From 71b4d2e55f5fb8a5e3c1935336f37f9957cd5f45 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 22 Jan 2008 10:20:05 +0000
Subject: [PATCH] Added htmlspecialchars to most template output and to some text which is passed to the templates.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@179 44740490-163a-0410-bde0-09ae8108e29a
---
 templates/default/en/admin-metadatalist.php | 14 +++++++-------
 templates/default/en/consent.php | 10 +++++-----
 templates/default/en/frontpage.php | 2 +-
 templates/default/en/login-ldapmulti.php | 8 ++++----
 templates/default/en/login.php | 2 +-
 templates/default/en/metadata.php | 6 +++---
 templates/default/en/openid-about.php | 8 ++++----
 templates/default/en/openid-sites.php | 2 +-
 templates/default/en/openid-trust.php | 2 +-
 templates/default/en/post-debug.php | 6 +++---
 templates/default/en/selectidp-dropdown.php | 10 +++++-----
 templates/default/en/selectidp-links.php | 6 +++---
 www/openid/provider/server.php | 4 ++--
 13 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/templates/default/en/admin-metadatalist.php b/templates/default/en/admin-metadatalist.php
index 9dec31ca1..3c2043dea 100644
--- a/templates/default/en/admin-metadatalist.php
+++ b/templates/default/en/admin-metadatalist.php
@@ -26,22 +26,22 @@
 //print_r($entity);
- echo '<h4>' . $name . '</h4>';
+ echo '<h4>' . htmlspecialchars($name) . '</h4>';
 if (isset($entity['optional.found']['description'])) {
- echo '<p>' . $entity['optional.found']['description'] . '</p>';
+ echo '<p>' . htmlspecialchars($entity['optional.found']['description']) . '</p>';
 }
 echo '<p>Required fields</p>';
 echo '<table style="width: 100%; border: 1px solid #eee"><tr><th>Key</th><th>Value</th></tr>';
 foreach ($entity['required.found'] AS $key => $value) {
- echo '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
+ echo '<tr><td>' . htmlspecialchars($key) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
 }
 echo '</table>';
 if (count($entity['required.notfound']) > 0) {
 echo '<p>The following required fields was not found:<ul>';
 foreach ($entity['required.notfound'] AS $key) {
- echo '<li>' . $key . '</li>';
+ echo '<li>' . htmlspecialchars($key) . '</li>';
 }
 echo '</ul>';
 }
@@ -50,7 +50,7 @@
 echo '<p>Optional fields</p>';
 echo '<table><tr><th>Key</th><th>Value</th></tr>';
 foreach ($entity['optional.found'] AS $key => $value) {
- echo '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
+ echo '<tr><td>' . htmlspecialchars($key) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
 }
 echo '</table>';
 }
@@ -58,7 +58,7 @@
 if (count($entity['optional.notfound']) > 0) {
 echo '<p>The following optional fields was not found:<ul>';
 foreach ($entity['optional.notfound'] AS $key) {
- echo '<li>' . $key . '</li>';
+ echo '<li>' . htmlspecialchars($key) . '</li>';
 }
 echo '</ul>';
 }
@@ -66,7 +66,7 @@
 if (count($entity['leftovers']) > 0) {
 echo '<p>The following fields was not reckognized:<ul>';
 foreach ($entity['leftovers'] AS $key => $value) {
- echo '<li>' . $key . '</li>';
+ echo '<li>' . htmlspecialchars($key) . '</li>';
 }
 echo '</ul>';
 }
diff --git a/templates/default/en/consent.php b/templates/default/en/consent.php
index cf375d53f..ec71aaa56 100644
--- a/templates/default/en/consent.php
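Review bot: In the `required.found` loop of the first hunk and the `optional.found` loop of the second, `$value` is now handed straight to htmlspecialchars(), which accepts only strings; if any metadata value is an array (the loader is not visible here, but the `leftovers` loop iterating `$key => $value` while the `*.notfound` loops iterate keys only suggests the values are not uniformly scalar), PHP emits a warning and the cell renders empty. A guard such as `htmlspecialchars(is_array($value) ? implode(', ', $value) : $value)` keeps such rows readable on an admin page. Every call in this commit also relies on the htmlspecialchars() defaults (ENT_COMPAT, and a default charset that has changed between PHP releases); passing `ENT_QUOTES, 'UTF-8'` explicitly, here and in the consent.php, frontpage.php, login-ldapmulti.php, login.php, metadata.php, openid-about.php, openid-sites.php, openid-trust.php, post-debug.php, selectidp-dropdown.php and selectidp-links.php hunks, makes the escaping independent of php.ini and still correct if a single-quoted attribute is ever introduced.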
+++ b/templates/default/en/consent.php
@@ -7,9 +7,9 @@
 <div id="content">
- <p>You are about to login to the service <strong><?php echo $data['spentityid']; ?></strong>. In the login proccess, the identity provider will send attributes containing information about your identity to this service. Do you accept this?</p>
+ <p>You are about to login to the service <strong><?php echo htmlspecialchars($data['spentityid']); ?></strong>. In the login proccess, the identity provider will send attributes containing information about your identity to this service. Do you accept this?</p>
- <p><a href="<?php echo $data['consenturl']; ?>"><strong>Yes</strong>, I accept that attributes are sent to this service</a></p>
+ <p><a href="<?php echo htmlspecialchars($data['consenturl']); ?>"><strong>Yes</strong>, I accept that attributes are sent to this service</a></p>
 <p style="font-size: x-small">[ <a href="">Show attributes that are sent</a> ]</p>
 <table style="font-size: x-small">
@@ -19,13 +19,13 @@
 $attributes = $data['attributes'];
 foreach ($attributes AS $name => $value) {
 if (sizeof($value) > 1) {
- echo '<tr><td>' . $name . '</td><td><ul>';
+ echo '<tr><td>' . htmlspecialchars($name) . '</td><td><ul>';
 foreach ($value AS $v) {
- echo '<li>' . $v . '</li>';
+ echo '<li>' . htmlspecialchars($v) . '</li>';
 }
 echo '</ul></td></tr>';
 } else {
- echo '<tr><td>' . $name . '</td><td>' . $value[0] . '</td></tr>';
+ echo '<tr><td>' . htmlspecialchars($name) . '</td><td>' . htmlspecialchars($value[0]) . '</td></tr>';
 }
 }
diff --git a/templates/default/en/frontpage.php b/templates/default/en/frontpage.php
index c428c9f22..ae757d2ea 100644
--- a/templates/default/en/frontpage.php
+++ b/templates/default/en/frontpage.php
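Review bot: The `else` branch of the attribute loop in the second hunk still reads `$value[0]`, now inside htmlspecialchars(); an attribute delivered with an empty value list (whether the IdP can produce one is not visible here) fails the `sizeof($value) > 1` test, raises an undefined-offset notice and prints an empty cell. Changing the fallback to `} elseif (count($value) === 1) {` skips such rows instead of tripping over them. The escaping added in both hunks is in the right context — `consenturl` lands in a double-quoted href, which the default flags cover.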
@@ -16,7 +16,7 @@
 <?php foreach ($data['links'] AS $link) {
- echo '<li><a href="' . $link['href'] . '">' . $link['text'] . '</a></li>';
+ echo '<li><a href="' . htmlspecialchars($link['href']) . '">' . htmlspecialchars($link['text']) . '</a></li>';
 }
 ?>
 <!-- li><a href="saml2/sp/metadata.php">Look at your SAML 2.0 SP metadata</a> - you can send this metadata document to your IdP.</a></li>
diff --git a/templates/default/en/login-ldapmulti.php b/templates/default/en/login-ldapmulti.php
index 426ff0b2b..9f3d4cdfc 100644
--- a/templates/default/en/login-ldapmulti.php
+++ b/templates/default/en/login-ldapmulti.php
@@ -12,7 +12,7 @@
 <img src="/<?php echo $data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
 <h2>What you entered was not accepted!</h2>
- <p><?php echo $data['error']; ?> </p>
+ <p><?php echo htmlspecialchars($data['error']); ?> </p>
 </div>
 <?php } ?>
@@ -30,13 +30,13 @@
 <td style="padding: .3em;">Username</td>
 <td><input type="text" tabindex="1" name="username" <?php if (isset($data['username'])) {
- echo 'value="' . $data['username'] . '"';
+ echo 'value="' . htmlspecialchars($data['username']) . '"';
 } ?> /></td>
 <td style="padding: .4em;" rowspan="3">
 <input type="submit" tabindex="3" value="Login" />
- <input type="hidden" name="RelayState" value="<?php echo $data['relaystate']; ?>" />
+ <input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($data['relaystate']); ?>" />
 </td>
 </tr>
@@ -48,7 +48,7 @@
 foreach ($data['ldapconfig'] AS $key => $entry) {
 echo '<option ' . ($key == $data['org'] ? 'selected="selected" ' : '')
- . 'value="' . $key . '">' . $entry['description'] . '</option>';
+ . 'value="' . htmlspecialchars($key) . '">' . htmlspecialchars($entry['description']) . '</option>';
 }
 ?>
diff --git a/templates/default/en/login.php b/templates/default/en/login.php
index 852383482..a4389e772 100644
--- a/templates/default/en/login.php
+++ b/templates/default/en/login.php
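Review bot: In the first login-ldapmulti.php hunk the `<img src="/<?php echo $data['baseurlpath']; ?>…">` context line directly above the newly escaped `$data['error']` still prints `baseurlpath` raw, as do the equivalent line in login.php and the about-link in openid-trust.php. That value presumably comes from configuration rather than the request, so the exposure is limited, but wrapping it the same way (`htmlspecialchars($data['baseurlpath'])`) keeps these templates free of raw echoes, which is the invariant this commit is establishing. In the third hunk `$key == $data['org']` is a loose comparison; if `org` is echoed back from the submitted form (not visible here), `===` avoids numeric-string coercion marking the wrong entry as selected.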
@@ -12,7 +12,7 @@
 <img src="/<?php echo $data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
 <h2>What you entered was not accepted!</h2>
- <p><?php echo $data['error']; ?> </p>
+ <p><?php echo htmlspecialchars($data['error']); ?> </p>
 </div>
 <?php } ?>
diff --git a/templates/default/en/metadata.php b/templates/default/en/metadata.php
index 3dd5a8e2c..e237f27f3 100644
--- a/templates/default/en/metadata.php
+++ b/templates/default/en/metadata.php
@@ -12,8 +12,8 @@
 <p>Here is SAML 2.0 metadata that simpleSAMLphp has generated for you. You may send this SAML 2.0 Metadata document to trusted partners to setup a trusted federation.</p>
 <?php if (isset($data['metaurl'])) { ?>
- <p>You can <a href="<?php echo $data['metaurl']; ?>">get the metadata xml on a dedicated URL</a>:<br />
- <input type="text" style="width: 90%" value="<?php echo $data['metaurl']; ?>" /></p>
+ <p>You can <a href="<?php echo htmlspecialchars($data['metaurl']); ?>">get the metadata xml on a dedicated URL</a>:<br />
+ <input type="text" style="width: 90%" value="<?php echo htmlspecialchars($data['metaurl']); ?>" /></p>
 <?php } ?>
 <h2>Metadata</h2>
@@ -42,7 +42,7 @@
 </p>
 <input type="hidden" name="metadata" value="<?php echo urlencode(base64_encode($data['metadata'])); ?>" />
- <input type="hidden" name="defaultidp" value="<?php echo $data['defaultidp']; ?>" />
+ <input type="hidden" name="defaultidp" value="<?php echo htmlspecialchars($data['defaultidp']); ?>" />
 <input type="submit" name="send" value="Send my metadata to Feide" />
 </form>
diff --git a/templates/default/en/openid-about.php b/templates/default/en/openid-about.php
index f72fc2b88..52e97dfc9 100644
--- a/templates/default/en/openid-about.php
+++ b/templates/default/en/openid-about.php
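Review bot: In the second metadata.php hunk the hidden `metadata` field on the context line above the newly escaped `defaultidp` is encoded with `urlencode(base64_encode(...))`, but inside a double-quoted attribute value the context-appropriate escape is htmlspecialchars(); the browser form-encodes the value again on submit, so the receiving endpoint sees a percent-encoded string inside the percent-encoded body and has to decode twice. Unless the remote endpoint documents that double encoding (not visible here), `value="<?php echo htmlspecialchars(base64_encode($data['metadata'])); ?>"` is the correct form, and base64 output contains no HTML-special characters so it is harmless when the endpoint is unchanged. The `metaurl` and `defaultidp` escapes added in both hunks are in the right context.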
@@ -21,8 +21,8 @@
 Insert the following markup into the <code><head></code> of the HTML document at that URL:
 </p>
-<pre><link rel="openid.server" href="<?php echo $data['openidserver']; ?>" />
-<link rel="openid.delegation" href="<?php echo $data['openiddelegation']; ?>" />
+<pre><link rel="openid.server" href="<?php echo htmlspecialchars($data['openidserver']); ?>" />
+<link rel="openid.delegation" href="<?php echo htmlspecialchars($data['openiddelegation']); ?>" />
 </pre>
@@ -30,9 +30,9 @@
 <p><?php if (isset($data['userid'])) {
- echo 'You are now logged in as ' . $data['userid'];
+ echo 'You are now logged in as ' . htmlspecialchars($data['userid']);
 } else {
- echo '<a href="' . $data['initssourl'] . '">Login</a>';
+ echo '<a href="' . htmlspecialchars($data['initssourl']) . '">Login</a>';
 }
 ?>
diff --git a/templates/default/en/openid-sites.php b/templates/default/en/openid-sites.php
index 024d9e7a8..1040218b4 100644
--- a/templates/default/en/openid-sites.php
+++ b/templates/default/en/openid-sites.php
@@ -40,7 +40,7 @@
 'Untrusted Sites' => $untrusted_sites) as $name => $sites) {
 if ($sites) {
- echo '<tr><th colspan="2">'. $name . '</th></tr>';
+ echo '<tr><th colspan="2">'. htmlspecialchars($name) . '</th></tr>';
 foreach ($sites as $site) {
 $siteid = 'site' . $i;
 echo '<tr>
diff --git a/templates/default/en/openid-trust.php b/templates/default/en/openid-trust.php
index 2e1266f8d..3b05e3a10 100644
--- a/templates/default/en/openid-trust.php
+++ b/templates/default/en/openid-trust.php
@@ -14,7 +14,7 @@
 <a href="/<?php echo $data['baseurlpath']; ?>/openid/provider/server.php/about">About simpleSAMLphp OpenID</a> ]</p>
 <div class="form">
- <p>Do you wish to confirm your identity URL (<code><?php echo $data['openidurl']; ?></code>)
+ <p>Do you wish to confirm your identity URL (<code><?php echo htmlspecialchars($data['openidurl']); ?></code>)
 with <code><?php echo $data['siteurl']; ?></code>?</p>
 <form method="post" action="<?php echo $data['trusturl']; ?>">
 <input type="checkbox" name="remember" value="on" id="remember"><label
diff --git a/templates/default/en/post-debug.php b/templates/default/en/post-debug.php
index a9a20e2ef..041422474 100644
--- a/templates/default/en/post-debug.php
+++ b/templates/default/en/post-debug.php
@@ -13,9 +13,9 @@
 <p>You are about to send a SAML response back to the service. Hit the send response button to continue.</p>
- <form method="post" action="<?php echo $data['destination']; ?>">
- <input type="hidden" name="SAMLResponse" value="<?php echo $data['response']; ?>" />
- <input type="hidden" name="<?php echo $data['RelayStateName']; ?>" value="<?php echo $data['RelayState']; ?>">
+ <form method="post" action="<?php echo htmlspecialchars($data['destination']); ?>">
+ <input type="hidden" name="SAMLResponse" value="<?php echo htmlspecialchars($data['response']); ?>" />
+ <input type="hidden" name="<?php echo htmlspecialchars($data['RelayStateName']); ?>" value="<?php echo htmlspecialchars($data['RelayState']); ?>">
 <input type="submit" value="Submit the response to the service" />
 </form>
diff --git a/templates/default/en/selectidp-dropdown.php b/templates/default/en/selectidp-dropdown.php
index 9aba6e2b7..c34af28f7 100644
--- a/templates/default/en/selectidp-dropdown.php
+++ b/templates/default/en/selectidp-dropdown.php
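Review bot: The openid-trust.php hunk escapes `$data['openidurl']` but leaves `$data['siteurl']` and `$data['trusturl']` raw on the two context lines immediately below it; `siteurl` names the site asking for trust and presumably originates from the OpenID consumer's request (not visible here), which makes it the most attacker-influenced value in this template and the one that most needs the treatment this commit applies. The two lines should become `with <code><?php echo htmlspecialchars($data['siteurl']); ?></code>?</p>` and `<form method="post" action="<?php echo htmlspecialchars($data['trusturl']); ?>">`. The `baseurlpath` echo at the top of the hunk is the same config-derived value left raw in login.php and login-ldapmulti.php.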
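Review bot: In the post-debug.php hunk `$data['RelayStateName']` is emitted as an attribute name, a context htmlspecialchars() does not fully cover: it leaves spaces, `=` and `/` untouched, so a name containing whitespace would still terminate the attribute and start another. That only matters if the name can be influenced by the request rather than being a fixed name chosen by the SAML code that fills this template (likely the latter, but not visible here); if it can, validate it against the expected names before rendering instead of relying on escaping. The other three escapes in this hunk sit in double-quoted attribute values, which the default flags handle.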
@@ -12,17 +12,17 @@
 <p>Please select the identity provider where you want to authenticate:</p>
 <form method="get" action="<?php echo $data['urlpattern']; ?>">
- <input type="hidden" name="entityID" value="<?php echo $data['entityID']; ?>" />
- <input type="hidden" name="return" value="<?php echo $data['return']; ?>" />
- <input type="hidden" name="returnIDParam" value="<?php echo $data['returnIDParam']; ?>" />
+ <input type="hidden" name="entityID" value="<?php echo htmlspecialchars($data['entityID']); ?>" />
+ <input type="hidden" name="return" value="<?php echo htmlspecialchars($data['return']); ?>" />
+ <input type="hidden" name="returnIDParam" value="<?php echo htmlspecialchars($data['returnIDParam']); ?>" />
 <select name="idpentityid">
 <?php foreach ($data['idplist'] AS $idpentry) {
- echo '<option value="'.$idpentry['entityid'].'"';
+ echo '<option value="'.htmlspecialchars($idpentry['entityid']).'"';
 if ($idpentry['entityid'] == $data['preferedidp']) echo ' selected="selected"';
- echo '>'.$idpentry['name'].'</option>';
+ echo '>'.htmlspecialchars($idpentry['name']).'</option>';
 }
 ?>
diff --git a/templates/default/en/selectidp-links.php b/templates/default/en/selectidp-links.php
index e75bf6664..a8e2b5bcd 100644
--- a/templates/default/en/selectidp-links.php
+++ b/templates/default/en/selectidp-links.php
@@ -16,9 +16,9 @@
 foreach ($data['idplist'] AS $idpentry) {
- echo '<h3>' . $idpentry['name'] . '</h3>';
- echo '<p>' . $idpentry['description'] . '<br />';
- echo '[ <a href="' . $data['urlpattern'] . $idpentry['entityid'] . '">Select this IdP</a>]</p>';
+ echo '<h3>' . htmlspecialchars($idpentry['name']) . '</h3>';
+ echo '<p>' . htmlspecialchars($idpentry['description']) . '<br />';
+ echo '[ <a href="' . $data['urlpattern'] . htmlspecialchars($idpentry['entityid']) . '">Select this IdP</a>]</p>';
 }
diff --git a/www/openid/provider/server.php b/www/openid/provider/server.php
index 9d4f7a753..f9677fdbb 100644
--- a/www/openid/provider/server.php
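Review bot: In the selectidp-links.php hunk the entity id is concatenated into a URL, and htmlspecialchars() is the wrong encoder for that position: it neutralises `<`, `>`, `&` and `"` for the attribute but leaves `?`, `#`, `%`, `+` and spaces intact, so an id containing any of them produces a link whose query value is truncated or misparsed. The dropdown variant in the same diff submits `idpentityid` as a GET parameter to the same `urlpattern`, which suggests the links variant appends the id as a query value; if so the line should be `echo '[ <a href="' . htmlspecialchars($data['urlpattern'] . urlencode($idpentry['entityid'])) . '">Select this IdP</a>]</p>';`, URL-encoding the value first and HTML-escaping the assembled href once. In the selectidp-dropdown.php hunk `action="<?php echo $data['urlpattern']; ?>"` is still printed raw on the context line above the three escaped hidden fields and deserves the same wrapper.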
+++ b/www/openid/provider/server.php
@@ -593,8 +593,8 @@ function doAuth($info, $trusted=null, $fail_cancels=false)
 $t = new SimpleSAML_XHTML_Template($config, 'error.php');
 $t->data['header'] = 'OpenID identity mismatch';
- $t->data['message'] = 'Your identity ' . $user . ' does not match the requested identity from the
- OpenID consumer, which was: ' . $req_url;
+ $t->data['message'] = 'Your identity ' . htmlspecialchars($user) . ' does not match the requested identity from the
+ OpenID consumer, which was: ' . htmlspecialchars($req_url);
 $t->data['e'] = new Exception('OpenID Error');
 $t->show();
-- GitLab
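Review bot: The message is now HTML-escaped where it is assembled in doAuth() rather than in error.php where it is printed, the opposite of the convention the rest of this commit applies to the templates; if error.php (not in this diff) later starts escaping `$data['message']` like the other templates now do, `$user` and `$req_url` come out double-encoded, and until then every other caller of error.php has to remember to pre-escape its own message. Either move the escaping into error.php or record the contract next to the assignment, e.g. `// error.php prints message unescaped, so HTML-escape user-controlled parts here`. doAuth() begins and ends outside this hunk, so whether other error paths in it escape consistently cannot be checked from here.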