[foundation-web] Prevent XSS by escaping the output



commit 26d33af6e2f83edfd7d88734fefdcee06a33f4dc
Author: Olav Vitters <olav bkor dhs org>
Date:   Sat Jun 6 13:54:24 2009 +0200

    Prevent XSS by escaping the output
---
 .../vote/include/step3-confirm.php                 |    8 ++--
 foundation.gnome.org/vote/include/step4-commit.php |    2 +-
 foundation.gnome.org/vote/index.wml                |    4 +-
 foundation.gnome.org/vote/results.wml              |   10 +++---
 foundation.gnome.org/vote/vote.wml                 |   31 +++++++++++++-------
 foundation.gnome.org/vote/votes.wml                |   16 +++++-----
 6 files changed, 40 insertions(+), 31 deletions(-)

diff --git a/foundation.gnome.org/vote/include/step3-confirm.php b/foundation.gnome.org/vote/include/step3-confirm.php
index 73528c9..dcac8ac 100644
--- a/foundation.gnome.org/vote/include/step3-confirm.php
+++ b/foundation.gnome.org/vote/include/step3-confirm.php
@@ -8,7 +8,7 @@ function step3_do () {
 
   $result = "<h2>Step 3/4 - Confirm your vote</h2>\n";
 
-  $result .= "<p><strong>".$election["question"]."</strong></p>\n";
+  $result .= "<p><strong>".htmlspecialchars($election["question"])."</strong></p>\n";
   if (count ($votes_array) >= 1) {
     $result .= "<p>You choose to vote for:</p>\n";
 
@@ -18,15 +18,15 @@ function step3_do () {
       $found = FALSE;
       foreach ($choices as $choice) {
         if ($choice["id"] == $vote) {
-          $result .= "<li>".$choice["choice"]."</li>\n";
+          $result .= "<li>".htmlspecialchars($choice["choice"])."</li>\n";
           $found = TRUE;
           break;
         }
       } 
 
       if (!$found) {
-        $result .= "<li>Unknown vote: ".$vote."</li>\n";
-        $error .= "There was an unkown vote: ".$vote."<br />\n";
+        $result .= "<li>Unknown vote: ".htmlspecialchars($vote)."</li>\n";
+        $error .= "There was an unkown vote: ".htmlspecialchars($vote)."<br />\n";
       }
     }
     $result .= "</ol>\n";
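Review bot: `$vote` is now escaped when appended to `$error` on the `There was an unkown vote:` line, but the same commit also escapes the whole of `$error` again at output (`echo "<div class=\"error\">".htmlspecialchars($error)` in vote.wml, results.wml and votes.wml), so a value containing `&` or `<` is double-encoded and the `<br />` appended here is displayed literally instead of breaking the line. One convention has to be chosen: either `$error` is plain text (drop the `<br />` here and apply `nl2br()` to the escaped output), or, matching `echo $result; // already HTML escaped`, `$error` is a pre-escaped HTML fragment that the output sites echo raw, with every append escaping its own dynamic parts as this line already does. `step3_do()` begins outside the hunk.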
diff --git a/foundation.gnome.org/vote/include/step4-commit.php b/foundation.gnome.org/vote/include/step4-commit.php
index 317c494..208616e 100644
--- a/foundation.gnome.org/vote/include/step4-commit.php
+++ b/foundation.gnome.org/vote/include/step4-commit.php
@@ -95,7 +95,7 @@ function step4_do () {
   $result .= "<h2>Step 4/4 - Keep your anonymous token</h2>\n";
   $result .= "<h3>Your vote has been received.</h3>\n";
   $result .= "<p>Please write this anonymous token somewhere:</p>\n";
-  $result .= "<div class=\"votedata\"><p><strong><span class=\"token\">".$anon_token."</span></strong></p></div>\n";
+  $result .= "<div class=\"votedata\"><p><strong><span class=\"token\">".htmlspecialchars($anon_token)."</span></strong></p></div>\n";
   $result .= "<p>This anonymous token will enable you to verify your vote when the preliminary results will be published. Nobody, even the Membership and Elections Committee, except you knows that this token is associated with you and only you will be able to verify your vote. It is not possible to request this anonymous token later.</p>\n";
 
   return $result;
diff --git a/foundation.gnome.org/vote/index.wml b/foundation.gnome.org/vote/index.wml
index 9bf1a1e..77ffe8b 100644
--- a/foundation.gnome.org/vote/index.wml
+++ b/foundation.gnome.org/vote/index.wml
@@ -40,7 +40,7 @@ if (count ($current_elections) > 0) {
 <ul>
 <?php
 	foreach ($current_elections as $election) {
-    echo "  <li><a href=\"vote.php?election_id=".$election["id"]."\">".$election["name"]."</a></li>\n";
+    echo "  <li><a href=\"vote.php?election_id=".rawurlencode($election["id"])."\">".htmlspecialchars($election["name"])."</a></li>\n";
 	}
 ?>
 </ul>
@@ -57,7 +57,7 @@ if (count ($previous_elections) > 0) {
 <ul>
 <?php
 	foreach ($previous_elections as $election) {
-    echo "  <li><a href=\"results.php?election_id=".$election["id"]."\">".$election["name"]."</a></li>\n";
+    echo "  <li><a href=\"results.php?election_id=".rawurlencode($election["id"])."\">".htmlspecialchars($election["name"])."</a></li>\n";
 	}
 ?>
 </ul>
diff --git a/foundation.gnome.org/vote/results.wml b/foundation.gnome.org/vote/results.wml
index 2c397de..200a21b 100644
--- a/foundation.gnome.org/vote/results.wml
+++ b/foundation.gnome.org/vote/results.wml
@@ -47,24 +47,24 @@ if ($display && $election_id >= 0) {
 if (isset ($election) && $election !== FALSE) {
   if ($results !== FALSE)
   {
-    echo "<h1>Results for the ".$election["name"]."</h1>\n";
+    echo "<h1>Results for the ".htmlspecialchars($election["name"])."</h1>\n";
   } else {
     $error .= "The voting period for the specified ".elec_election_get_type ($election)." has closed, but the results of the election have not yet been calculated. It is not possible to see the results now.<br />\n";
-    echo "<p>In the meantime, you can look at the <a href=\"votes.php?election_id=".$election_id."\">list of all votes</a> and verify that your vote is correct.</p>\n";
+    echo "<p>In the meantime, you can look at the <a href=\"votes.php?election_id=".rawurlencode($election_id)."\">list of all votes</a> and verify that your vote is correct.</p>\n";
     $display = FALSE;
   }
 }
 
 if ($display) {
   echo "<hr/>";
-  echo $results["result"];
+  echo htmlspecialchars($results["result"]);
   echo "<hr/>";
    
-  echo "<p>Please look at the <a href=\"votes.php?election_id=".$election_id."\">list of all votes</a> and verify that your vote is correct.</p>\n";
+  echo "<p>Please look at the <a href=\"votes.php?election_id=".rawurlencode($election_id)."\">list of all votes</a> and verify that your vote is correct.</p>\n";
 }
 
 if (isset ($error) && $error != "") {
-  echo "<div class=\"error\">".$error."</div>\n";;
+  echo "<div class=\"error\">".htmlspecialchars($error)."</div>\n";;
   echo "<p>If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at <a href=\"mailto:elections gnome org\">elections gnome org</a>.</p>\n";
 }
 
diff --git a/foundation.gnome.org/vote/vote.wml b/foundation.gnome.org/vote/vote.wml
index 62d37df..ae119a7 100644
--- a/foundation.gnome.org/vote/vote.wml
+++ b/foundation.gnome.org/vote/vote.wml
@@ -106,6 +106,15 @@ cursor: pointer;
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
 
 <?php
+
+function escape_js_var($var) {
+    $var = preg_replace("([\\\'\"\/])", "\\$1");
+    $var = str_replace("\n", "\\n");
+    $var = str_replace("\r", "\\r");
+
+    return $var;
+}
+
 if ($step==2)
 {
 ?>
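Review bot: `escape_js_var()` never passes `$var` as the subject: `preg_replace()` and both `str_replace()` calls receive only a pattern and a replacement, so on PHP 5 each emits a warning and returns NULL, and every choice ends up written into the page's JavaScript as an empty string. The pattern also uses `(` and `)` as the PCRE delimiters, so there is no capture group for `$1` to refer to and the replacement would drop the matched character rather than prefix it. Replacing the three statements with `$var = preg_replace('/([\\\\\'"\/])/', '\\\\$1', $var);` and `$var = str_replace(array("\n", "\r"), array('\\n', '\\r'), $var);` (or the single `return addcslashes($var, "\\'\"/\n\r");`) gives the intended escaping of backslash, both quotes, slash and line breaks for a single-quoted JS string literal.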
@@ -137,9 +146,9 @@ function populateList(){
   foreach ($choices as $choice) {
     $index++;
     echo "  listItem = document.createElement('li');\n";
-    echo "  listItem.setAttribute('name', 'vote" . $choice["id"] . "');\n";
+    echo "  listItem.setAttribute('name', 'vote" . escape_js_var($choice["id"]) . "');\n";
     echo "  listItem.setAttribute('onclick', 'addPreference(this)');\n";
-    echo "  listItemText = document.createTextNode('" . $choice["choice"] . "');\n";
+    echo "  listItemText = document.createTextNode('" . escape_js_var($choice["choice"]) . "');\n";
     echo "  listItem.appendChild(listItemText);\n";
     echo "  candidateList.appendChild(listItem);\n\n";
 
@@ -201,7 +210,7 @@ if ($step==2){
 
 
 if (isset ($election) && $election !== FALSE) {
-  echo "<h1>".$election["name"]."</h1>\n";
+  echo "<h1>".htmlspecialchars($election["name"])."</h1>\n";
 }
 
 if ($step >= 2) {
@@ -245,24 +254,24 @@ if (isset ($handle))
   elec_sql_close ($handle);
 
 if (isset ($error) && $error != "") {
-  echo "<div class=\"error\">".$error."</div>\n";;
+  echo "<div class=\"error\">".htmlspecialchars($error)."</div>\n";;
   echo "<p>If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at <a href=\"mailto:elections gnome org\">elections gnome org</a>.</p>\n";
 }
 
 if ($step != $max_step && $step >= 1) {
-  echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\"";
+  echo "<form action=\"".htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)."\" method=\"post\"";
   if ($step == 2) {
     echo "onsubmit=\"submitPreferences()\"";
   }
   echo ">\n";
 }
 
-echo $result;
+echo $result; // already HTML escaped
 
 if ($step != $max_step && $step >= 1) {
   if ($step > 1) {
-    echo "  <input type=\"hidden\" name=\"email\" value=\"".$email."\" />\n";
-    echo "  <input type=\"hidden\" name=\"tmp_token\" value=\"".$tmp_token."\" />\n";
+    echo "  <input type=\"hidden\" name=\"email\" value=\"". htmlspecialchars($email)."\" />\n";
+    echo "  <input type=\"hidden\" name=\"tmp_token\" value=\"".htmlspecialchars($tmp_token)."\" />\n";
   }
   if ($step > 2) {
       $index=0;
@@ -272,11 +281,11 @@ if ($step != $max_step && $step >= 1) {
         $name = "pref".$index;
         $value = "vote".$vote;
 
-        echo "  <input type=\"hidden\" name=\"".$name."\" value=\"".$value."\" />\n";
+        echo "  <input type=\"hidden\" name=\"".htmlspecialchars($name)."\" value=\"".htmlspecialchars($value)."\" />\n";
     }
   }
-  echo "  <input type=\"hidden\" name=\"election_id\" value=\"".$election_id."\" />\n";
-  echo "  <input type=\"hidden\" name=\"step\" value=\"".($step + 1)."\" />\n";
+  echo "  <input type=\"hidden\" name=\"election_id\" value=\"".htmlspecialchars($election_id)."\" />\n";
+  echo "  <input type=\"hidden\" name=\"step\" value=\"".htmlspecialchars($step + 1)."\" />\n";
   echo "  <input type=\"submit\" value=\"Continue to next step\" />\n";
   echo "</form>\n";
 }
diff --git a/foundation.gnome.org/vote/votes.wml b/foundation.gnome.org/vote/votes.wml
index 5e481f2..60e6376 100644
--- a/foundation.gnome.org/vote/votes.wml
+++ b/foundation.gnome.org/vote/votes.wml
@@ -41,7 +41,7 @@ if ($display && $election_id >= 0) {
 }
 
 if (isset ($election) && $election !== FALSE) {
-  echo "<h1>Detailed votes for the ".$election["name"]."</h1>\n";
+  echo "<h1>Detailed votes for the ".htmlspecialchars($election["name"])."</h1>\n";
 }
 
 if ($display) {
@@ -66,12 +66,12 @@ if ($display) {
     $choices_name[$choice["id"]] = $choice["choice"];
   }
 
-  echo "<p>Please look at the <a href=\"results.php?election_id=".$election_id."\">automatic results</a> to have a summary of the votes. ";
-  echo "You can also <a href=\"blt.php?election_id=".$election_id."\">download the ballots</a> in the OpenSTV .blt file format and verify the results.</p>\n";
+  echo "<p>Please look at the <a href=\"results.php?election_id=".rawurlencode($election_id)."\">automatic results</a> to have a summary of the votes. ";
+  echo "You can also <a href=\"blt.php?election_id=".rawurlencode($election_id)."\">download the ballots</a> in the OpenSTV .blt file format and verify the results.</p>\n";
 
   echo "<p>Please note that these results are automatically calculated and are thus not the official results.</p>\n";
 
-  echo "<p><strong>".$election["question"]."</strong></p>\n";
+  echo "<p><strong>".htmlspecialchars($election["question"])."</strong></p>\n";
 
   echo "<table class=\"detailedvotes\">\n<tr><th>Anonymous token</th><th>Vote(s)</th></tr>\n";
   $color = TRUE;
@@ -83,7 +83,7 @@ if ($display) {
       $class = "colorB";
 
     echo "<tr class=\"".$class."\">\n";
-    echo "<td><span class=\"token\">".$anon_token["anon_token"]."</span></td>\n";
+    echo "<td><span class=\"token\">".htmlspecialchars($anon_token["anon_token"])."</span></td>\n";
 
     echo "<td>";
 
@@ -96,9 +96,9 @@ if ($display) {
       echo "<ol>";
       foreach ($votes as $vote) {
         if (array_key_exists ($vote["choice_id"], $choices_name))
-          echo "<li><em>".$votes["preference"]." ".$choices_name[$vote["choice_id"]]."</em></li>\n";
+          echo "<li><em>".htmlspecialchars($votes["preference"])." ".htmlspecialchars($choices_name[$vote["choice_id"]])."</em></li>\n";
         else {
-          echo "<li><em>Unknown value (".$vote["choice_id"].")</em></li>\n";
+          echo "<li><em>Unknown value (".htmlspecialchars($vote["choice_id"]).")</em></li>\n";
           $error .= "There was an unkown vote for anonymous token ".$anon_token["anon_token"].": ".$vote["choice_id"]."<br />\n";
         }
       }
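Review bot: The `$error .=` line in the else branch still interpolates `$anon_token["anon_token"]` and `$vote["choice_id"]` unescaped, although the `<li>` one line above now escapes the same `choice_id`; if `$error` is meant to carry pre-escaped HTML (it already contains `<br />`), both values need `htmlspecialchars()` here too, and the `echo "<div class=\"error\">".htmlspecialchars($error)` further down in this file should then emit it raw instead of turning the `<br />` into text. Separately, `htmlspecialchars($votes["preference"])` reads the array being iterated rather than the current element; `$vote["preference"]` looks like what was meant, but confirm against the shape of `$votes`, since the commit only wrapped the existing expression. The enclosing loop and `if ($display)` block begin outside the hunk.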
@@ -114,7 +114,7 @@ if ($display) {
 }
 
 if (isset ($error) && $error != "") {
-  echo "<div class=\"error\">".$error."</div>\n";;
+  echo "<div class=\"error\">".htmlspecialchars($error)."</div>\n";;
   echo "<p>If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at <a href=\"mailto:elections gnome org\">elections gnome org</a>.</p>\n";
 }
 


