select_prefix_list($prefixe); ?></select>&nbsp;<b>_</b>&nbsp;<input type="text" class="int" name="login" id="login" value="<?php echo $login; ?>" size="20" maxlength="64" />
<select class="inl" name="prefixe"><?php $ftp->select_prefix_list($prefixe); ?></select>&nbsp;<b>_</b>&nbsp;<input type="text" class="int" name="login" id="login" value="<?php ehe($login); ?>" size="20" maxlength="64" />
</td></tr>
<tr><th><label for="dir"><?php __("Folder"); ?></label></th><td><input type="text" class="int" name="dir" id="dir" value="<?php echo $dir; ?>" size="20" maxlength="255" />
<tr><th><label for="dir"><?php __("Folder"); ?></label></th><td><input type="text" class="int" name="dir" id="dir" value="<?php ehe($dir); ?>" size="20" maxlength="255" />
<script type="text/javascript">
<!--
document.write("&nbsp;<input type=\"button\" name=\"bff\" onclick=\"browseforfolder('main.dir');\" value=\" <?php __("Choose a folder..."); ?> \" class=\"bff\">");
// -->
</script>
</td></tr>
<tr><th><label for="pass"><?php __("Password"); ?></label></th><td><input type="password" class="int" name="pass" id="pass" value="<?php echo $pass; ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="passconf"><?php __("Confirm password"); ?></label></th><td><input type="password" class="int" name="passconf" id="passconf" value="<?php echo $passconf; ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="pass"><?php __("Password"); ?></label></th><td><input type="password" class="int" name="pass" id="pass" value="<?php ehe($pass); ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="passconf"><?php __("Confirm password"); ?></label></th><td><input type="password" class="int" name="passconf" id="passconf" value="<?php ehe($passconf); ?>" size="20" maxlength="64" /></td></tr>
<tr class="trbtn"><td colspan="2">
<input type="submit" class="inb" name="submit" value="<?php __("Create this new FTP account."); ?>" />
<input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='ftp_list.php'"/>
......
......@@ -57,9 +57,9 @@ if (!$id) {
<table border="1" cellspacing="0" cellpadding="4">
<tr><th><input type="hidden" name="id" value="<?php echo $id ?>" />
<label for="login"><?php __("Username"); ?></label></th><td>
<select class="inl" name="prefixe"><?php $ftp->select_prefix_list($r["prefixe"]); ?></select>&nbsp;<b>_</b>&nbsp;<input type="text" class="int" name="login" id="login" value="<?php echo $r["login"]; ?>" size="20" maxlength="64" />
<select class="inl" name="prefixe"><?php $ftp->select_prefix_list($r["prefixe"]); ?></select>&nbsp;<b>_</b>&nbsp;<input type="text" class="int" name="login" id="login" value="<?php ehe($r["login"]); ?>" size="20" maxlength="64" />
</td></tr>
<tr><th><label for="dir"><?php __("Folder"); ?></label></th><td><input type="text" class="int" name="dir" id="dir" value="<?php echo $r["dir"]; ?>" size="20" maxlength="64" />
<tr><th><label for="dir"><?php __("Folder"); ?></label></th><td><input type="text" class="int" name="dir" id="dir" value="<?php ehe($r["dir"]); ?>" size="20" maxlength="64" />
<script type="text/javascript">
<!--
......
......@@ -48,7 +48,7 @@ include_once("head.php");
<table border="1" cellspacing="0" cellpadding="4">
<tr>
<td><label for="dir"><?php __("Folder"); ?></label></td>
<td><input type="text" class="int" name="dir" id="dir" value="<?php echo $value ?>" maxlength="255" />
<td><input type="text" class="int" name="dir" id="dir" value="<?php ehe($dir); ?>" maxlength="255" />
<script type="text/javascript">
<!--
document.write("&nbsp;<input type=\"button\" name=\"bff\" onclick=\"browseforfolder('main.dir');\" value=\" <?php __("Choose a folder..."); ?> \" class=\"bff\">");
......
......@@ -46,12 +46,12 @@ getFields($fields);
<form method="post" action="hta_doadduser.php" name="main" id="main">
<table border="1" cellspacing="0" cellpadding="4">
<tr>
<td><input type="hidden" name="dir" value="<?php echo $dir ?>" /><?php __("Folder"); ?></td>
<td><input type="hidden" name="dir" value="<?php ehe($dir); ?>" /><?php __("Folder"); ?></td>
<td><code><?php echo $dir; ?></code></td>
</tr>
<tr>
<td><label for="user"><?php __("Username"); ?></label></td>
<td><input type="text" class="int" name="user" id="user" value="" size="20" maxlength="64" /></td>
<td><input type="text" class="int" name="user" id="user" value="<?php ehe($user); ?>" size="20" maxlength="64" /></td>
</tr>
<tr>
<td><label for="password"><?php __("Password"); ?></label></td>
......
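Review bot: The `user` input's value changes from the literal `""` to `<?php ehe($user); ?>`, but nothing in this hunk shows `$user` being populated; unless `"user"` is part of the `$fields` array consumed by `getFields($fields)` above the hunk, this is an undefined-variable notice and an empty string at runtime. It is worth confirming against the top of the file; if the field is only ever blank on first display, a comment such as `<?php /* $user is re-displayed after a failed hta_doadduser.php submission */ ?>` would document the intent. The hidden `dir` field is now escaped while `<code><?php echo $dir; ?></code>` two lines below still prints it raw.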
......@@ -30,6 +30,11 @@
require_once("../class/config.php");
$fields = array (
"dir" => array ("request", "string", ""),
);
getFields($fields);
if(!$hta->CreateDir($dir)) {
$error=$err->errstr();
include("hta_add.php");
......