From: <ste...@us...> - 2011-07-18 02:20:24
Revision: 9288 http://supertuxkart.svn.sourceforge.net/supertuxkart/?rev=9288&view=rev Author: stephenjust Date: 2011-07-18 02:20:15 +0000 (Mon, 18 Jul 2011) Log Message: ----------- [stkaddons] Protect against XSS attacks by naughty translators (Bug #324) Modified Paths: -------------- stkaddons/trunk/addons-panel.php stkaddons/trunk/addons.php stkaddons/trunk/createAccount.php stkaddons/trunk/disabled.php stkaddons/trunk/include/allow.php stkaddons/trunk/include/coreAddon.php stkaddons/trunk/include/coreUser.php stkaddons/trunk/include/mail.php stkaddons/trunk/include/menu.php stkaddons/trunk/include/parseUpload.php stkaddons/trunk/include/security.php stkaddons/trunk/include/top.php stkaddons/trunk/include/xmlWrite.php stkaddons/trunk/index.php stkaddons/trunk/login.php stkaddons/trunk/manage-panel.php stkaddons/trunk/manage.php stkaddons/trunk/upload.php stkaddons/trunk/users.php Modified: stkaddons/trunk/addons-panel.php =================================================================== --- stkaddons/trunk/addons-panel.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/addons-panel.php 2011-07-18 02:20:15 UTC (rev 9288) 
@@ -41,11 +41,11 @@ $type = (isset($_GET['type']))? $_GET['type'] : NULL; if ($type != 'tracks' && $type != 'karts' && $type != 'users') - die(_('This page cannot be loaded because an invalid add-on type was provided.')); + die(htmlspecialchars(_('This page cannot be loaded because an invalid add-on type was provided.'))); if (!isset($_GET['action'])) $_GET['action'] = NULL; $action = $_GET['action']; if ($action != NULL && $action != 'file' && $action != 'remove' && $action != 'approve') - die(_('This page cannot be loaded because an invalid action was provided.')); + die(htmlspecialchars(_('This page cannot be loaded because an invalid action was provided.'))); if(isset($_GET['id'])) { Modified: stkaddons/trunk/addons.php =================================================================== --- stkaddons/trunk/addons.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/addons.php 2011-07-18 02:20:15 UTC (rev 9288) @@ -72,7 +72,7 @@ $edit_addon->selectById($_GET['name']); if ($edit_addon->setInformation('description',$_POST['description']) && $edit_addon->setInformation('designer',$_POST['designer'])) - echo _('Saved properties.').'<br />'; + echo htmlspecialchars(_('Saved properties.')).'<br />'; break; case 'rev': parseUpload($_FILES['file_addon'],true); 
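Review bot: The two `die(htmlspecialchars(_('…')))` lines here, and the same hand-applied wrapping repeated across every file in this commit, leave escaping to be remembered at each call site, which is exactly how one paragraph in createAccount.php (see that hunk) stayed unwrapped. A helper that fuses translation and escaping would make the safe form the short one, e.g. `function _h($msgid) { return htmlspecialchars(_($msgid), ENT_QUOTES, 'UTF-8'); }` in include/security.php (listed as modified but not shown here). It would also pin two things the bare `htmlspecialchars()` used throughout leaves to defaults: single quotes are not encoded, and on PHP before 5.4 the assumed charset is ISO-8859-1, so behaviour can differ by PHP version if the translation catalogs are UTF-8. Note that `die()` here emits the message before any HTML context has necessarily been written, so in this particular spot the escaping is harmless but mostly cosmetic.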
@@ -81,30 +81,30 @@ if (!isset($_GET['type']) || !isset($_GET['name']) || !isset($_POST['fields'])) break; if (update_status($_GET['type'],$_GET['name'],$_POST['fields'])) - echo _('Saved status.').'<br />'; + echo htmlspecialchars(_('Saved status.')).'<br />'; break; case 'notes': if (!isset($_GET['type']) || !isset($_GET['name']) || !isset($_POST['fields'])) break; if (update_addon_notes($_GET['type'],$_GET['name'],$_POST['fields'])) - echo _('Saved notes.').'<br />'; + echo htmlspecialchars(_('Saved notes.')).'<br />'; break; case 'delete': $edit_addon = new coreAddon($_GET['type']); $edit_addon->selectById($_GET['name']); if ($edit_addon->remove()) - echo _('Deleted addon.').'<br />'; + echo htmlspecialchars(_('Deleted addon.')).'<br />'; break; case 'approve': case 'unapprove': if (approve_file((int)$_GET['id'],$_GET['save'])) - echo _('File updated.').'<br />'; + echo htmlspecialchars(_('File updated.')).'<br />'; break; case 'setimage': $edit_addon = new coreAddon($_GET['type']); $edit_addon->selectById($_GET['name']); if ($edit_addon->set_image((int)$_GET['id'])) - echo _('Set image.').'<br />'; + echo htmlspecialchars(_('Set image.')).'<br />'; break; case 'seticon': if ($_GET['type'] != 'karts') @@ -112,13 +112,13 @@ $edit_addon = new coreAddon($_GET['type']); $edit_addon->selectById($_GET['name']); if ($edit_addon->set_image((int)$_GET['id'],'icon')) - echo _('Set icon.').'<br />'; + echo htmlspecialchars(_('Set icon.')).'<br />'; break; case 'deletefile': $edit_addon = new coreAddon($_GET['type']); $edit_addon->selectById($_GET['name']); if ($edit_addon->delete_file((int)$_GET['id'])) - echo _('Deleted file.').'<br />'; + echo htmlspecialchars(_('Deleted file.')).'<br />'; break; } ?> Modified: stkaddons/trunk/createAccount.php =================================================================== --- stkaddons/trunk/createAccount.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/createAccount.php 2011-07-18 02:20:15 UTC (rev 9288) 
@@ -39,46 +39,46 @@ // Login form $login_form = '<form id="form" action="createAccount.php?action=submit" method="POST"> - '._('Username:').' ('._('Must be at least 4 characters long.').')<br /> + '.htmlspecialchars(_('Username:')).' ('.htmlspecialchars(_('Must be at least 4 characters long.')).')<br /> <input type="text" name="user" /><br /> - '._('Password:').' ('._('Must be at least 6 characters long.').')<br /> + '.htmlspecialchars(_('Password:')).' ('.htmlspecialchars(_('Must be at least 6 characters long.')).')<br /> <input type="password" id="pass1" name="pass1" /><br /> - '._('Password (confirm):').' <br /> + '.htmlspecialchars(_('Password (confirm):')).' <br /> <input type="password" id="pass2" name="pass2" /><br /> - '._('Name:').' <br /> + '.htmlspecialchars(_('Name:')).' <br /> <input type="text" id="name" name="name" /><br /> - '._('Email Address:').' <br /> + '.htmlspecialchars(_('Email Address:')).' <br /> <input type="text" name="mail" /><br /><br /> - '._('Terms:').'<br /> + '.htmlspecialchars(_('Terms:')).'<br /> <textarea rows="10" cols="80"> -=== '._('STK Addons Terms and Conditions')." ===\n\n". -_('You must agree to these terms in order to upload content to the STK Addons site.')."\n\n". +=== '.htmlspecialchars(_('STK Addons Terms and Conditions'))." ===\n\n". +htmlspecialchars(_('You must agree to these terms in order to upload content to the STK Addons site.'))."\n\n". _('The STK Addons service is designed to be a repository exclusively for Super Tux Kart addon content. All uploaded content must be intended for this purpose. When you upload your content, it will be available publicly on the internet, and will be made available in-game for download.')."\n\n". -_('Super Tux Kart aims to comply with the Debian Free Software Guidelines (DFSG). +htmlspecialchars(_('Super Tux Kart aims to comply with the Debian Free Software Guidelines (DFSG). TuxFamily.org also requires that content they host comply with open licenses. 
You may not upload content which is locked down with a restrictive license. Licenses such as CC-BY-SA 3.0, or other DFSG-compliant licenses are required. All content taken from third-party sources must be attributed properly, and must also be available under an open license. Licenses and attribution should be included in a "license.txt" file in each uploaded archive. Uploads without -proper licenses or attribution may be deleted without warning.')."\n\n". -_('Even with valid licenses and attribution, content may not contain any -of the following:')."\n". -' 1. '._('Profanity')."\n". -' 2. '._('Explicit images')."\n". -' 3. '._('Hateful messages and/or images')."\n". -' 4. '._('Any other content that may be unsuitable for children')."\n". -_('If any of your uploads are found to contain any of the above, your upload +proper licenses or attribution may be deleted without warning.'))."\n\n". +htmlspecialchars(_('Even with valid licenses and attribution, content may not contain any +of the following:'))."\n". +' 1. '.htmlspecialchars(_('Profanity'))."\n". +' 2. '.htmlspecialchars(_('Explicit images'))."\n". +' 3. '.htmlspecialchars(_('Hateful messages and/or images'))."\n". +' 4. '.htmlspecialchars(_('Any other content that may be unsuitable for children'))."\n". +htmlspecialchars(_('If any of your uploads are found to contain any of the above, your upload will be removed, your account may be removed, and any other content you uploaded -may be removed.')."\n\n". -_('By checking the box below, you are confirming that you understand these +may be removed.'))."\n\n". +htmlspecialchars(_('By checking the box below, you are confirming that you understand these terms. If you have any questions or comments regarding these terms, one of the -members of the development team would gladly assist you.'). +members of the development team would gladly assist you.')). 
'</textarea><br /> - <input type="checkbox" name="terms" /> '._('I agree to the above terms').'<br /> + <input type="checkbox" name="terms" /> '.htmlspecialchars(_('I agree to the above terms')).'<br /> <input type="submit" value="Submit" /> </form>'; @@ -94,22 +94,22 @@ if ($_GET['action'] == 'submit' && $_POST['pass1'] != $_POST['pass2']) { - echo '<span class="error">'._('Your passwords do not match.').'</span><br /><br />'; + echo '<span class="error">'.htmlspecialchars(_('Your passwords do not match.')).'</span><br /><br />'; echo $login_form; } elseif ($_GET['action'] == 'submit' && strlen($_POST['user']) < 4) { - echo '<span class="error">'._('Your username must be at least 4 characters long.').'</span><br /><br />'; + echo '<span class="error">'.htmlspecialchars(_('Your username must be at least 4 characters long.')).'</span><br /><br />'; echo $login_form; } elseif ($_GET['action'] == 'submit' && strlen($_POST['pass1']) < 6) { - echo '<span class="error">'._('Your password must be at least 6 characters long.').'</span><br /><br />'; + echo '<span class="error">'.htmlspecialchars(_('Your password must be at least 6 characters long.')).'</span><br /><br />'; echo $login_form; } elseif ($_GET['action'] == 'submit' && $_POST['terms'] != 'on') { - echo '<span class="error">'._('You must agree to the terms to register.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('You must agree to the terms to register.')).'</span><br />'; echo $login_form; } elseif($_GET['action'] == "submit" && $_POST['pass1'] == $_POST['pass2']) 
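Review bot: One paragraph of the terms text in this hunk is still emitted raw: the unchanged context line `_('The STK Addons service is designed to be a repository exclusively for Super Tux Kart addon content. …')."\n\n".` sits between two wrapped neighbours but was not touched. Inside a `<textarea>` a translation containing `</textarea>` still closes the element, so the protection applied to the surrounding strings in this form is moot until this one is wrapped too: `htmlspecialchars(_('The STK Addons service is designed to be a repository exclusively for Super Tux Kart addon content. …'))."\n\n".`.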
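Review bot: The validation chain this hunk touches still compares with `!=`: `$_POST['pass1'] != $_POST['pass2']` compares numeric-looking strings numerically (so `10` and `1e1` count as a match), and `$_POST['terms'] != 'on'` reads an index that is absent when the box is unchecked. Prefer identity plus an existence check, e.g. `if ($_GET['action'] == 'submit' && (!isset($_POST['pass1'], $_POST['pass2']) || $_POST['pass1'] !== $_POST['pass2']))` and `!isset($_POST['terms']) || $_POST['terms'] !== 'on'`.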
@@ -133,16 +133,16 @@ if ($createSql) { sendMail(mysql_real_escape_string($_POST['mail']), "newAccount", array($crypt, $_SERVER["PHP_SELF"], $user)); - echo _("Account creation was successful. Please activate your account using the link emailed to you."); + echo htmlspecialchars(_("Account creation was successful. Please activate your account using the link emailed to you.")); } else { - echo '<span class="error">'._('An error occurred while creating your account.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('An error occurred while creating your account.')).'</span><br />'; } } else { - echo '<span class="error">'._('Your username has already been used.')."</span><br /><br />"; + echo '<span class="error">'.htmlspecialchars(_('Your username has already been used.'))."</span><br /><br />"; echo $login_form; } } @@ -154,7 +154,7 @@ $handle = sql_query($reqSql); if (!$handle) die (mysql_error()); - echo _('Your account has been activated.').'<br />'; + echo htmlspecialchars(_('Your account has been activated.')).'<br />'; } else { Modified: stkaddons/trunk/disabled.php =================================================================== --- stkaddons/trunk/disabled.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/disabled.php 2011-07-18 02:20:15 UTC (rev 9288) 
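Review bot: The activation mail sent just above the newly escaped success message is built from `$_SERVER["PHP_SELF"]`, which includes any PATH_INFO the requester appends to the URL; if `sendMail` (not shown) uses that value to build the activation link, a crafted registration request can place attacker-chosen text into a mail the site sends under its own name. Use a fixed script path there, e.g. `basename($_SERVER['SCRIPT_NAME'])` or a constant. The same line runs `mysql_real_escape_string()` over the address handed to `sendMail`, which is SQL escaping applied in an e-mail context; validating instead (`filter_var($_POST['mail'], FILTER_VALIDATE_EMAIL)`) rejects addresses with newlines and so also covers header injection.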
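Review bot: Two lines above the newly escaped `Your account has been activated.` message, `die (mysql_error())` sends the raw database error text to the client, which discloses table and column names and the failing query fragment. Log it server-side and show a generic message instead: `if (!$handle) { error_log(mysql_error()); die(htmlspecialchars(_('An error occurred while activating your account.'))); }`.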
@@ -37,7 +37,7 @@ <?php include('include/menu.php'); ?> <div id="content"> <span class="error"> - <?php echo _('This page is currently disabled.'); ?><br /> - <?php echo _('You will be redirected to the home page.'); ?> + <?php echo htmlspecialchars(_('This page is currently disabled.')); ?><br /> + <?php echo htmlspecialchars(_('You will be redirected to the home page.')); ?> </span> <?php include("include/footer.php"); exit; ?> \ No newline at end of file Modified: stkaddons/trunk/include/allow.php =================================================================== --- stkaddons/trunk/include/allow.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/include/allow.php 2011-07-18 02:20:15 UTC (rev 9288) @@ -99,9 +99,9 @@ break; } //support for translations : -_("root"); -_("supAdministrator"); -_("administrator"); -_("moderator"); -_("basicUser"); +htmlspecialchars(_("root")); +htmlspecialchars(_("supAdministrator")); +htmlspecialchars(_("administrator")); +htmlspecialchars(_("moderator")); +htmlspecialchars(_("basicUser")); ?> Modified: stkaddons/trunk/include/coreAddon.php =================================================================== --- stkaddons/trunk/include/coreAddon.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/include/coreAddon.php 2011-07-18 02:20:15 UTC (rev 9288) @@ -62,7 +62,7 @@ } if (mysql_num_rows($this->reqSql) == 0) { - echo _('The requested addon does not exist.').'<br />'; + echo htmlspecialchars(_('The requested addon does not exist.')).'<br />'; } $this->addonCurrent = sql_next($this->reqSql); @@ -247,7 +247,7 @@ $get_files_handle = sql_query($get_files_query); if (!$get_files_handle) { - echo '<span class="error">'._('Failed to find files associated with this addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to find files associated with this addon.')).'</span><br />'; return false; } $num_files = mysql_num_rows($get_files_handle); 
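Review bot: The five `htmlspecialchars(_("root"));` statements in the allow.php hunk are no-ops: their results are discarded, and the lines exist only so that the string extractor picks the role names up as msgids, as the `//support for translations :` comment above them says. Wrapping them changes nothing at runtime, and the place the role is actually rendered (`writeInformation()` in coreUser.php) escapes it separately in this same commit. Revert these to plain `_("root");` and friends so the lines keep reading as extraction markers rather than as output that somebody escaped.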
@@ -256,7 +256,7 @@ $get_file = mysql_fetch_assoc($get_files_handle); if (file_exists(UP_LOCATION.$get_file['file_path']) && !unlink(UP_LOCATION.$get_file['file_path'])) { - echo '<span class="error">'._('Failed to delete file:').' '.$get_file['file_path'].'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to delete file:')).' '.$get_file['file_path'].'</span><br />'; } } @@ -267,7 +267,7 @@ $remove_file_handle = sql_query($remove_file_query); if (!$remove_file_handle) { - echo '<span class="error">'._('Failed to remove file records for this addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to remove file records for this addon.')).'</span><br />'; } // Get revisions @@ -287,7 +287,7 @@ // Delete entry if (!sql_remove_where($this->addonType.'_revs', 'id', $getRevsResult['id'])) { - echo _('Failed to remove revision record.').'<br />'; + echo htmlspecialchars(_('Failed to remove revision record.')).'<br />'; return false; } } @@ -295,7 +295,7 @@ // Remove addon entry if (!sql_remove_where('addons', 'id', $this->addonCurrent['id'])) { - echo '<span class="error">'._('Failed to remove addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to remove addon.')).'</span><br />'; return false; } @@ -313,7 +313,7 @@ $addonUser = new coreUser(); $addonUser->selectById($this->addonCurrent['uploader']); if ($this->addonCurrent['designer'] == NULL) - $this->addonCurrent['designer'] = '<em>'._('Unknown').'</em>'; + $this->addonCurrent['designer'] = '<em>'.htmlspecialchars(_('Unknown')).'</em>'; if ($this->addonCurrent['description'] == NULL) $description = NULL; else 
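Review bot: In the first hunk here the label is escaped but the value beside it is not: `' '.$get_file['file_path'].'</span>'` echoes a database column straight into the page. Where `file_path` originates is not visible in this diff; if it ever derives from an uploaded file's name this is stored XSS, so escape it regardless: `.' '.htmlspecialchars($get_file['file_path']).'</span>'`. The same line's `unlink(UP_LOCATION.$get_file['file_path'])` would warrant, for the same reason, a check that the resolved path stays under UP_LOCATION before deleting.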
@@ -340,38 +340,38 @@ if (User::$logged_in && $this->addonCurrent['uploader'] == $_SESSION['userid']) { echo '<br /><form method="POST" action="upload.php?type='.$this->addonType.'&name='.$this->addonCurrent['id'].'&action=file">'; - echo '<input type="submit" value="'._('Upload Image').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Upload Image')).'" />'; echo '</form>'; } echo '</div>'; // Display badges for status flags if ($this->addonCurrent['status'] & F_FEATURED) - echo '<span class="f_featured">'._('Featured').'</span>'; + echo '<span class="f_featured">'.htmlspecialchars(_('Featured')).'</span>'; if ($this->addonCurrent['status'] & F_ALPHA) - echo '<span class="f_alpha">'._('Alpha').'</span>'; + echo '<span class="f_alpha">'.htmlspecialchars(_('Alpha')).'</span>'; if ($this->addonCurrent['status'] & F_BETA) - echo '<span class="f_beta">'._('Beta').'</span>'; + echo '<span class="f_beta">'.htmlspecialchars(_('Beta')).'</span>'; if ($this->addonCurrent['status'] & F_RC) - echo '<span class="f_rc">'._('Release-Candidate').'</span>'; + echo '<span class="f_rc">'.htmlspecialchars(_('Release-Candidate')).'</span>'; if ($this->addonCurrent['status'] & F_DFSG) - echo '<span class="f_dfsg">'._('DFSG Compliant').'</span>'; + echo '<span class="f_dfsg">'.htmlspecialchars(_('DFSG Compliant')).'</span>'; echo '<br />'.$description.' 
<table class="info">'; if ($this->addonType == 'tracks' && $this->addonCurrent['props'] == 1) { - echo '<tr><td><strong>'._('Type:').'</strong></td><td>'._('Arena').'</td></tr>'; + echo '<tr><td><strong>'.htmlspecialchars(_('Type:')).'</strong></td><td>'.htmlspecialchars(_('Arena')).'</td></tr>'; } - echo '<tr><td><strong>'._('Designer:').'</strong></td><td>'.$this->addonCurrent['designer'].'</td></tr> - <tr><td><strong>'._('Upload date:').'</strong></td><td>'.$this->addonCurrent['revision_timestamp'].'</td></tr> - <tr><td><strong>'._('Submitted by:').'</strong></td><td><a href="users.php?user='.$addonUser->userCurrent['user'].'">'.$addonUser->userCurrent['name'].'</a></td></tr> - <tr><td><strong>'._('Revision:').'</strong></td><td>'.$this->addonCurrent['revision'].'</td></tr> - <tr><td><strong>'._('Compatible with:').'</strong></td><td>'.format_compat($this->addonCurrent['format'],$this->addonType).'</td></tr> + echo '<tr><td><strong>'.htmlspecialchars(_('Designer:')).'</strong></td><td>'.$this->addonCurrent['designer'].'</td></tr> + <tr><td><strong>'.htmlspecialchars(_('Upload date:')).'</strong></td><td>'.$this->addonCurrent['revision_timestamp'].'</td></tr> + <tr><td><strong>'.htmlspecialchars(_('Submitted by:')).'</strong></td><td><a href="users.php?user='.$addonUser->userCurrent['user'].'">'.$addonUser->userCurrent['name'].'</a></td></tr> + <tr><td><strong>'.htmlspecialchars(_('Revision:')).'</strong></td><td>'.$this->addonCurrent['revision'].'</td></tr> + <tr><td><strong>'.htmlspecialchars(_('Compatible with:')).'</strong></td><td>'.format_compat($this->addonCurrent['format'],$this->addonType).'</td></tr> </table></div>'; if ($this->addonCurrent['status'] & F_TEX_NOT_POWER_OF_2) { - echo _('Warning: This addon may not display correctly on some systems. It uses textures that may not be compatible with all video cards.')."<br />\n"; + echo htmlspecialchars(_('Warning: This addon may not display correctly on some systems. 
It uses textures that may not be compatible with all video cards.'))."<br />\n"; } // Get download path @@ -384,33 +384,33 @@ } else { - echo '<span class="error">'._('File not found.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('File not found.')).'</span><br />'; } } else { - echo '<span class="error">'._('File not found.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('File not found.')).'</span><br />'; } echo '<br /><br /><br /><br /> - <strong>'._('License:').'</strong><br /> + <strong>'.htmlspecialchars(_('License:')).'</strong><br /> <textarea name="license" rows="4" cols="60">'.strip_tags($this->addonCurrent['license']).'</textarea> <br /><br />'; // Print a permanent reference link (permalink) to this addon - echo '<h3>'._('Permalink').'</h3><br /> + echo '<h3>'.htmlspecialchars(_('Permalink')).'</h3><br /> <a href="'.$this->addonCurrent['permUrl'].'">'.$this->addonCurrent['permUrl'].'</a><br /><br />'; // List revisions $addonRevs = new coreAddon($this->addonType); $addonRevs->selectById($this->addonCurrent['id'],true); - echo '<h3>'._('Revisions').'</h3>'; + echo '<h3>'.htmlspecialchars(_('Revisions')).'</h3>'; // Add upload button to the right of the Revisions label if (User::$logged_in && $this->addonCurrent['uploader'] == $_SESSION['userid']) { echo '<div style="float: right;"><form method="POST" action="upload.php?type='.$this->addonType.'&name='.$this->addonCurrent['id'].'">'; - echo '<input type="submit" value="'._('Upload Revision').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Upload Revision')).'" />'; echo '</form></div>'; } 
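Review bot: The info table in the hunk that starts at `@@ -340` escapes only the column labels; the cells still interpolate `$this->addonCurrent['designer']`, `$addonUser->userCurrent['user']` (inside an `href`) and `$addonUser->userCurrent['name']` unescaped. `designer` is written from `$_POST['designer']` through `setInformation()` in addons.php earlier in this commit, so unless `setInformation()` encodes on the way in (not shown), any uploader can inject markup into every visitor's view of the add-on — a wider attacker than the translator this commit targets. Wrap the values the same way, `'<td>'.htmlspecialchars($this->addonCurrent['designer']).'</td>'`, and `urlencode()` the username inside the link; the `'<em>'._('Unknown').'</em>'` sentinel assigned to `designer` earlier in this method (its start is outside the hunk) would then need to be rendered at output time rather than stored in the data field.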
@@ -449,17 +449,17 @@ if (file_exists(UP_LOCATION.$file_path)) { echo '<a href="'.DOWN_LOCATION.$file_path.'">'; - printf(_('Download revision %u'),$addonRevs->addonCurrent['revision']); + printf(htmlspecialchars(_('Download revision %u')),$addonRevs->addonCurrent['revision']); echo '</a>'; } else { - echo _('Revision').' '.$addonRevs->addonCurrent['revision'].' - '._('File not found.'); + echo htmlspecialchars(_('Revision')).' '.$addonRevs->addonCurrent['revision'].' - '.htmlspecialchars(_('File not found.')); } } else { - echo _('Revision').' '.$addonRevs->addonCurrent['revision'].' - '._('File not found.'); + echo htmlspecialchars(_('Revision')).' '.$addonRevs->addonCurrent['revision'].' - '.htmlspecialchars(_('File not found.')); } echo '</td></tr>'; $addonRevs->next(); @@ -467,12 +467,12 @@ echo '</table><br /><br />'; // Show list of images associated with this addon - echo '<h3>'._('Images').'</h3>'; + echo '<h3>'.htmlspecialchars(_('Images')).'</h3>'; // Add upload button to the right of the Images label if (User::$logged_in && $this->addonCurrent['uploader'] == $_SESSION['userid']) { echo '<div style="float: right;"><form method="POST" action="upload.php?type='.$this->addonType.'&name='.$this->addonCurrent['id'].'&action=file">'; - echo '<input type="submit" value="'._('Upload Image').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Upload Image')).'" />'; echo '</form></div>'; } echo '<br /><br />'; @@ -502,7 +502,7 @@ if (count($image_files) == 0) { - echo _('No images have been uploaded for this addon yet.').'<br />'; + echo htmlspecialchars(_('No images have been uploaded for this addon yet.')).'<br />'; } else { 
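Review bot: `printf(htmlspecialchars(_('Download revision %u')),$addonRevs->addonCurrent['revision'])` escapes the format string before substitution, so only the template is covered and any argument substituted into it is not; that is harmless for `%u` today and wrong the day a `%s` is added. Format first, then escape: `echo htmlspecialchars(sprintf(_('Download revision %u'), $addonRevs->addonCurrent['revision']));`. Neither order protects against a translation that introduces an extra conversion specifier (too few arguments is a warning on PHP 5 and a fatal `ArgumentCountError` on PHP 8), which is worth a note in the translator guidelines; the same pattern recurs for `Source File %u`, `Rev %u:` and `Max %u characters` in later hunks.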
@@ -521,9 +521,9 @@ if ($_SESSION['role']['manageaddons']) { if ($source_file['approved'] == 1) - echo '<a href="'.$this->addonCurrent['permUrl'].'&save=unapprove&id='.$source_file['id'].'">'._('Unapprove').'</a>'; + echo '<a href="'.$this->addonCurrent['permUrl'].'&save=unapprove&id='.$source_file['id'].'">'.htmlspecialchars(_('Unapprove')).'</a>'; else - echo '<a href="'.$this->addonCurrent['permUrl'].'&save=approve&id='.$source_file['id'].'">'._('Approve').'</a>'; + echo '<a href="'.$this->addonCurrent['permUrl'].'&save=approve&id='.$source_file['id'].'">'.htmlspecialchars(_('Approve')).'</a>'; echo '<br />'; } if ($_SESSION['role']['manageaddons'] || $this->addonCurrent['uploader'] == $_SESSION['userid']) @@ -532,14 +532,14 @@ { if ($this->addonCurrent['icon'] != $source_file['id']) { - echo '<a href="'.$this->addonCurrent['permUrl'].'&save=seticon&id='.$source_file['id'].'">'._('Set Icon').'</a><br />'; + echo '<a href="'.$this->addonCurrent['permUrl'].'&save=seticon&id='.$source_file['id'].'">'.htmlspecialchars(_('Set Icon')).'</a><br />'; } } if ($this->addonCurrent['image'] != $source_file['id']) { - echo '<a href="'.$this->addonCurrent['permUrl'].'&save=setimage&id='.$source_file['id'].'">'._('Set Image').'</a><br />'; + echo '<a href="'.$this->addonCurrent['permUrl'].'&save=setimage&id='.$source_file['id'].'">'.htmlspecialchars(_('Set Image')).'</a><br />'; } - echo '<a href="'.$this->addonCurrent['permUrl'].'&save=deletefile&id='.$source_file['id'].'">'._('Delete File').'</a><br />'; + echo '<a href="'.$this->addonCurrent['permUrl'].'&save=deletefile&id='.$source_file['id'].'">'.htmlspecialchars(_('Delete File')).'</a><br />'; } } echo '</div>'; 
@@ -548,12 +548,12 @@ echo '<br /><br />'; // Show list of source files - echo '<h3>'._('Source Files').'</h3>'; + echo '<h3>'.htmlspecialchars(_('Source Files')).'</h3>'; // Add upload button to the right of the Source Files label if (User::$logged_in && $this->addonCurrent['uploader'] == $_SESSION['userid']) { echo '<div style="float: right;"><form method="POST" action="upload.php?type='.$this->addonType.'&name='.$this->addonCurrent['id'].'&action=file">'; - echo '<input type="submit" value="'._('Upload Source File').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Upload Source File')).'" />'; echo '</form></div>'; } echo '<br /><br />'; @@ -583,7 +583,7 @@ if (count($source_files) == 0) { - echo _('No source files have been uploaded for this addon yet.').'<br />'; + echo htmlspecialchars(_('No source files have been uploaded for this addon yet.')).'<br />'; } else { 
@@ -593,20 +593,20 @@ { echo '<tr>'; $approved = NULL; - if ($source_file['approved'] == 0) $approved = ' ('._('Not Approved').')'; + if ($source_file['approved'] == 0) $approved = ' ('.htmlspecialchars(_('Not Approved')).')'; echo '<td><strong>'; - printf(_('Source File %u'),$n); + printf(htmlspecialchars(_('Source File %u')),$n); echo '</strong>'.$approved.'</td>'; - echo '<td><a href="'.DOWN_LOCATION.$source_file['file_path'].'">'._('Download').'</a>'; + echo '<td><a href="'.DOWN_LOCATION.$source_file['file_path'].'">'.htmlspecialchars(_('Download')).'</a>'; if (User::$logged_in) { if ($_SESSION['role']['manageaddons']) { if ($source_file['approved'] == 1) - echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=unapprove&id='.$source_file['id'].'">'._('Unapprove').'</a>'; + echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=unapprove&id='.$source_file['id'].'">'.htmlspecialchars(_('Unapprove')).'</a>'; else - echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=approve&id='.$source_file['id'].'">'._('Approve').'</a>'; - echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=deletefile&id='.$source_file['id'].'">'._('Delete File').'</a><br />'; + echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=approve&id='.$source_file['id'].'">'.htmlspecialchars(_('Approve')).'</a>'; + echo ' | <a href="'.$this->addonCurrent['permUrl'].'&save=deletefile&id='.$source_file['id'].'">'.htmlspecialchars(_('Delete File')).'</a><br />'; } } $n++; 
@@ -629,40 +629,40 @@ echo '<hr /><h3>Configuration</h3>'; // Edit designer echo '<form name="changeProps" action="'.$this->addonCurrent['permUrl'].'&save=props" method="POST">'; - echo '<strong>'._('Designer:').'</strong><br />'; + echo '<strong>'.htmlspecialchars(_('Designer:')).'</strong><br />'; // FIXME: Find a cleaner way to check this - if ($this->addonCurrent['designer'] == '<em>'._('Unknown').'</em>') + if ($this->addonCurrent['designer'] == '<em>'.htmlspecialchars(_('Unknown')).'</em>') $this->addonCurrent['designer'] = NULL; echo '<input type="text" name="designer" id="designer_field" value="'.$this->addonCurrent['designer'].'" /><br />'; echo '<br />'; - printf('<strong>'._('Description:').'</strong> ('._('Max %u characters').')<br />','140'); + printf('<strong>'.htmlspecialchars(_('Description:')).'</strong> ('.htmlspecialchars(_('Max %u characters')).')<br />','140'); echo '<textarea name="description" id="desc_field" rows="4" cols="60" onKeyUp="textLimit(document.getElementById(\'desc_field\'),140);" onKeyDown="textLimit(document.getElementById(\'desc_field\'),140);">'.$this->addonCurrent['description'].'</textarea><br />'; - echo '<input type="submit" value="'._('Save Properties').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Save Properties')).'" />'; echo '</form><br />'; // Delete addon if ($this->addonCurrent['uploader'] == $_SESSION['userid'] || $_SESSION['role']['manageaddons']) - echo '<input type="button" value="'._('Delete Addon').'" onClick="confirm_delete(\''.$this->addonCurrent['permUrl'].'&save=delete\')" /><br /><br />'; + echo '<input type="button" value="'.htmlspecialchars(_('Delete Addon')).'" onClick="confirm_delete(\''.$this->addonCurrent['permUrl'].'&save=delete\')" /><br /><br />'; // Set status flags - echo '<strong>'._('Status Flags:').'</strong><br />'; + echo '<strong>'.htmlspecialchars(_('Status Flags:')).'</strong><br />'; echo '<form method="POST" 
action="'.$this->addonCurrent['permUrl'].'&save=status">'; echo '<table id="addon_flags" class="info"><thead><tr><th></th>'; if ($_SESSION['role']['manageaddons']) { - echo '<th>'.img_label(_('Approved')).'</th> - <th>'.img_label(_('Invisible')).'</th>'; + echo '<th>'.img_label(htmlspecialchars(_('Approved'))).'</th> + <th>'.img_label(htmlspecialchars(_('Invisible'))).'</th>'; } - echo '<th>'.img_label(_('Alpha')).'</th> - <th>'.img_label(_('Beta')).'</th> - <th>'.img_label(_('Release-Candidate')).'</th> - <th>'.img_label(_('Latest')).'</th>'; + echo '<th>'.img_label(htmlspecialchars(_('Alpha'))).'</th> + <th>'.img_label(htmlspecialchars(_('Beta'))).'</th> + <th>'.img_label(htmlspecialchars(_('Release-Candidate'))).'</th> + <th>'.img_label(htmlspecialchars(_('Latest'))).'</th>'; if ($_SESSION['role']['manageaddons']) - echo '<th>'.img_label(_('DFSG Compliant')).'</th> - <th>'.img_label(_('Featured')).'</th>'; - echo '<th>'.img_label(_('Invalid Textures')).'</th>'; + echo '<th>'.img_label(htmlspecialchars(_('DFSG Compliant'))).'</th> + <th>'.img_label(htmlspecialchars(_('Featured'))).'</th>'; + echo '<th>'.img_label(htmlspecialchars(_('Invalid Textures'))).'</th>'; echo '</tr></thead>'; $addonRevs = new coreAddon($this->addonType); $addonRevs->selectById($this->addonCurrent['id'],true); @@ -671,7 +671,7 @@ while ($addonRevs->addonCurrent) { echo '<tr><td style="text-align: center;">'; - printf(_('Rev %u:'),$addonRevs->addonCurrent['revision']); + printf(htmlspecialchars(_('Rev %u:')),$addonRevs->addonCurrent['revision']); echo '</td>'; if ($_SESSION['role']['manageaddons'] == true) 
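Review bot: The edit form in the hunk beginning at `@@ -629` puts user-editable data into attribute and textarea contexts unescaped: `value="'.$this->addonCurrent['designer'].'"` and `<textarea …>'.$this->addonCurrent['description'].'</textarea>`. Both fields are written from `$_POST` by `setInformation()` in addons.php earlier in this commit, so a `"` in designer leaves the attribute and a `</textarea>` in description leaves the element; unless `setInformation()` encodes on write (not shown), this is stored XSS reachable by any uploader. Escape at output: `value="'.htmlspecialchars($this->addonCurrent['designer'], ENT_QUOTES).'"` and `'.htmlspecialchars($this->addonCurrent['description']).'` inside the textarea. The `== '<em>'.htmlspecialchars(_('Unknown')).'</em>'` comparison above them is now the third place this markup sentinel is spelled out; a NULL check at the source would resolve the existing FIXME and make the escaping above safe to apply. The enclosing method starts before this hunk.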
@@ -800,11 +800,11 @@ } echo '</table>'; echo '<input type="hidden" name="fields" value="'.implode(',',$fields).'" />'; - echo '<input type="submit" value="'._('Save Changes').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Save Changes')).'" />'; echo '</form><br />'; // Moderator notes - echo '<strong>'._('Notes from Moderator to Submitter:').'</strong><br />'; + echo '<strong>'.htmlspecialchars(_('Notes from Moderator to Submitter:')).'</strong><br />'; if ($_SESSION['role']['manageaddons']) echo '<form method="POST" action="'.$this->addonCurrent['permUrl'].'&save=notes">'; $addonRevs = new coreAddon($this->addonType); @@ -812,7 +812,7 @@ $fields = array(); while ($addonRevs->addonCurrent) { - printf(_('Rev %u:').'<br />',$addonRevs->addonCurrent['revision']); + printf(htmlspecialchars(_('Rev %u:')).'<br />',$addonRevs->addonCurrent['revision']); echo '<textarea name="notes-'.$addonRevs->addonCurrent['revision'].'" id="notes-'.$addonRevs->addonCurrent['revision'].'" rows="4" cols="60" onKeyUp="textLimit(document.getElementById(\'notes-'.$addonRevs->addonCurrent['revision'].'\'),4000);" @@ -825,7 +825,7 @@ if ($_SESSION['role']['manageaddons']) { echo '<input type="hidden" name="fields" value="'.implode(',',$fields).'" />'; - echo '<input type="submit" value="'._('Save Notes').'" />'; + echo '<input type="submit" value="'.htmlspecialchars(_('Save Notes')).'" />'; echo '</form>'; } } 
@@ -860,14 +860,14 @@ // Make sure no addon with this id exists if(sql_exist($this->addonType.'_revs', 'id', $fileid)) { - echo '<span class="error">'._('The add-on you are trying to create already exists.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('The add-on you are trying to create already exists.')).'</span><br />'; return false; } // Check if we're creating a new add-on if (!sql_exist('addons', 'id', $addonid)) { - echo _('Creating a new add-on...').'<br />'; + echo htmlspecialchars(_('Creating a new add-on...')).'<br />'; $fields = array('id','type','name','uploader','designer','license'); $values = array($addonid,$this->addonType, mysql_real_escape_string($attributes['name']), @@ -887,13 +887,13 @@ } else { - echo _('This add-on already exists. Adding revision...').'<br />'; + echo htmlspecialchars(_('This add-on already exists. Adding revision...')).'<br />'; // Update the addon name if (!sql_update('addons', 'id',mysql_real_escape_string($addonid), 'name',mysql_real_escape_string($attributes['name']))) { - echo '<span class="error">'._('Failed to update the name record for this add-on.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to update the name record for this add-on.')).'</span><br />'; } // Update license file record if (!sql_update('addons', @@ -902,7 +902,7 @@ 'license', mysql_real_escape_string($attributes['license']))) { - echo '<span class="error">'._('Failed to update the license record for this add-on.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to update the license record for this add-on.')).'</span><br />'; } } @@ -912,7 +912,7 @@ $reqSql = sql_query($prevRevQuerySql); if (!$reqSql) { - echo '<span class="error">'._('Failed to check for previous add-on revisions.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to check for previous add-on revisions.')).'</span><br />'; return false; } if (mysql_num_rows($reqSql) == 0) 
@@ -994,7 +994,7 @@ { if ($type != 'karts' && $type != 'tracks') { - echo '<span class="error">'._('Invalid addon type.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Invalid addon type.')).'</span><br />'; return false; } $addon_id = addon_id_clean($addon_id); @@ -1104,7 +1104,7 @@ return false; if ($type != 'karts' && $type != 'tracks') { - echo '<span class="error">'._('Invalid addon type.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Invalid addon type.')).'</span><br />'; return false; } $addon_id = addon_id_clean($addon_id); @@ -1174,7 +1174,7 @@ switch ($filetype) { default: - return _('Unknown'); + return htmlspecialchars(_('Unknown')); case 'karts': if ($format == 1) { @@ -1184,7 +1184,7 @@ { return '0.7 - 0.7.2'; } - return _('Unknown'); + return htmlspecialchars(_('Unknown')); break; case 'tracks': if ($format == 1 || $format == 2) @@ -1195,10 +1195,10 @@ { return '0.7 - 0.7.2'; } - return _('Unknown'); + return htmlspecialchars(_('Unknown')); break; } - return _('Unknown'); + return htmlspecialchars(_('Unknown')); } function approve_file($file_id,$approve = 'approve') @@ -1210,7 +1210,7 @@ if (!$_SESSION['role']['manageaddons']) { - echo '<span class="error">'._('Insufficient permissions.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Insufficient permissions.')).'</span><br />'; return false; } Modified: stkaddons/trunk/include/coreUser.php =================================================================== --- stkaddons/trunk/include/coreUser.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/include/coreUser.php 2011-07-18 02:20:15 UTC (rev 9288) 
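Review bot: The four `return htmlspecialchars(_('Unknown'));` lines in the -1174, -1184 and -1195 hunks move HTML escaping into a function that otherwise returns plain data such as `'0.7 - 0.7.2'`, so its return values are now in two different encodings and any caller that escapes at output, or writes the value into a non-HTML context, will double-encode the `Unknown` case. Returning the raw `_('Unknown')` and escaping where the string is echoed keeps one encoding per function. The `break;` after each `return` in the -1184 and -1195 hunks is unreachable and could be dropped. The function's signature is above the -1174 hunk and not visible here.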
@@ -84,18 +84,18 @@ function writeInformation() { echo '<h1>'.$this->userCurrent['user'].'</h1><br />'; - echo '<table><tr><td>'._('Username:').'</td><td>'.$this->userCurrent['user'].'</td></tr>'; - echo '<tr><td>'._('Registration Date:').'</td><td>'.$this->userCurrent['reg_date'].'</td></tr>'; - echo '<tr><td>'._('Real Name:').'</td><td>'.$this->userCurrent['name'].'</td></tr>'; - echo '<tr><td>'._('Role:').'</td><td>'._($this->userCurrent['role']).'</td></tr>'; + echo '<table><tr><td>'.htmlspecialchars(_('Username:')).'</td><td>'.$this->userCurrent['user'].'</td></tr>'; + echo '<tr><td>'.htmlspecialchars(_('Registration Date:')).'</td><td>'.$this->userCurrent['reg_date'].'</td></tr>'; + echo '<tr><td>'.htmlspecialchars(_('Real Name:')).'</td><td>'.$this->userCurrent['name'].'</td></tr>'; + echo '<tr><td>'.htmlspecialchars(_('Role:')).'</td><td>'.htmlspecialchars(_($this->userCurrent['role'])).'</td></tr>'; if (strlen($this->userCurrent['homepage'] > 0)) { - echo '<tr><td>'._('Homepage:').'</td><td><a href="'.$this->userCurrent['homepage'].'" >'.$this->userCurrent['homepage'].'</a></td></tr>'; + echo '<tr><td>'.htmlspecialchars(_('Homepage:')).'</td><td><a href="'.$this->userCurrent['homepage'].'" >'.$this->userCurrent['homepage'].'</a></td></tr>'; } echo '</table><br />'; // List of karts created by the current user - echo '<h3>'._('User\'s Karts').'</h3><br />'; + echo '<h3>'.htmlspecialchars(_('User\'s Karts')).'</h3><br />'; $kartSql = 'SELECT `a`.*, `r`.`status` FROM `'.DB_PREFIX.'addons` `a` LEFT JOIN `'.DB_PREFIX.'karts_revs` `r` @@ -105,7 +105,7 @@ $kartHandle = sql_query($kartSql); if (mysql_num_rows($kartHandle) == 0) { - echo _('This user has not uploaded any karts.').'<br />'; + echo htmlspecialchars(_('This user has not uploaded any karts.')).'<br />'; } else { 
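Review bot: The rewritten `echo` lines in the -84 hunk still concatenate `$this->userCurrent['user']`, `['reg_date']`, `['name']` and `['homepage']` into HTML unescaped, and `homepage` additionally goes straight into an `href`, so the labels are now safe while the stored values beside them are not; the same gap is on the `value="..."` line of the -179 hunk and on the `<form action="users.php?user=...">` line of the -208 hunk. Applying `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` to each value at output, and only linking the homepage when it is a plain http/https URL, closes it. The condition between those lines, `if (strlen($this->userCurrent['homepage'] > 0))`, also takes the length of a boolean rather than of the string, so whether the row prints depends on the string-to-number comparison and not on whether a homepage is set; `strlen($this->userCurrent['homepage']) > 0` looks intended. writeInformation() continues past this hunk.
```php
function writeInformation()
{
    $u = $this->userCurrent;
    echo '<h1>'.htmlspecialchars($u['user'], ENT_QUOTES, 'UTF-8').'</h1><br />';
    echo '<table><tr><td>'.htmlspecialchars(_('Username:')).'</td><td>'.htmlspecialchars($u['user'], ENT_QUOTES, 'UTF-8').'</td></tr>';
    echo '<tr><td>'.htmlspecialchars(_('Registration Date:')).'</td><td>'.htmlspecialchars($u['reg_date'], ENT_QUOTES, 'UTF-8').'</td></tr>';
    echo '<tr><td>'.htmlspecialchars(_('Real Name:')).'</td><td>'.htmlspecialchars($u['name'], ENT_QUOTES, 'UTF-8').'</td></tr>';
    echo '<tr><td>'.htmlspecialchars(_('Role:')).'</td><td>'.htmlspecialchars(_($u['role'])).'</td></tr>';
    // Only link to the homepage when one is set and it is a plain http/https URL;
    // the value is stored user data, so escape it for both the attribute and the text.
    if (strlen($u['homepage']) > 0 && preg_match('#^https?://#i', $u['homepage']))
    {
        $home = htmlspecialchars($u['homepage'], ENT_QUOTES, 'UTF-8');
        echo '<tr><td>'.htmlspecialchars(_('Homepage:')).'</td><td><a href="'.$home.'" >'.$home.'</a></td></tr>';
    }
    echo '</table><br />';
    // … unchanged: kart and track listings …
```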
@@ -131,7 +131,7 @@ echo '</ul><br />'; } - echo '<h3>'._('User\'s Tracks').'</h3><br />'; + echo '<h3>'.htmlspecialchars(_('User\'s Tracks')).'</h3><br />'; $trackSql = 'SELECT `a`.*, `r`.`status` FROM `'.DB_PREFIX.'addons` `a` LEFT JOIN `'.DB_PREFIX.'tracks_revs` `r` @@ -141,7 +141,7 @@ $trackHandle = sql_query($trackSql); if (mysql_num_rows($trackHandle) == 0) { - echo _('This user has not uploaded any tracks.').'<br />'; + echo htmlspecialchars(_('This user has not uploaded any tracks.')).'<br />'; } else { @@ -179,11 +179,11 @@ <h3>Configuration</h3><br /> <form enctype="multipart/form-data" action="?user='.$this->userCurrent['user'].'&action=config" method="POST" > <table>'; - echo '<tr><td>'._('Homepage:').'</td><td><input type="text" name="homepage" value="'.$this->userCurrent['homepage'].'" disabled /></td></tr>'; + echo '<tr><td>'.htmlspecialchars(_('Homepage:')).'</td><td><input type="text" name="homepage" value="'.$this->userCurrent['homepage'].'" disabled /></td></tr>'; // Edit role if allowed if($_SESSION['role']['manage'.$this->userCurrent['role'].'s'] == true || $_SESSION['userid'] == $this->userCurrent['id']) { - echo '<tr><td>'._('Role:').'</td><td>'; + echo '<tr><td>'.htmlspecialchars(_('Role:')).'</td><td>'; $role_disabled = NULL; if ($_SESSION['userid'] == $this->userCurrent['id']) $role_disabled = 'disabled'; @@ -200,7 +200,7 @@ } } echo '</select>'; - echo '</td></tr><tr><td>'._('User Activated:').'</td><td>'; + echo '</td></tr><tr><td>'.htmlspecialchars(_('User Activated:')).'</td><td>'; echo '<input type="checkbox" name="available" '; if($this->userCurrent['active'] == 1) { 
@@ -208,19 +208,19 @@
 }
 echo '/></td></tr>';
 }
- echo '<tr><td></td><td><input type="submit" value="'._('Save Configuration').'" /></td></tr>';
+ echo '<tr><td></td><td><input type="submit" value="'.htmlspecialchars(_('Save Configuration')).'" /></td></tr>';
 echo '</table></form><br />';
 if($this->userCurrent['id'] == $_SESSION['userid'])
 {
- echo '<h3>'._('Change Password').'</h3><br />
+ echo '<h3>'.htmlspecialchars(_('Change Password')).'</h3><br />
 <form action="users.php?user='.$this->userCurrent['user'].'&action=password" method="POST">
- '._('Old Password:').'<br />
+ '.htmlspecialchars(_('Old Password:')).'<br />
 <input type="password" name="oldPass" /><br />
- '._('New Password:').' ('._('Must be at least 6 characters long.').')<br />
+ '.htmlspecialchars(_('New Password:')).' ('.htmlspecialchars(_('Must be at least 6 characters long.')).')<br />
 <input type="password" name="newPass" /><br />
- '._('New Password (Confirm):').'<br />
+ '.htmlspecialchars(_('New Password (Confirm):')).'<br />
 <input type="password" name="newPass2" /><br />
- <input type="submit" value="'._('Change Password').'" />
+ <input type="submit" value="'.htmlspecialchars(_('Change Password')).'" />
 </form>';
 }
 }
@@ -231,23 +231,23 @@
 $succes =false;
 if($newPass != $_POST['newPass2'])
 {
- echo '<span class="error">'._('Your passwords do not match.').'</span><br />';
+ echo '<span class="error">'.htmlspecialchars(_('Your passwords do not match.')).'</span><br />';
 return false;
 }
 if(hash('sha256',$_POST['oldPass']) != $this->userCurrent['pass'])
 {
- echo '<span class="error">'._('Your old password is not correct.').'</span><br />';
+ echo '<span class="error">'.htmlspecialchars(_('Your old password is not correct.')).'</span><br />';
 return false;
 }
 if (strlen($_POST['newPass']) < 6)
 {
- echo '<span class="error">'._('Your password must be at least 6 characters long.').'</span><br />';
+ echo '<span class="error">'.htmlspecialchars(_('Your password must be at least 6 characters long.')).'</span><br />';
 return false;
 }
 if($_SESSION['userid'] == $this->userCurrent['id'])
 {
 mysql_query("UPDATE `".DB_PREFIX."users` SET `pass` = '".hash('sha256',$_POST['newPass'])."' WHERE `id` =".$this->userCurrent['id']." LIMIT 1 ;");
- echo _('Your password is changed.').'<br />';
+ echo htmlspecialchars(_('Your password is changed.')).'<br />';
 $_SESSION['pass'] = hash('sha256',$_POST['newPass']);
 $succes=true;
 }
Modified: stkaddons/trunk/include/mail.php
===================================================================
--- stkaddons/trunk/include/mail.php 2011-07-17 15:47:27 UTC (rev 9287)
+++ stkaddons/trunk/include/mail.php 2011-07-18 02:20:15 UTC (rev 9288)
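Review bot: The check the second new message reports on, `if(hash('sha256',$_POST['oldPass']) != $this->userCurrent['pass'])`, still verifies the password against an unsalted single-round SHA-256 digest with a loose `!=` comparison, and the same digest is written back a few lines later by the `mysql_query("UPDATE ... SET `pass` = ...")` statement; the escaping added here does not change that. A per-user salted, slow hash (`password_hash()`/`password_verify()` on PHP 5.5+) compared in constant time (`hash_equals()` on 5.6+) would be the usual fix, with the stored column widened for the longer hash. The third check also reads `strlen($_POST['newPass'])` while the local `$newPass` is already in scope on the first line, so one of the two is redundant. The enclosing method's header is above this hunk and not visible here.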
@@ -65,7 +65,7 @@ $mail_address = ConfigManager::get_config('list_email'); if (strlen($mail_address) == 0) { - echo '<span class="warning">'._('No moderator mailing-list email is set.').'</span><br />'; + echo '<span class="warning">'.htmlspecialchars(_('No moderator mailing-list email is set.')).'</span><br />'; return; } Modified: stkaddons/trunk/include/menu.php =================================================================== --- stkaddons/trunk/include/menu.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/include/menu.php 2011-07-18 02:20:15 UTC (rev 9288) @@ -40,11 +40,11 @@ <?php if(User::$logged_in) { - printf(_('Welcome, %s'),$_SESSION['real_name']); + printf(htmlspecialchars(_('Welcome, %s')),$_SESSION['real_name']); echo ' '; } echo '<a href="index.php">'; - echo _("Home"); + echo htmlspecialchars(_("Home")); echo '</a>'; if (basename(get_self()) == 'addons.php') 
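Review bot: In the menu.php -40 hunk, `printf(htmlspecialchars(_('Welcome, %s')),$_SESSION['real_name']);` escapes only the format string, so the real name substituted into it, presumably set from the registration form, still reaches the page unescaped and the change misses the one untrusted value on that line. Escaping the argument as well, `printf(htmlspecialchars(_('Welcome, %s')), htmlspecialchars($_SESSION['real_name'], ENT_QUOTES, 'UTF-8'));`, closes it; escaping the format string itself is safe only because `htmlspecialchars()` never touches `%`. The same shape appears in the coreAddon.php -812 hunk, where the `%u` argument is a revision number and so is harmless.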
@@ -52,38 +52,38 @@ if ($_GET['type'] == 'karts') { $link = 'addons.php?type=tracks'; - $text = _('Tracks'); + $text = htmlspecialchars(_('Tracks')); } else { $link = 'addons.php?type=karts'; - $text = _('Karts'); + $text = htmlspecialchars(_('Karts')); } echo '<a href="'.$link.'">'.$text.'</a>'; } if(User::$logged_in) { - echo'<a href="login.php?action=logout">'._("Log out").'</a>'; - echo'<a href="users.php">'._("Users").'</a>'; - echo'<a href="upload.php">'._("Upload").'</a>'; + echo'<a href="login.php?action=logout">'.htmlspecialchars(_("Log out")).'</a>'; + echo'<a href="users.php">'.htmlspecialchars(_("Users")).'</a>'; + echo'<a href="upload.php">'.htmlspecialchars(_("Upload")).'</a>'; if ($_SESSION['role']['managesettings']) - echo '<a href="manage.php">'._('Manage').'</a>'; + echo '<a href="manage.php">'.htmlspecialchars(_('Manage')).'</a>'; } else { echo'<a href="login.php">'; - echo _('Login'); + echo htmlspecialchars(_('Login')); echo '</a>'; } echo'<a href="about.php">'; - echo _('About'); + echo htmlspecialchars(_('About')); echo '</a>'; ?> </div> <div class="right"> <div id="lang-menu"> - <a class="menu_head" href="#"><?php echo _("Languages");?></a> + <a class="menu_head" href="#"><?php echo htmlspecialchars(_("Languages"));?></a> <ul class="menu_body"> <li><a href="<?php echo $page_url.'&lang=en_US'; ?>"><img src="image/flag/en.png" /></a></li> <li><a href="<?php echo $page_url.'&lang=de_DE'; ?>"><img src="image/flag/de.png" /></a></li> 
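Review bot: `$page_url` is concatenated unescaped into the `href` of each language link at the end of this hunk (`<?php echo $page_url.'&lang=en_US'; ?>`); if it is built from the request URI, which is not visible here, that is a reflected injection point the labels-only escaping leaves open. Emitting it through `htmlspecialchars($page_url, ENT_QUOTES, 'UTF-8')` at those echo sites, or once into a local before the list, covers it regardless of origin. A smaller point of style: `$text = htmlspecialchars(_('Tracks'));` escapes at assignment rather than at the `echo '<a href="'.$link.'">'.$text.'</a>';` two lines later, which is easier to keep right if the encoding stays at the output boundary.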
@@ -94,7 +94,7 @@ <li><a href="https://translations.launchpad.net/stk/stkaddons">Translate<br />STK-Addons</a></li> </ul> </div> - <a href="http://supertuxkart.sourceforge.net"> <?php echo _("STK Homepage");?></a> + <a href="http://supertuxkart.sourceforge.net"> <?php echo htmlspecialchars(_("STK Homepage"));?></a> </div> </div> </div> Modified: stkaddons/trunk/include/parseUpload.php =================================================================== --- stkaddons/trunk/include/parseUpload.php 2011-07-17 15:47:27 UTC (rev 9287) +++ stkaddons/trunk/include/parseUpload.php 2011-07-18 02:20:15 UTC (rev 9288) @@ -22,7 +22,7 @@ { if (!is_array($file)) { - echo '<span class="error">'._('Failed to upload your file.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to upload your file.')).'</span><br />'; return false; } @@ -57,7 +57,7 @@ if ($_POST['upload-type'] == 'image') { if (!move_uploaded_file($file['tmp_name'],UP_LOCATION.'images/'.$fileid.'.'.$fileext)) { - echo '<span class="error">'._('Failed to move uploaded file.'); + echo '<span class="error">'.htmlspecialchars(_('Failed to move uploaded file.')); return false; } 
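Review bot: The rewritten line in the parseUpload.php -57 hunk, `echo '<span class="error">'.htmlspecialchars(_('Failed to move uploaded file.'));`, opens a `<span>` it never closes, so the error style leaks into whatever follows on the page; the same line is repeated in the -72 hunk, and the -103 hunk's `'<span class="error>'` is missing the closing quote on the attribute. Appending `.'</span><br />'` to both `Failed to move uploaded file.` lines and writing `'<span class="error">'` at -103 brings them in line with the other error messages in this file. The enclosing function's signature is above the -22 hunk and not visible here.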
@@ -72,20 +72,20 @@ $newImageHandle = sql_query($newImageQuery); if (!$newImageHandle) { - echo '<span class="error">'._('Failed to associate image file with addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to associate image file with addon.')).'</span><br />'; unlink(UP_LOCATION.'images/'.$fileid.'.'.$fileext); return false; } - echo _('Successfully uploaded image.').'<br />'; - echo '<span style="font-size: large"><a href="addons.php?type='.$_GET['type'].'&name='.$_GET['name'].'">'._('Continue.').'</a></span><br />'; + echo htmlspecialchars(_('Successfully uploaded image.')).'<br />'; + echo '<span style="font-size: large"><a href="addons.php?type='.$_GET['type'].'&name='.$_GET['name'].'">'.htmlspecialchars(_('Continue.')).'</a></span><br />'; return true; } // Move the archive to a working directory mkdir(UP_LOCATION.'temp/'.$fileid); if (!move_uploaded_file($file['tmp_name'],UP_LOCATION.'temp/'.$fileid.'/'.$fileid.'.'.$fileext)) { - echo '<span class="error">'._('Failed to move uploaded file.'); + echo '<span class="error">'.htmlspecialchars(_('Failed to move uploaded file.')); return false; } @@ -103,7 +103,7 @@ $xml_file = find_xml(UP_LOCATION.'temp/'.$fileid); $xml_dir = dirname($xml_file); if (!$xml_file) { - echo '<span class="error>'._('Invalid archive file. The archive must contain the addon\'s xml file.').'</span><br />'; + echo '<span class="error>'.htmlspecialchars(_('Invalid archive file. The archive must contain the addon\'s xml file.')).'</span><br />'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } 
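Review bot: The rewritten link in the -72 hunk, `'<a href="addons.php?type='.$_GET['type'].'&name='.$_GET['name'].'">'`, still reflects two request parameters straight into an attribute, so the anchor text is now escaped while the URL around it is not. Encoding the query parts and the attribute, e.g. `'<a href="addons.php?type='.urlencode($_GET['type']).'&amp;name='.urlencode($_GET['name']).'">'`, covers both the URL and HTML contexts. The same pattern with local variables is in the -263 hunk further down this file.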
@@ -119,7 +119,7 @@ } if (is_array($invalid_files) && count($invalid_files != 0)) { - echo '<span class="warning">'._('Some invalid files were found in the uploaded add-on. These files have been removed from the archive:').' '.implode(', ',$invalid_files).'</span><br />'; + echo '<span class="warning">'.htmlspecialchars(_('Some invalid files were found in the uploaded add-on. These files have been removed from the archive:')).' '.implode(', ',$invalid_files).'</span><br />'; } if ($_POST['upload-type'] != 'source') @@ -128,26 +128,26 @@ if (preg_match('/kart\.xml$/',$xml_file)) { $addon_type = 'karts'; - echo _('Upload was recognized as a kart.').'<br />'; + echo htmlspecialchars(_('Upload was recognized as a kart.')).'<br />'; } else { $addon_type = 'tracks'; - echo _('Upload was recognized as a track.').'<br />'; + echo htmlspecialchars(_('Upload was recognized as a track.')).'<br />'; } // Read XML $parsed_xml = read_xml($xml_file,$addon_type); if (!$parsed_xml) { - echo '<span class="error">'._('Failed to read the add-on\'s XML file. Please make sure you are using the latest version of the kart or track exporter.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to read the add-on\'s XML file. Please make sure you are using the latest version of the kart or track exporter.')).'</span><br />'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } // Write new XML file $fhandle = fopen($xml_file,'w'); if (!fwrite($fhandle,$parsed_xml['xml'])) { - echo '<span class="error">'._('Failed to write new XML file:').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to write new XML file:')).'</span><br />'; } fclose($fhandle); 
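Review bot: The rewritten warning in the -119 hunk still appends `implode(', ',$invalid_files)` raw, and those names are presumably taken from the uploaded archive, so the one part of the message under the uploader's control is the part left unescaped; `htmlspecialchars(implode(', ',$invalid_files), ENT_QUOTES, 'UTF-8')` fixes it. The guard on the line above, `count($invalid_files != 0)`, counts the boolean result of the comparison instead of the array, which is 1 on PHP 7 and earlier (and a TypeError on PHP 8), so the branch runs whenever `$invalid_files` is an array at all; `count($invalid_files) != 0` is presumably what was meant. In the -128 hunk the `fopen($xml_file,'w')` result is handed to `fwrite()` and `fclose()` without a `false` check, so an unwritable file produces warnings instead of reaching the error branch below it.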
@@ -155,7 +155,7 @@ $license_file = find_license(UP_LOCATION.'temp/'.$fileid); if ($license_file === false) { - echo '<span class="error">'._('A valid License.txt file was not found. Please add a License.txt file to your archive and re-submit it.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('A valid License.txt file was not found. Please add a License.txt file to your archive and re-submit it.')).'</span><br />'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } @@ -199,7 +199,7 @@ $newImageHandle = sql_query($newImageQuery); if (!$newImageHandle) { - echo '<span class="error">'._('Failed to associate image file with addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to associate image file with addon.')).'</span><br />'; unlink(UP_LOCATION.'images/'.$fileid.'.'.$imageext[1]); $parsed_xml['attributes']['image'] = 0; } @@ -215,8 +215,8 @@ // Check to make sure all image dimensions are powers of 2 if (!image_check($xml_dir)) { - echo '<span class="warning">'._('Some images in this add-on do not have dimensions that are a power of two.') - .' '._('This may cause display errors on some video cards.').'</span><br />'; + echo '<span class="warning">'.htmlspecialchars(_('Some images in this add-on do not have dimensions that are a power of two.')) + .' '.htmlspecialchars(_('This may cause display errors on some video cards.')).'</span><br />'; $parsed_xml['attributes']['status'] += F_TEX_NOT_POWER_OF_2; } @@ -232,7 +232,7 @@ // Repack zip file if (!repack_zip($xml_dir,UP_LOCATION.$fileid.'.zip')) { - echo '<span class="error">'._('Failed to re-pack archive file.').'</span>'; + echo '<span class="error">'.htmlspecialchars(_('Failed to re-pack archive file.')).'</span>'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } 
@@ -248,7 +248,7 @@ $newAddonFileHandle = sql_query($newAddonFileQuery); if (!$newAddonFileHandle) { - echo '<span class="error">'._('Failed to associate archive file with addon.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to associate archive file with addon.')).'</span><br />'; unlink(UP_LOCATION.$fileid.'.zip'); if ($_POST['upload-type'] != 'source') $parsed_xml['attributes']['fileid'] = 0; @@ -263,8 +263,8 @@ if ($_POST['upload-type'] == 'source') { rmdir_recursive(UP_LOCATION.'temp/'.$fileid); - echo _('Successfully uploaded source archive.').'<br />'; - echo '<span style="font-size: large"><a href="addons.php?type='.$addon_type.'&name='.$addon_id.'">'._('Continue.').'</a></span><br />'; + echo htmlspecialchars(_('Successfully uploaded source archive.')).'<br />'; + echo '<span style="font-size: large"><a href="addons.php?type='.$addon_type.'&name='.$addon_id.'">'.htmlspecialchars(_('Continue.')).'</a></span><br />'; return true; } @@ -281,14 +281,14 @@ $addon->selectById($addon_id); if (!$addon->addonCurrent) { - echo '<span class="error">'._('You are trying to add a new revision of an addon that does not exist.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('You are trying to add a new revision of an addon that does not exist.')).'</span><br />'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } if ($_SESSION['userid'] != $addon->addonCurrent['uploader'] && !$_SESSION['role']['manageaddons']) { - echo '<span class="error">'._('You do not have the necessary permissions to perform this action.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('You do not have the necessary permissions to perform this action.')).'</span><br />'; rmdir_recursive(UP_LOCATION.'temp/'.$fileid); return false; } 
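Review bot: The rewritten link in the -263 hunk, `'<a href="addons.php?type='.$addon_type.'&name='.$addon_id.'">'`, still emits `$addon_id` into the attribute unescaped; `$addon_type` is one of two literals set earlier in this file, but `$addon_id`'s derivation is not visible in this hunk, so unless it is already restricted to a safe character set it should go through `urlencode()` for the query and `htmlspecialchars()` for the attribute, as the link text now does. The same pattern with raw request parameters is in the -72 hunk above.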
@@ -296,13 +296,13 @@ if (!$addon->addAddon($fileid,$addon_id,$parsed_xml['attributes'])) { - echo '<span class="error">'._('Failed to create add-on.').'</span><br />'; + echo '<span class="error">'.htmlspecialchars(_('Failed to ... [truncated message content] |