diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 1408e840f2..2319334c58 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -1699,5 +1699,7 @@ $(document).ready(function(){ } $('#contacts_propertymenu_dropdown a').click(propertyMenuItem); $('#contacts_propertymenu_dropdown a').keydown(propertyMenuItem); + + Contacts.UI.loadHandlers(); + Contacts.UI.Contacts.update(); }); -Contacts.UI.Contacts.update(); diff --git a/apps/files_archive/lib/storage.php b/apps/files_archive/lib/storage.php index 8676166361..2f10d6a3e4 100644 --- a/apps/files_archive/lib/storage.php +++ b/apps/files_archive/lib/storage.php @@ -49,6 +49,7 @@ class OC_Filestorage_Archive extends OC_Filestorage_Common{ OC_FakeDirStream::$dirs[$id]=$content; return opendir('fakedir://'.$id); } + public function readdir($path){} public function stat($path){ $ctime=filectime($this->path); $path=$this->stripPath($path); diff --git a/apps/files_sharing/sharedstorage.php b/apps/files_sharing/sharedstorage.php index 1a6942ad16..9174334383 100644 --- a/apps/files_sharing/sharedstorage.php +++ b/apps/files_sharing/sharedstorage.php @@ -139,6 +139,8 @@ class OC_Filestorage_Shared extends OC_Filestorage { } } + public function readdir( $path ) {} + public function is_dir($path) { if ($path == "" || $path == "/") { return true; diff --git a/apps/files_versions/versions.php b/apps/files_versions/versions.php index 44ce7c635a..6feb0cbb9c 100644 --- a/apps/files_versions/versions.php +++ b/apps/files_versions/versions.php 
@@ -303,66 +303,88 @@ class Storage { */ public static function expireAll() { - function deleteAll($directory, $empty = false) { + function deleteAll( $directory, $empty = false ) { - if(substr($directory,-1) == "/") { - $directory = substr($directory,0,-1); + // strip leading slash + if( substr( $directory, 0, 1 ) == "/" ) { + + $directory = substr( $directory, 1 ); + + } + + // strip trailing slash + if( substr( $directory, -1) == "/" ) { + + $directory = substr( $directory, 0, -1 ); + } - if(!file_exists($directory) || !is_dir($directory)) { + $view = new \OC_FilesystemView(''); + + if ( !$view->file_exists( $directory ) || !$view->is_dir( $directory ) ) { return false; - } elseif(!is_readable($directory)) { + } elseif( !$view->is_readable( $directory ) ) { return false; } else { - $directoryHandle = opendir($directory); - - while ($contents = readdir($directoryHandle)) { + $foldername = \OCP\Config::getSystemValue('datadirectory') .'/' . \OCP\USER::getUser() .'/' . $directory; // have to set an absolute path for use with PHP's opendir as OC version doesn't work - if( $contents != '.' && $contents != '..') { + $directoryHandle = opendir( $foldername ); + + while ( $contents = $view->readdir( $directoryHandle ) ) { + + if ( $contents != '.' && $contents != '..') { $path = $directory . "/" . $contents; - if( is_dir($path) ) { + if ( $view->is_dir( $path ) ) { - deleteAll($path); + deleteAll( $path ); } else { - - unlink($path); + + $view->unlink( \OCP\USER::getUser() .'/' . 
$path ); // TODO: make unlink use same system path as is_dir } } } - closedir( $directoryHandle ); + //$view->closedir( $directoryHandle ); // TODO: implement closedir in OC_FSV - if( $empty == false ) { + if ( $empty == false ) { - if(!rmdir($directory)) { + if ( !$view->rmdir( $directory ) ) { return false; } - } + } return true; } } - - /* - // FIXME: make this path dynamic - $dir = '/home/samtuke/owncloud/git/oc5/data/admin/versions'; + + $dir = \OCP\Config::getSystemValue('files_versionsfolder', Storage::DEFAULTFOLDER); + + deleteAll( $dir, true ); - ( deleteAll( $dir, 1 ) ? return true : return false ); - */ +// if ( deleteAll( $dir, 1 ) ) { +// +// echo "

deleted ok

"; +// +// } else { +// +// echo "

not deleted

"; +// +// } + } diff --git a/apps/media/js/collection.js b/apps/media/js/collection.js index 03d577c7c9..161fc0c681 100644 --- a/apps/media/js/collection.js +++ b/apps/media/js/collection.js @@ -97,13 +97,13 @@ Collection={ if(artist.name && artist.songs.length>0){ var tr=template.clone().removeClass('template'); if(artist.songs.length>1){ - tr.find('td.title a').text(artist.songs.length+' '+t('media','songs')); - tr.find('td.album a').text(artist.albums.length+' '+t('media','albums')); + tr.find('td.title a').html(artist.songs.length+' '+t('media','songs')); + tr.find('td.album a').html(artist.albums.length+' '+t('media','albums')); }else{ - tr.find('td.title a').text(artist.songs[0].name); - tr.find('td.album a').text(artist.albums[0].name); + tr.find('td.title a').html(artist.songs[0].name); + tr.find('td.album a').html(artist.albums[0].name); } - tr.find('td.artist a').text(artist.name); + tr.find('td.artist a').html(artist.name); tr.data('artistData',artist); tr.find('td.artist a').click(function(event){ event.preventDefault(); diff --git a/apps/media/lib_scanner.php b/apps/media/lib_scanner.php index 82170e5ca8..a8218c3a4d 100644 --- a/apps/media/lib_scanner.php +++ b/apps/media/lib_scanner.php 
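Review bot: The directory walk in deleteAll stops early on any entry literally named "0", because `while ( $contents = $view->readdir( $directoryHandle ) )` treats that string as false; use `while ( ($contents = $view->readdir( $directoryHandle )) !== false ) {`. With `closedir` commented out, the handle opened on `$foldername` is never released, so each expireAll run leaks one handle per directory visited. The existence and readability checks address `$directory` through the root view while the unlink addresses `\OCP\USER::getUser() .'/' . $path`, so the tree that is checked and the tree that is deleted are resolved under different roots, as the inline TODO admits; resolving one path and using it for both is the safer shape. deleteAll is still declared as a nested function inside expireAll, so a second call to expireAll in the same request fails with a redeclaration error, and the return value of `deleteAll( $dir, true )` is discarded; a private static method returning its result would fix both.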
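Review bot: Switching these cells from `.text()` to `.html()` turns artist, album and song names into an HTML sink in the browser, and the companion change in apps/media/lib_scanner.php only entity-encodes tags at scan time; any name stored before this change (which went through strip_tags, not htmlentities) or any value that reaches this JSON without passing sanitizeHTML is now rendered as markup, assuming the stored tags are served here unchanged. Encoding once at the output sink is the more robust layout: keep `.text()` here and leave the names unencoded in the JSON, rather than encoding in the scanner and decoding in the page. Entity-encoding at storage time also double-escapes the tags for any other consumer that escapes at display time. The enclosing function starts and ends outside the hunk.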
@@ -79,19 +79,19 @@ class OC_MEDIA_SCANNER{ OCP\Util::writeLog('media',"error reading artist tag in '$file'",OCP\Util::WARN); $artist='unknown'; }else{ - $artist=strip_tags(stripslashes($data['comments']['artist'][0])); + $artist=OCP\Util::sanitizeHTML(stripslashes($data['comments']['artist'][0])); } if(!isset($data['comments']['album'])){ OCP\Util::writeLog('media',"error reading album tag in '$file'",OCP\Util::WARN); $album='unknown'; }else{ - $album=strip_tags(stripslashes($data['comments']['album'][0])); + $album=OCP\Util::sanitizeHTML(stripslashes($data['comments']['album'][0])); } if(!isset($data['comments']['title'])){ OCP\Util::writeLog('media',"error reading title tag in '$file'",OCP\Util::WARN); $title='unknown'; }else{ - $title=strip_tags(stripslashes($data['comments']['title'][0])); + $title=OCP\Util::sanitizeHTML(stripslashes($data['comments']['title'][0])); } $size=$data['filesize']; if (isset($data['comments']['track'])) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 78bc5b4656..a3117b5a41 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -166,7 +166,9 @@ class OC_GROUP_LDAP extends OC_Group_Backend { $result[] = OC_LDAP::dn2username($ldap_users[0]); continue; } else { - $result[] = OC_LDAP::dn2username($member); + if($ocname = OC_LDAP::dn2username($member)){ + $result[] = $ocname; + } } } if(!$isMemberUid) { diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php index befdf267bc..aa104eb512 100644 --- a/apps/user_ldap/lib_ldap.php +++ b/apps/user_ldap/lib_ldap.php 
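Review bot: `if($ocname = OC_LDAP::dn2username($member))` also drops a member whose ownCloud name is "0" or empty, since it tests truthiness rather than the `false` that dn2username now returns for a DN outside the search base; write `if(($ocname = OC_LDAP::dn2username($member)) !== false)`. The sibling branch a few lines above still does `$result[] = OC_LDAP::dn2username($ldap_users[0]);` without the check, so a `false` can be pushed into the member list from that path. A short comment, `// DNs outside the configured user base are not ownCloud users and are skipped`, would record why the result is discarded.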
@@ -166,11 +166,14 @@ class OC_LDAP { * @brief returns the internal ownCloud name for the given LDAP DN of the group * @param $dn the dn of the group object * @param $ldapname optional, the display name of the object - * @returns string with with the name to use in ownCloud + * @returns string with with the name to use in ownCloud, false on DN outside of search DN * * returns the internal ownCloud name for the given LDAP DN of the group */ static public function dn2groupname($dn, $ldapname = null) { + if(strrpos($dn, self::$ldapBaseGroups) !== (strlen($dn)-strlen(self::$ldapBaseGroups))) { + return false; + } return self::dn2ocname($dn, $ldapname, false); } @@ -180,9 +183,12 @@ class OC_LDAP { * @param $ldapname optional, the display name of the object * @returns string with with the name to use in ownCloud * - * returns the internal ownCloud name for the given LDAP DN of the user + * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN */ static public function dn2username($dn, $ldapname = null) { + if(strrpos($dn, self::$ldapBaseUsers) !== (strlen($dn)-strlen(self::$ldapBaseUsers))) { + return false; + } return self::dn2ocname($dn, $ldapname, true); } diff --git a/index.php b/index.php index 1171c0fe0c..e3c94adf66 100755 --- a/index.php +++ b/index.php @@ -122,7 +122,7 @@ elseif(OC_User::isLoggedIn()) { if(!array_key_exists('sectoken', $_SESSION) || (array_key_exists('sectoken', $_SESSION) && is_null(OC::$REQUESTEDFILE)) || substr(OC::$REQUESTEDFILE, -3) == 'php'){ $sectoken=rand(1000000,9999999); $_SESSION['sectoken']=$sectoken; - $redirect_url = (isset($_REQUEST['redirect_url'])) ? strip_tags($_REQUEST['redirect_url']) : $_SERVER['REQUEST_URI']; + $redirect_url = (isset($_REQUEST['redirect_url'])) ? OC_Util::sanitizeHTML($_REQUEST['redirect_url']) : $_SERVER['REQUEST_URI']; OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => $redirect_url)); } } 
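Review bot: The new suffix check in dn2groupname, and the identical one in dn2username in the next hunk, compares DNs with `strrpos`, which is case- and whitespace-sensitive, while directories return DNs in whatever case and spacing they store (`OU=Users,DC=example,DC=com` against a configured `ou=users,dc=example,dc=com`), so valid members can be rejected wholesale; normalise both sides first, e.g. `strtolower` on `$dn` and on the base, or use `strripos`. The check accepts any DN whose string merely ends with the base; requiring the DN to equal the base or to have a comma immediately before the match tightens it, and full DN normalisation would be needed to handle escaped commas in RDN values. If the configured base is empty, `strrpos` with an empty needle returns false on PHP 5, so every DN is rejected; an explicit guard would make that failure visible. A one-line comment, `// only DNs below the configured base map to ownCloud names`, would document the intent.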
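Review bot: HTML-encoding `$_REQUEST['redirect_url']` protects the login template but not the redirect itself: if this value is later used as the post-login Location, an absolute URL pointing at another host passes unchanged, so the check that matters is that the value is a local path, e.g. reject anything containing `://` or beginning with `//` before it is assigned. Whether the redirect is actually performed on this value cannot be confirmed from the hunk. The value also goes through `printGuestPage`, whose `assign` sanitizes by default, so a `&` in the query string is likely encoded twice; hedged, since printGuestPage is outside the hunk.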
diff --git a/lib/base.php b/lib/base.php index db55504117..6e209afebd 100644 --- a/lib/base.php +++ b/lib/base.php @@ -42,10 +42,6 @@ class OC{ * the owncloud root path for http requests (e.g. owncloud/) */ public static $WEBROOT = ''; - /** - * the folder that stores that data files for the filesystem of the user (e.g. /srv/http/owncloud/data/myusername/files) - */ - public static $CONFIG_DATADIRECTORY = ''; /** * The installation path of the 3rdparty folder on the server (e.g. /srv/http/owncloud/3rdparty) */ @@ -349,19 +345,11 @@ class OC{ exit; } - // TODO: we should get rid of this one, too - // WARNING: to make everything even more confusing, - // DATADIRECTORY is a var that changes and DATADIRECTORY_ROOT - // stays the same, but is set by "datadirectory". - // Any questions? - OC::$CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - // User and Groups if( !OC_Config::getValue( "installed", false )){ $_SESSION['user_id'] = ''; } - OC_User::useBackend( OC_Config::getValue( "userbackend", "database" )); OC_Group::useBackend(new OC_Group_Database()); diff --git a/lib/filecache/cached.php b/lib/filecache/cached.php index a22adad452..17a792a23d 100644 --- a/lib/filecache/cached.php +++ b/lib/filecache/cached.php @@ -55,6 +55,9 @@ class OC_FileCache_Cached{ $root=OC_Filesystem::getRoot(); } $parent=OC_FileCache::getId($path,$root); + if($parent==-1){ + return array(); + } $query=OC_DB::prepare('SELECT path,name,ctime,mtime,mimetype,size,encrypted,versioned,writable FROM *PREFIX*fscache WHERE parent=? AND (mimetype LIKE ? OR mimetype = ?)'); $result=$query->execute(array($parent, $mimetype_filter.'%', 'httpd/unix-directory'))->fetchAll(); if(is_array($result)){ diff --git a/lib/files.php b/lib/files.php index 3ecf08739b..469c3a15b8 100644 --- a/lib/files.php +++ b/lib/files.php 
@@ -30,12 +30,9 @@ class OC_Files { /** * get the content of a directory - * @param dir $directory + * @param dir $directory path under datadirectory */ public static function getDirectoryContent($directory, $mimetype_filter = ''){ - if(strpos($directory,OC::$CONFIG_DATADIRECTORY)===0){ - $directory=substr($directory,strlen(OC::$CONFIG_DATADIRECTORY)); - } $files=OC_FileCache::getFolderContent($directory, false, $mimetype_filter); foreach($files as &$file){ $file['directory']=$directory; diff --git a/lib/filestorage.php b/lib/filestorage.php index 71ef4aed00..bf353bb0cc 100644 --- a/lib/filestorage.php +++ b/lib/filestorage.php @@ -28,6 +28,7 @@ abstract class OC_Filestorage{ abstract public function mkdir($path); abstract public function rmdir($path); abstract public function opendir($path); + abstract public function readdir($path); abstract public function is_dir($path); abstract public function is_file($path); abstract public function stat($path); diff --git a/lib/filestorage/local.php b/lib/filestorage/local.php index 44a2ab0f63..27794fe17c 100644 --- a/lib/filestorage/local.php +++ b/lib/filestorage/local.php @@ -20,6 +20,9 @@ class OC_Filestorage_Local extends OC_Filestorage{ public function opendir($path){ return opendir($this->datadir.$path); } + public function readdir($handle){ + return readdir($handle); + } public function is_dir($path){ if(substr($path,-1)=='/'){ $path=substr($path,0,-1); diff --git a/lib/filesystem.php b/lib/filesystem.php index 89de533d72..0d0943d363 100644 --- a/lib/filesystem.php +++ b/lib/filesystem.php @@ -399,6 +399,9 @@ class OC_Filesystem{ static public function opendir($path){ return self::$defaultInstance->opendir($path); } + static public function readdir($path){ + return self::$defaultInstance->readdir($path); + } static public function is_dir($path){ return self::$defaultInstance->is_dir($path); } diff --git a/lib/filesystemview.php b/lib/filesystemview.php index 813a87cd74..da622bcf92 100644 --- a/lib/filesystemview.php 
+++ b/lib/filesystemview.php @@ -158,6 +158,10 @@ class OC_FilesystemView { public function opendir($path){ return $this->basicOperation('opendir',$path,array('read')); } + public function readdir($handle){ + $fsLocal= new OC_Filestorage_Local( array( 'datadir' => '/' ) ); + return $fsLocal->readdir( $handle ); + } public function is_dir($path){ if($path=='/'){ return true; diff --git a/lib/public/util.php b/lib/public/util.php index d79d3f26b1..7c0cb66607 100644 --- a/lib/public/util.php +++ b/lib/public/util.php @@ -264,6 +264,18 @@ class Util { public static function callCheck(){ return(\OC_Util::callCheck()); } + + /** + * @brief Used to sanitize HTML + * + * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page. + * + * @param string or array of strings + * @return array with sanitized strings or a single sinitized string, depends on the input parameter. + */ + public static function sanitizeHTML( $value ){ + return(\OC_Util::sanitizeHTML($value)); //Specify encoding for PHP<5.4 + } } ?> diff --git a/lib/template.php b/lib/template.php index 77e9332d5b..8fb0133b28 100644 --- a/lib/template.php +++ b/lib/template.php @@ -308,28 +308,11 @@ class OC_Template{ * If the key existed before, it will be overwritten */ public function assign( $key, $value, $sanitizeHTML=true ){ - if($sanitizeHTML == true) { - if(is_array($value)) { - array_walk_recursive($value,'OC_Template::sanitizeHTML'); - } else { - $value = OC_Template::sanitizeHTML($value); - } - } + if($sanitizeHTML == true) $value=OC_Util::sanitizeHTML($value); $this->vars[$key] = $value; return true; } - - /** - * @brief Internaly used to sanitze HTML - * - * This function is internally used to sanitize HTML. - */ - private static function sanitizeHTML( &$value ){ - $value = htmlentities( $value , ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 - return $value; - } - /** * @brief Appends a variable * @param $key key 
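Review bot: `readdir($handle)` in OC_FilesystemView never dispatches to the mounted storage: it builds a throwaway `OC_Filestorage_Local` rooted at `/` and reads the raw handle, so the new abstract `readdir` in lib/filestorage.php is only ever reached for local storage, and the empty stubs added to apps/files_archive and apps/files_sharing return null, which ends any `while ($entry = ...->readdir(...))` loop on the first call. The parameter is named `$path` in the abstract declaration and in OC_Filesystem::readdir but `$handle` here and in OC_Filestorage_Local, which misstates the contract; rename them to `$handle` and document it: `/** Reads the next entry from a handle returned by opendir(); false when exhausted */`. If the view is meant to wrap storage handles, routing through `basicOperation` like `opendir` keeps proxies and checks on one path; hedged, since basicOperation is outside the hunk.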
diff --git a/lib/user.php b/lib/user.php index f1903093d6..23b88aa1d0 100644 --- a/lib/user.php +++ b/lib/user.php @@ -240,13 +240,17 @@ class OC_User { * Checks if the user is logged in */ public static function isLoggedIn(){ + static $is_login_checked = null; + if (!is_null($is_login_checked)) { + return $is_login_checked; + } if( isset($_SESSION['user_id']) AND $_SESSION['user_id']) { OC_App::loadApps(array('authentication')); if (self::userExists($_SESSION['user_id']) ){ - return true; + return $is_login_checked = true; } } - return false; + return $is_login_checked = false; } /** diff --git a/lib/util.php b/lib/util.php index 0266a8ecc5..5492587862 100755 --- a/lib/util.php +++ b/lib/util.php 
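Review bot: The new `static $is_login_checked` memoises the first answer for the whole request, so any code that logs the user in or out after the first call to isLoggedIn() gets a stale result: a logout followed by a check in the same request still reports the user as logged in, and a login in the same request still reports false. If the cache is kept, login and logout must reset it; a small static method that sets it back to null, called from those paths, would do, and a comment such as `// per-request memo; must be reset whenever the session user changes` should state the invariant. Whether login and logout live in this class and consult isLoggedIn is not visible in the hunk.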
@@ -19,50 +19,21 @@ class OC_Util { return false; } - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); - - // Check if config folder is writable. - if(!is_writable(OC::$SERVERROOT."/config/")) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"))); - $tmpl->printPage(); - exit; - } - - // Check if apps folder is writable. - if(OC_Config::getValue('writable_appsdir', true) && !is_writable(OC::$SERVERROOT."/apps/")) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't write into apps directory 'apps'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"))); - $tmpl->printPage(); - exit; - } - - // Create root dir. 
- if(!is_dir($CONFIG_DATADIRECTORY_ROOT)){ - $success=@mkdir($CONFIG_DATADIRECTORY_ROOT); - if(!$success) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY_ROOT.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "))); - $tmpl->printPage(); - exit; - } - } - // If we are not forced to load a specific user we load the one that is logged in if( $user == "" && OC_User::isLoggedIn()){ $user = OC_User::getUser(); } + $CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //first set up the local "root" storage if(!self::$rootMounted){ - OC_Filesystem::mount('OC_Filestorage_Local',array('datadir'=>$CONFIG_DATADIRECTORY_ROOT),'/'); + OC_Filesystem::mount('OC_Filestorage_Local',array('datadir'=>$CONFIG_DATADIRECTORY),'/'); self::$rootMounted=true; } if( $user != "" ){ //if we aren't logged in, there is no use to set up the filesystem - OC::$CONFIG_DATADIRECTORY = $CONFIG_DATADIRECTORY_ROOT."/$user/$root"; - if( !is_dir( OC::$CONFIG_DATADIRECTORY )){ - mkdir( OC::$CONFIG_DATADIRECTORY, 0755, true ); + $userdirectory = $CONFIG_DATADIRECTORY."/$user/$root"; + if( !is_dir( $userdirectory )){ + mkdir( $userdirectory, 0755, true ); } //jail the user into his "home" directory 
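Review bot: `mkdir( $userdirectory, 0755, true )` creates the per-user data tree readable by other local users, while checkServer in the same file insists the data directory be 0770 and reports it as readable by others otherwise; the two should agree, `mkdir( $userdirectory, 0770, true );`. With the config, apps and root-data-directory checks moved out of this function, setupFS now mounts `OC_Filestorage_Local` on `$CONFIG_DATADIRECTORY` even when that directory does not exist, which is only safe if checkServer always runs first; the hunk does not show that ordering. The function starts outside the hunk.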
@@ -71,8 +42,8 @@ class OC_Util { OC_FileProxy::register($quotaProxy); self::$fsSetup=true; // Load personal mount config - if (is_file($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php')) { - $mountConfig = include($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php'); + if (is_file($CONFIG_DATADIRECTORY.'/'.$user.'/mount.php')) { + $mountConfig = include($CONFIG_DATADIRECTORY.'/'.$user.'/mount.php'); if (isset($mountConfig['user'][$user])) { foreach ($mountConfig['user'][$user] as $mountPoint => $options) { OC_Filesystem::mount($options['class'], $options['options'], $mountPoint); @@ -209,9 +180,6 @@ class OC_Util { * @return array arrays with error messages and hints */ public static function checkServer(){ - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); - $CONFIG_INSTALLED = OC_Config::getValue( "installed", false ); $errors=array(); //check for database drivers 
@@ -224,19 +192,31 @@ class OC_Util { //common hint for all file permissons error messages $permissionsHint="Permissions can usually be fixed by giving the webserver write access to the ownCloud directory"; + // Check if config folder is writable. + if(!is_writable(OC::$SERVERROOT."/config/")) { + $errors[]=array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"); + } + + // Check if apps folder is writable. + if(OC_Config::getValue('writable_appsdir', true) && !is_writable(OC::$SERVERROOT."/apps/")) { + $errors[]=array('error'=>"Can't write into apps directory 'apps'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"); + } + + $CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //check for correct file permissions if(!stristr(PHP_OS, 'WIN')){ $permissionsModHint="Please change the permissions to 0770 so that the directory cannot be listed by other users."; - $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY_ROOT)),-3); + $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY)),-3); if(substr($prems,-1)!='0'){ - OC_Helper::chmodr($CONFIG_DATADIRECTORY_ROOT,0770); + OC_Helper::chmodr($CONFIG_DATADIRECTORY,0770); clearstatcache(); - $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY_ROOT)),-3); + $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY)),-3); if(substr($prems,2,1)!='0'){ - $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY_ROOT.') is readable for other users
','hint'=>$permissionsModHint); + $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY.') is readable for other users
','hint'=>$permissionsModHint); } } if( OC_Config::getValue( "enablebackup", false )){ + $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); $prems=substr(decoct(@fileperms($CONFIG_BACKUPDIRECTORY)),-3); if(substr($prems,-1)!='0'){ OC_Helper::chmodr($CONFIG_BACKUPDIRECTORY,0770); @@ -250,8 +230,14 @@ class OC_Util { }else{ //TODO: permissions checks for windows hosts } - if(is_dir($CONFIG_DATADIRECTORY_ROOT) and !is_writable($CONFIG_DATADIRECTORY_ROOT)){ - $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY_ROOT.') not writable by ownCloud
','hint'=>$permissionsHint); + // Create root dir. + if(!is_dir($CONFIG_DATADIRECTORY)){ + $success=@mkdir($CONFIG_DATADIRECTORY); + if(!$success) { + $errors[]=array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "); + } + } else if(!is_writable($CONFIG_DATADIRECTORY)){ + $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY.') not writable by ownCloud
','hint'=>$permissionsHint); } // check if all required php modules are present @@ -370,7 +356,7 @@ class OC_Util { $_SESSION['requesttoken-'.$token]=time(); // cleanup old tokens garbage collector - // only run every 20th time so we donīt waste cpu cycles + // only run every 20th time so we don't waste cpu cycles if(rand(0,20)==0) { foreach($_SESSION as $key=>$value) { // search all tokens in the session @@ -426,4 +412,19 @@ class OC_Util { exit; } } + + /** + * @brief Public function to sanitize HTML + * + * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page. + * + * @param string or array of strings + * @return array with sanitized strings or a single sinitized string, depends on the input parameter. + */ + public static function sanitizeHTML( &$value ){ + if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML'); + else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 + return $value; + } + } diff --git a/settings/admin.php b/settings/admin.php index 4cbd67c367..a997bad4e3 100644 --- a/settings/admin.php +++ b/settings/admin.php @@ -23,7 +23,7 @@ function compareEntries($a,$b){ usort($entries, 'compareEntries'); $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 )); -$tmpl->assign('entries',$entries,false); +$tmpl->assign('entries',$entries); $tmpl->assign('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); diff --git a/settings/ajax/getlog.php b/settings/ajax/getlog.php index ed48b2cae1..d9e80de37b 100644 --- a/settings/ajax/getlog.php +++ b/settings/ajax/getlog.php @@ -14,4 +14,4 @@ $count=(isset($_GET['count']))?$_GET['count']:50; $offset=(isset($_GET['offset']))?$_GET['offset']:0; $entries=OC_Log_Owncloud::getEntries($count,$offset); -OC_JSON::success(array("data" => $entries)); +OC_JSON::success(array("data" => OC_Util::sanitizeHTML($entries))); 
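Review bot: The data directory is now created at the end of checkServer, after the permission check earlier in the same function has already run, so a freshly created directory keeps `@mkdir($CONFIG_DATADIRECTORY)`'s default mode (0777 masked by umask, commonly 0755) and the 0770 enforcement only takes effect on the next request; pass the mode explicitly, `$success=@mkdir($CONFIG_DATADIRECTORY, 0770);`, or move the creation above the permission check. The `is_writable` branch is otherwise equivalent to the removed one.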
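Review bot: `htmlentities($value, ENT_QUOTES, 'UTF-8')` returns an empty string when `$value` is not valid UTF-8, so sanitizeHTML silently blanks such input (log lines and ID3 tags are common sources) rather than escaping it; on PHP 5.4+ add `ENT_SUBSTITUTE`, e.g. `htmlentities($value, ENT_QUOTES | (defined('ENT_SUBSTITUTE') ? ENT_SUBSTITUTE : 0), 'UTF-8')`. The function also casts every non-string scalar it visits, so integers, floats and booleans inside walked arrays come back as strings and `false` as `""`, which changes the JSON shape for callers passing structured data such as settings/ajax/getlog.php. The `is_object` branch hands an object to array_walk_recursive, which expects an array; hedged, as the PHP version in use is not visible. The docblock's `@param` lacks a name, "sinitized" is a typo, and the trailing `//Specify encoding for PHP<5.4` was copied onto the wrapper in lib/public/util.php where it no longer describes anything.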
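Review bot: The entries returned here are now HTML-entity encoded inside a JSON response, but the consumer in settings/js/log.js renders `entry.message` with jQuery `.text()`, which does not decode entities, so a message containing `<`, `>` or `&` is displayed as `&lt;`, `&gt;`, `&amp;` literally. JSON is not an HTML context; keeping `.text()` on the client and dropping the server-side encoding here, `OC_JSON::success(array("data" => $entries));`, gives correct display without introducing an HTML sink. The same encode-then-`.text()` mismatch applies to every other field of the entries the script prints.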
diff --git a/settings/js/log.js b/settings/js/log.js index bde8b8b104..6063c7d9a9 100644 --- a/settings/js/log.js +++ b/settings/js/log.js @@ -39,7 +39,7 @@ OC.Log={ row.append(appTd); var messageTd=$(''); - messageTd.text(entry.message.replace(//, ">")); + messageTd.text(entry.message); row.append(messageTd); var timeTd=$('');