Merge branch 'stable4' of git://gitorious.org/owncloud/owncloud into stable4

apps/bookmarks/addBm.php

@@ -28,6 +28,6 @@ OCP\User::checkLoggedIn();
 OCP\App::checkAppEnabled('bookmarks');
 
 require_once('bookmarksHelper.php');
-addBookmark($_GET['url'], '', 'Read-Later');
+addBookmark($_POST['url'], '', 'Read-Later');
 
 include 'templates/addBm.php';

apps/bookmarks/ajax/addBookmark.php

@@ -31,5 +31,5 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('bookmarks');
 
 require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php');
-$id = addBookmark($_GET['url'], $_GET['title'], $_GET['tags']);
+$id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']);
 OCP\JSON::success(array('data' => $id));

apps/bookmarks/ajax/delBookmark.php

@@ -30,7 +30,7 @@ $RUNTIME_NOSETUPFS=true;
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('bookmarks');
 
-$id = $_GET['id'];
+$id = $_POST['id'];
 if (!OC_Bookmarks_Bookmarks::deleteUrl($id)){
 	OC_JSON::error();
 	exit();

apps/bookmarks/ajax/editBookmark.php

@@ -39,7 +39,7 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
 	$_ut = "UNIX_TIMESTAMP()";
 }
 
-$bookmark_id = (int)$_GET["id"];
+$bookmark_id = (int)$_POST["id"];
 
 $query = OCP\DB::prepare("
 	UPDATE *PREFIX*bookmarks
@@ -48,8 +48,8 @@ $query = OCP\DB::prepare("
 	");
 
 $params=array(
-	htmlspecialchars_decode($_GET["url"]),
-	htmlspecialchars_decode($_GET["title"]),
+	htmlspecialchars_decode($_POST["url"]),
+	htmlspecialchars_decode($_POST["title"]),
 	);
 $query->execute($params);
 
@@ -67,7 +67,7 @@ $query = OCP\DB::prepare("
 	VALUES (?, ?)
 	");
 	
-$tags = explode(' ', urldecode($_GET["tags"]));
+$tags = explode(' ', urldecode($_POST["tags"]));
 foreach ($tags as $tag) {
 	if(empty($tag)) {
 		//avoid saving blankspaces

apps/bookmarks/ajax/recordClick.php

@@ -37,7 +37,7 @@ $query = OCP\DB::prepare("
 		AND url LIKE ?
 	");
 	
-$params=array(OCP\USER::getUser(), htmlspecialchars_decode($_GET["url"]));
+$params=array(OCP\USER::getUser(), htmlspecialchars_decode($_POST["url"]));
 $bookmarks = $query->execute($params);
 
 header( "HTTP/1.1 204 No Content" );

apps/bookmarks/ajax/updateList.php

@@ -33,11 +33,11 @@ OCP\JSON::checkAppEnabled('bookmarks');
 
 
 //Filter for tag?
-$filterTag = isset($_GET['tag']) ? htmlspecialchars_decode($_GET['tag']) : false;
+$filterTag = isset($_POST['tag']) ? htmlspecialchars_decode($_POST['tag']) : false;
 
-$offset = isset($_GET['page']) ? intval($_GET['page']) * 10 : 0;
+$offset = isset($_POST['page']) ? intval($_POST['page']) * 10 : 0;
 
-$sort = isset($_GET['sort']) ? ($_GET['sort']) : 'bookmarks_sorting_recent';
+$sort = isset($_POST['sort']) ? ($_POST['sort']) : 'bookmarks_sorting_recent';
 if($sort == 'bookmarks_sorting_clicks') {
 	$sqlSortColumn = 'clickcount';
 } else {

apps/bookmarks/js/addBm.js

@@ -6,6 +6,7 @@ function addBookmark(event) {
 	var url = $('#bookmark_add_url').val();
 	var tags = $('#bookmark_add_tags').val();
 	$.ajax({
+		type: 'POST',
 		url: 'ajax/addBookmark.php',
 		data: 'url=' + encodeURI(url) + '&tags=' + encodeURI(tags),
 		success: function(data){ 

apps/bookmarks/js/bookmarks.js

@@ -20,6 +20,7 @@ function getBookmarks() {
 	}
 
 	$.ajax({
+		  type: 'POST',
 		url: OC.filePath('bookmarks', 'ajax', 'updateList.php'),
 		data: 'tag=' + encodeURIComponent($('#bookmarkFilterTag').val()) + '&page=' + bookmarks_page + '&sort=' + bookmarks_sorting,
 		success: function(bookmarks){
@@ -70,6 +71,7 @@ function addOrEditBookmark(event) {
 	}
 	if (id == 0) {
 		$.ajax({
+			type: 'POST',
 			url: OC.filePath('bookmarks', 'ajax', 'addBookmark.php'),
 			data: 'url=' + encodeURIComponent(url) + '&title=' + encodeURIComponent(title) + '&tags=' + encodeURIComponent(tags),
 			success: function(response){
@@ -82,6 +84,7 @@ function addOrEditBookmark(event) {
 	}
 	else {
 		$.ajax({
+			type: 'POST',
 			url: OC.filePath('bookmarks', 'ajax', 'editBookmark.php'),
 			data: 'id=' + id + '&url=' + encodeURIComponent(url) + '&title=' + encodeURIComponent(title) + '&tags=' + encodeURIComponent(tags),
 			success: function(){
@@ -99,6 +102,7 @@ function addOrEditBookmark(event) {
 function delBookmark(event) {
 	var record = $(this).parent().parent();
 	$.ajax({
+		type: 'POST',
 		url: OC.filePath('bookmarks', 'ajax', 'delBookmark.php'),
 		data: 'id=' + record.data('id'),
 		success: function(data){
@@ -177,6 +181,7 @@ function updateOnBottom() {
 
 function recordClick(event) {
 	$.ajax({
+		type: 'POST',
 		url: OC.filePath('bookmarks', 'ajax', 'recordClick.php'),
 		data: 'url=' + encodeURIComponent($(this).attr('href')),
 	});

apps/bookmarks/js/bookmarksearch.js

@@ -16,6 +16,7 @@ function recordClick(event) {
 	var jsFileLocation = $('script[src*=bookmarksearch]').attr('src');
 	jsFileLocation = jsFileLocation.replace('js/bookmarksearch.js', '');
 	$.ajax({
+		type: 'POST',
 		url: jsFileLocation + 'ajax/recordClick.php',
 		data: 'url=' + encodeURI($(this).attr('href')),
 	});	

apps/gallery/lib/tiles.php

@@ -141,7 +141,7 @@ class TileStack extends TileBase {
 	}
 
 	public function get() {
-		$r = '<div class="title gallery_div">'.$this->stack_name.'</div>';
+		$r = '<div class="title gallery_div">'.htmlentities($this->stack_name).'</div>';
 		for ($i = 0; $i < count($this->tiles_array); $i++) {
 			$top = rand(-5, 5);
 			$left = rand(-5, 5);
@@ -168,7 +168,7 @@ class TileStack extends TileBase {
 	}
 	
 	public function getOnClickAction() {
-		return 'javascript:openNewGal(\''.$this->stack_name.'\');';
+		return 'javascript:openNewGal(\''.htmlentities($this->stack_name).'\');';
 	}
 
 	private $tiles_array;

apps/gallery/templates/index.php

@@ -14,7 +14,7 @@ div.visible { opacity: 0.8;}
 </style>
 <script type="text/javascript">
 
-var root = "<?php echo $root; ?>";
+var root = "<?php echo htmlentities($root); ?>";
 
 function explode(element) {
 	$('div', element).each(function(index, elem) {

apps/user_ldap/settings.php

@@ -47,7 +47,7 @@ if ($_POST) {
 // fill template
 $tmpl = new OCP\Template( 'user_ldap', 'settings');
 foreach($params as $param){
-		$value = OCP\Config::getAppValue('user_ldap', $param,'');
+		$value = htmlentities(OCP\Config::getAppValue('user_ldap', $param,''));
 		$tmpl->assign($param, $value);
 }
 

apps/user_openid/settings.php

@@ -2,7 +2,7 @@
 
 $tmpl = new OCP\Template( 'user_openid', 'settings');
 $identity=OCP\Config::getUserValue(OCP\USER::getUser(),'user_openid','identity','');
-$tmpl->assign('identity',$identity);
+$tmpl->assign('identity',htmlentities($identity));
 
 OCP\Util::addscript('user_openid','settings');