diff --git a/includes/controller/angeltypes_controller.php b/includes/controller/angeltypes_controller.php
index c0a49a4f..fe8607d7 100644
--- a/includes/controller/angeltypes_controller.php
+++ b/includes/controller/angeltypes_controller.php
@@ -72,7 +72,7 @@ function angeltype_delete_controller()
}
return [
- sprintf(__('Delete angeltype %s'), $angeltype->name),
+ sprintf(__('Delete angeltype %s'), htmlspecialchars($angeltype->name)),
AngelType_delete_view($angeltype),
];
}
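Review bot: `htmlspecialchars($angeltype->name)` on the `+` line passes the attribute uncast, while the sibling hunk at L17 in this file casts `(string) $angeltype->name` first and L25 again does not; if `name` can ever be null the uncast calls raise a TypeError under strict_types (a deprecation otherwise), so the three controllers should agree, e.g. `htmlspecialchars((string) $angeltype->name)`. The bare `htmlspecialchars()` call used throughout this commit relies on the PHP 8.1+ default flags (`ENT_QUOTES | ENT_SUBSTITUTE`); if the project's minimum PHP version is lower, single-quoted attribute contexts are not covered, and a shared helper calling `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would pin the intended behaviour in one place. `angeltype_delete_controller` starts outside the hunk.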
@@ -154,7 +154,7 @@ function angeltype_edit_controller()
}
return [
- sprintf(__('Edit %s'), $angeltype->name),
+ sprintf(__('Edit %s'), htmlspecialchars((string) $angeltype->name)),
AngelType_edit_view($angeltype, $supporter_mode),
];
}
@@ -195,7 +195,7 @@ function angeltype_controller()
$isSupporter = !is_null($user_angeltype) && $user_angeltype->supporter;
return [
- sprintf(__('Team %s'), $angeltype->name),
+ sprintf(__('Team %s'), htmlspecialchars($angeltype->name)),
AngelType_view(
$angeltype,
$members,
@@ -324,7 +324,7 @@ function angeltypes_list_controller()
$angeltype->name = ''
- . $angeltype->name
+ . htmlspecialchars($angeltype->name)
. ' ';
$angeltype->actions = table_buttons($actions);
diff --git a/includes/controller/locations_controller.php b/includes/controller/locations_controller.php
index 629510ac..36bb8094 100644
--- a/includes/controller/locations_controller.php
+++ b/includes/controller/locations_controller.php
@@ -53,7 +53,7 @@ function location_controller(): array
$shiftCalendarRenderer = shiftCalendarRendererByShiftFilter($shiftsFilter);
return [
- $location->name,
+ htmlspecialchars($location->name),
location_view($location, $shiftsFilterRenderer, $shiftCalendarRenderer),
];
}
diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php
index 54a86bd5..462f1c1a 100644
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@@ -194,7 +194,7 @@ function shift_edit_controller()
foreach ($angeltypes as $angeltype_id => $angeltype_name) {
$angel_types_spinner .= form_spinner(
'angeltype_count_' . $angeltype_id,
- $angeltype_name,
+ htmlspecialchars($angeltype_name),
$needed_angel_types[$angeltype_id],
[],
ScheduleShift::whereShiftId($shift->id)->first() ? true : false,
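Review bot: The label is escaped at this call site (and at L297 in admin_shifts.php) even though `form_spinner(string $name, string $label, ...)` is the one place that renders it, so any other caller that hands `form_spinner` a raw name stays unescaped. Unless some caller deliberately passes markup as a label, moving the `htmlspecialchars()` into `form_spinner` and dropping it from the call sites keeps the output encoding next to the HTML it protects; the helper's body is not visible here, so confirm no caller relies on raw labels before doing that. `shift_edit_controller` continues outside the hunk.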
@@ -216,7 +216,10 @@ function shift_edit_controller()
form_text('start', __('Start:'), $start->format('Y-m-d H:i')),
form_text('end', __('End:'), $end->format('Y-m-d H:i')),
form_textarea('description', __('Additional description'), $description),
- form_info('', __('This description is for single shifts, otherwise please use the description in shift type.')),
+ form_info(
+ '',
+ __('This description is for single shifts, otherwise please use the description in shift type.')
+ ),
'
' . __('Needed angels') . ' ',
$angel_types_spinner,
form_submit('submit', __('form.save')),
@@ -345,7 +348,7 @@ function shift_controller()
}
return [
- $shift->shiftType->name,
+ htmlspecialchars($shift->shiftType->name),
Shift_view($shift, $shifttype, $location, $angeltypes, $shift_signup_state),
];
}
diff --git a/includes/controller/user_angeltypes_controller.php b/includes/controller/user_angeltypes_controller.php
index 7eb06efc..d3739868 100644
--- a/includes/controller/user_angeltypes_controller.php
+++ b/includes/controller/user_angeltypes_controller.php
@@ -37,7 +37,7 @@ function user_angeltypes_unconfirmed_hint()
foreach ($unconfirmed_user_angeltypes as $user_angeltype) {
$unconfirmed_links[] = '' . $user_angeltype->angelType->name
+ . '">' . htmlspecialchars($user_angeltype->angelType->name)
. ' (+' . $user_angeltype->count . ')'
. ' ';
}
@@ -418,7 +418,7 @@ function user_angeltype_join_controller(AngelType $angeltype)
}
return [
- sprintf(__('Become a %s'), $angeltype->name),
+ sprintf(__('Become a %s'), htmlspecialchars($angeltype->name)),
UserAngelType_join_view($user, $angeltype),
];
}
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index 7662b424..bc1f3d53 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -91,7 +91,7 @@ function user_delete_controller()
}
return [
- sprintf(__('Delete %s'), $user_source->displayName),
+ sprintf(__('Delete %s'), htmlspecialchars($user_source->displayName)),
User_delete_view($user_source),
];
}
@@ -182,7 +182,7 @@ function user_edit_vouchers_controller()
}
return [
- sprintf(__('%s\'s vouchers'), $user_source->displayName),
+ sprintf(__('%s\'s vouchers'), htmlspecialchars($user_source->displayName)),
User_edit_vouchers_view($user_source),
];
}
@@ -244,7 +244,7 @@ function user_controller()
}
return [
- $user_source->displayName,
+ htmlspecialchars($user_source->displayName),
User_view(
$user_source,
auth()->can('admin_user'),
diff --git a/includes/engelsystem.php b/includes/engelsystem.php
index b156c68a..0c368dc8 100644
--- a/includes/engelsystem.php
+++ b/includes/engelsystem.php
@@ -23,7 +23,7 @@ if ($app->get('config')->get('maintenance')) {
http_response_code(503);
$url = $app->get(UrlGeneratorInterface::class);
$maintenance = file_get_contents(__DIR__ . '/../resources/views/layouts/maintenance.html');
- $maintenance = str_replace('%APP_NAME%', $app->get('config')->get('app_name'), $maintenance);
+ $maintenance = str_replace('%APP_NAME%', htmlspecialchars($app->get('config')->get('app_name')), $maintenance);
$maintenance = str_replace('%ASSETS_PATH%', $url->to(''), $maintenance);
echo $maintenance;
die();
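Review bot: The two `str_replace()` calls run sequentially, so an escaped `app_name` that happens to contain the literal `%ASSETS_PATH%` would be substituted a second time by the following line; a single `strtr($maintenance, ['%APP_NAME%' => htmlspecialchars($app->get('config')->get('app_name')), '%ASSETS_PATH%' => $url->to('')])` replaces both tokens in one pass. The risk is small because `app_name` is configuration, but `file_get_contents()` on the context line above is also unchecked, and a `false` result would silently reach the replacement as an empty string. `%ASSETS_PATH%` itself is inserted without escaping; that is acceptable only as long as `$url->to('')` stays configuration-derived, which I cannot confirm from this hunk.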
diff --git a/includes/helper/message_helper.php b/includes/helper/message_helper.php
index 13526a63..d550fd44 100644
--- a/includes/helper/message_helper.php
+++ b/includes/helper/message_helper.php
@@ -17,11 +17,12 @@ function msg()
*
* @param string $msg
* @param bool $immediately
+ * @param bool $immediatelyRaw
* @return string
*/
-function info($msg, $immediately = false)
+function info($msg, $immediately = false, $immediatelyRaw = false)
{
- return alert(NotificationType::INFORMATION, $msg, $immediately);
+ return alert(NotificationType::INFORMATION, $msg, $immediately, $immediatelyRaw);
}
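Review bot: The new `$immediatelyRaw` parameter is documented only as `@param bool $immediatelyRaw`, which says neither what it does nor that it only matters together with `$immediately`; the same applies to the `warning`, `error`, `success` and `alert` hunks below (L163, L177, L191, L208). I would document it as `@param bool $immediatelyRaw Do not HTML-escape $msg when rendering immediately; the caller is then responsible for escaping it` so readers see that passing `true` reopens what the default closes. As a third positional boolean it is also easy to misplace at call sites (`info($msg, true, true)`); the wrappers are untyped, so at least `bool $immediatelyRaw = false` would catch a wrong argument type, and callers should pass it by name as `immediatelyRaw: true`.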
/**
@@ -29,11 +30,12 @@ function info($msg, $immediately = false)
*
* @param string $msg
* @param bool $immediately
+ * @param bool $immediatelyRaw
* @return string
*/
-function warning($msg, $immediately = false)
+function warning($msg, $immediately = false, $immediatelyRaw = false)
{
- return alert(NotificationType::WARNING, $msg, $immediately);
+ return alert(NotificationType::WARNING, $msg, $immediately, $immediatelyRaw);
}
/**
@@ -41,11 +43,12 @@ function warning($msg, $immediately = false)
*
* @param string $msg
* @param bool $immediately
+ * @param bool $immediatelyRaw
* @return string
*/
-function error($msg, $immediately = false)
+function error($msg, $immediately = false, $immediatelyRaw = false)
{
- return alert(NotificationType::ERROR, $msg, $immediately);
+ return alert(NotificationType::ERROR, $msg, $immediately, $immediatelyRaw);
}
/**
@@ -53,24 +56,27 @@ function error($msg, $immediately = false)
*
* @param string $msg
* @param bool $immediately
+ * @param bool $immediatelyRaw
* @return string
*/
-function success($msg, $immediately = false)
+function success($msg, $immediately = false, $immediatelyRaw = false)
{
- return alert(NotificationType::MESSAGE, $msg, $immediately);
+ return alert(NotificationType::MESSAGE, $msg, $immediately, $immediatelyRaw);
}
/**
* Renders an alert message with the given alert-* class or sets it in session
*
- * @see \Engelsystem\Controllers\HasUserNotifications
- *
* @param NotificationType $type
* @param string $msg
* @param bool $immediately
+ * @param bool $immediatelyRaw
* @return string
+ *
+ * @see \Engelsystem\Controllers\HasUserNotifications
+ *
*/
-function alert(NotificationType $type, $msg, $immediately = false)
+function alert(NotificationType $type, $msg, $immediately = false, $immediatelyRaw = false)
{
if (empty($msg)) {
return '';
@@ -87,6 +93,7 @@ function alert(NotificationType $type, $msg, $immediately = false)
['danger', 'warning', 'info', 'success'],
$type->value
);
+ $msg = $immediatelyRaw ? $msg : htmlspecialchars($msg);
return '' . $msg . '
';
}
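Review bot: `$msg = $immediatelyRaw ? $msg : htmlspecialchars($msg);` escapes only on the immediate-render path; the branch that, per the docblock, stores the message in the session for `HasUserNotifications` lies outside this hunk, so it is not visible here whether a deferred message is escaped when it is rendered after the redirect. Both paths should apply the same encoding, otherwise a message that is safe when shown immediately could come out raw later. `alert` starts outside the hunk.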
diff --git a/includes/pages/admin_free.php b/includes/pages/admin_free.php
index 43d604e2..72769a92 100644
--- a/includes/pages/admin_free.php
+++ b/includes/pages/admin_free.php
@@ -100,9 +100,9 @@ function admin_free()
'name' => User_Nick_render($usr) . User_Pronoun_render($usr),
'shift_state' => User_shift_state_render($usr),
'last_shift' => User_last_shift_render($usr),
- 'dect' => sprintf('%1$s ', $usr->contact->dect),
+ 'dect' => sprintf('%1$s ', htmlspecialchars((string) $usr->contact->dect)),
'email' => $usr->settings->email_human
- ? sprintf('%1$s ', $email)
+ ? sprintf('%1$s ', htmlspecialchars((string) $email))
: icon('eye-slash'),
'actions' =>
auth()->can('admin_user')
diff --git a/includes/pages/admin_groups.php b/includes/pages/admin_groups.php
index f8c58c97..7086ebf2 100644
--- a/includes/pages/admin_groups.php
+++ b/includes/pages/admin_groups.php
@@ -31,11 +31,11 @@ function admin_groups()
$privileges_html = [];
foreach ($privileges as $privilege) {
- $privileges_html[] = $privilege['name'];
+ $privileges_html[] = htmlspecialchars($privilege['name']);
}
$groups_table[] = [
- 'name' => $group->name,
+ 'name' => htmlspecialchars($group->name),
'privileges' => join(', ', $privileges_html),
'actions' => button(
url(
@@ -72,15 +72,15 @@ function admin_groups()
foreach ($privileges as $privilege) {
$privileges_form[] = form_checkbox(
'privileges[]',
- $privilege->description . ' (' . $privilege->name . ')',
+ htmlspecialchars($privilege->description . ' (' . $privilege->name . ')'),
$privilege->selected != '',
$privilege->id,
- 'privilege-' . $privilege->name
+ 'privilege-' . htmlspecialchars($privilege->name)
);
}
$privileges_form[] = form_submit('submit', __('form.save'));
- $html .= page_with_title(__('Edit group') . ' ' . $group->name, [
+ $html .= page_with_title(__('Edit group') . ' ' . htmlspecialchars($group->name), [
form(
$privileges_form,
url('/admin-groups', ['action' => 'save', 'id' => $group->id])
diff --git a/includes/pages/admin_shifts.php b/includes/pages/admin_shifts.php
index e7bb0880..1b0e402e 100644
--- a/includes/pages/admin_shifts.php
+++ b/includes/pages/admin_shifts.php
@@ -328,8 +328,8 @@ function admin_shifts()
. ' '
. location_name_render(Location::find($shift['location_id'])),
'title' =>
- ShiftType::find($shifttype_id)->name
- . ($shift['title'] ? ' ' . $shift['title'] : ''),
+ htmlspecialchars(ShiftType::find($shifttype_id)->name)
+ . ($shift['title'] ? ' ' . htmlspecialchars($shift['title']) : ''),
'needed_angels' => '',
];
foreach ($types as $type) {
@@ -439,7 +439,7 @@ function admin_shifts()
$angel_types .= ''
. form_spinner(
'angeltype_count_' . $type->id,
- $type->name,
+ htmlspecialchars($type->name),
$needed_angel_types[$type->id],
[
'radio-name' => 'angelmode',
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 26e07f89..6445987a 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -49,7 +49,7 @@ function admin_user()
$html .= ' ' . __('If the angel is active, it can claim a goodie. If goodie is set to \'Yes\', the angel already got their goodie.');
}
}
- $html .= '
';
+ $html .= '
';
$html .= '
';
- $html .= '
';
+ $html .= '
';
$html .= form_info('', __('Please visit the angeltypes page or the users profile to manage the users angeltypes.'));
@@ -148,14 +160,18 @@ function admin_user()
. '" method="post">' . "\n";
$html .= form_csrf();
$html .= '
' . "\n" . '
' . "\n";
+ $html .= '' . "\n" . '
' . "\n";
$html .= '
' . __('form.save') . ' ' . "\n";
$html .= '';
- $html .= '
';
+ $html .= '
';
/** @var Group $my_highest_group */
$my_highest_group = $user->groups()->orderByDesc('id')->first();
@@ -183,7 +199,9 @@ function admin_user()
$html .= '
'
. ' selected ? ' checked="checked"' : '')
- . ' />' . $group->name . '
';
+ . ' />
'
+ . htmlspecialchars($group->name)
+ . ' ';
}
$html .= ' ';
@@ -191,7 +209,7 @@ function admin_user()
$html .= '' . __('form.save') . ' ' . "\n";
$html .= '';
- $html .= ' ';
+ $html .= ' ';
}
$html .= buttons([
diff --git a/includes/pages/user_shifts.php b/includes/pages/user_shifts.php
index 2fd84293..c5a01bce 100644
--- a/includes/pages/user_shifts.php
+++ b/includes/pages/user_shifts.php
@@ -381,15 +381,6 @@ function ical_hint()
. '' . $user->api_key . '
';
}
-/**
- * @param array $array
- * @return array
- */
-function get_ids_from_array($array)
-{
- return $array['id'];
-}
-
/**
* @param array $items
* @param array $selected
@@ -422,7 +413,7 @@ function make_select($items, $selected, $name, $title = null, $ownSelect = [])
$htmlItems[] = ''
. '' . $i['name'] . ' '
+ . '>' . htmlspecialchars($i['name']) . ' '
. (!isset($i['enabled']) || $i['enabled'] ? '' : icon('mortarboard-fill'))
. '
';
}
diff --git a/includes/sys_form.php b/includes/sys_form.php
index 53967a2d..9970fc9c 100644
--- a/includes/sys_form.php
+++ b/includes/sys_form.php
@@ -46,31 +46,6 @@ function form_spinner(string $name, string $label, int $value, array $data_attri
', $id);
}
-/**
- * Render a bootstrap datepicker
- *
- * @param string $name Name of the parameter
- * @param string $label Label
- * @param int|Carbon $value Unix Timestamp
- * @param string $start_date Earliest possible date
- * @param string $end_date
- * @return string HTML
- */
-function form_date($name, $label, $value, $start_date = '', $end_date = '')
-{
- $dom_id = $name . '-date';
- $value = ($value instanceof Carbon) ? $value->getTimestamp() : $value;
- $value = is_numeric($value) ? date('Y-m-d', $value) : '';
- $start_date = is_numeric($start_date) ? date('Y-m-d', $start_date) : '';
- $end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
-
- return form_element(
- $label,
- ' ',
- $dom_id
- );
-}
-
/**
* Render a bootstrap datepicker
*
@@ -94,24 +69,6 @@ function form_datetime(string $name, string $label, $value)
', $dom_id, $name, htmlspecialchars($value ? $value->format('Y-m-d H:i') : '')), $dom_id);
}
-/**
- * Rendert eine Liste von Checkboxen für ein Formular
- *
- * @param string $name Die Namen der Checkboxen werden aus name_key gebildet
- * @param string $label Die Beschriftung der Liste
- * @param array $items Array mit den einzelnen Checkboxen
- * @param array $selected Array mit den Keys, die ausgewählt sind
- * @return string
- */
-function form_checkboxes($name, $label, $items, $selected)
-{
- $html = form_element($label, '');
- foreach ($items as $key => $item) {
- $html .= form_checkbox($name . '_' . $key, $item, in_array($key, $selected));
- }
- return $html;
-}
-
/**
* Rendert eine Checkbox
*
@@ -129,14 +86,15 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $html_id =
}
return ''
- . ''
. $label
. '
';
}
/**
- * Rendert einen Radio
+ * Renders a radio button
*
* @param string $name
* @param string $label
@@ -233,67 +191,6 @@ function form_text($name, $label, $value, $disabled = false, $maxlength = null,
);
}
-/**
- * Renders a text input with placeholder instead of label.
- *
- * @param string $name Input name
- * @param string $placeholder Placeholder
- * @param string $value The value
- * @param boolean $disabled Is the field enabled?
- * @return string
- */
-function form_text_placeholder($name, $placeholder, $value, $disabled = false)
-{
- $disabled = $disabled ? ' disabled="disabled"' : '';
- return form_element(
- '',
- ' '
- );
-}
-
-/**
- * Rendert ein Formular-Emailfeld
- *
- * @param string $name
- * @param string $label
- * @param string $value
- * @param bool $disabled
- * @param string|null $autocomplete
- * @param int|null $maxlength
- *
- * @return string
- */
-function form_email($name, $label, $value, $disabled = false, $autocomplete = null, $maxlength = null)
-{
- $disabled = $disabled ? ' disabled="disabled"' : '';
- $autocomplete = $autocomplete ? ' autocomplete="' . $autocomplete . '"' : '';
- $maxlength = $maxlength ? ' maxlength=' . (int) $maxlength : '';
- return form_element(
- $label,
- ' ',
- 'form_' . $name
- );
-}
-
-/**
- * Rendert ein Formular-Dateifeld
- *
- * @param string $name
- * @param string $label
- * @return string
- */
-function form_file($name, $label)
-{
- return form_element(
- $label,
- sprintf(' ', $name),
- 'form_' . $name
- );
-}
-
/**
* Rendert ein Formular-Passwortfeld
*
@@ -309,7 +206,7 @@ function form_password($name, $label, $autocomplete, $disabled = false)
return form_element(
$label,
sprintf(
- ' ',
+ ' ',
$name,
config('min_password_length'),
$autocomplete,
@@ -319,25 +216,6 @@ function form_password($name, $label, $autocomplete, $disabled = false)
);
}
-/**
- * Renders a password input with placeholder instead of label.
- *
- * @param string $name
- * @param string $placeholder
- * @param bool $disabled
- * @return string
- */
-function form_password_placeholder($name, $placeholder, $disabled = false)
-{
- $disabled = $disabled ? ' disabled="disabled"' : '';
- return form_element(
- '',
- ' ',
- 'form_' . $name
- );
-}
-
/**
* Rendert ein Formular-Textfeld
*
@@ -464,9 +342,13 @@ function html_select_key($dom_id, $name, $rows, $selected, $selectText = '')
}
foreach ($rows as $key => $row) {
if (($key == $selected) || ($row === $selected)) {
- $html .= '' . $row . ' ';
+ $html .= ''
+ . htmlspecialchars($row)
+ . ' ';
} else {
- $html .= '' . $row . ' ';
+ $html .= ''
+ . htmlspecialchars($row)
+ . ' ';
}
}
$html .= '';
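Review bot: Only the display text `$row` is escaped on the new lines; the `$key` that, judging by the `selected` comparison on L557, is written into the same option's `value` attribute is not shown being escaped in the stripped context, and it needs the same treatment if it is interpolated raw, e.g. `htmlspecialchars((string) $key)`. The loose `$key == $selected` comparison on the context line also matches unrelated pairs under PHP's juggling rules, so a strict comparison after a cast would be safer; that part is pre-existing. `html_select_key` starts outside the hunk.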
diff --git a/includes/sys_menu.php b/includes/sys_menu.php
index eb33f89e..1eebcf88 100644
--- a/includes/sys_menu.php
+++ b/includes/sys_menu.php
@@ -69,15 +69,22 @@ function make_navigation()
}
$title = ((array) $options)[0];
- $menu[] = toolbar_item_link(url(str_replace('_', '-', $menu_page)), '', $title, $menu_page == $page);
+ $menu[] = toolbar_item_link(
+ url(str_replace('_', '-', $menu_page)),
+ '',
+ $title,
+ $menu_page == $page
+ );
}
$menu = make_location_navigation($menu);
$admin_menu = [];
$admin_pages = [
- // path => name
- // path => [name, permission]
+ // Examples:
+ // path => name,
+ // path => [name, permission],
+
'admin_arrive' => 'Arrive angels',
'admin_active' => 'Active angels',
'users' => ['All Angels', 'admin_user'],
@@ -104,7 +111,7 @@ function make_navigation()
$title = ((array) $options)[0];
$admin_menu[] = toolbar_dropdown_item(
url(str_replace('_', '-', $menu_page)),
- __($title),
+ htmlspecialchars(__($title)),
$menu_page == $page
);
}
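Review bot: `htmlspecialchars(__($title))` on L602 is handed to `toolbar_dropdown_item`, which this same commit changes to escape `$label` itself (L722 in sys_template.php), so admin menu titles containing `&`, `<` or quotes will render double-encoded (`&amp;amp;`). The `toolbar_item_link` call in the first hunk of this file passes `$title` unescaped and relies on the helper (L708), which is the pattern to keep; L602 should go back to `__($title),`. `make_navigation` starts outside the hunk.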
diff --git a/includes/sys_page.php b/includes/sys_page.php
index a5eb7142..b0e7b492 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -2,9 +2,7 @@
use Engelsystem\Helpers\Carbon;
use Engelsystem\Http\Exceptions\HttpTemporaryRedirect;
-use Engelsystem\Models\BaseModel;
use Engelsystem\ValidationResult;
-use Illuminate\Support\Collection;
/**
* Provide page/request helper functions
@@ -63,41 +61,6 @@ function throw_redirect($url)
throw new HttpTemporaryRedirect($url);
}
-/**
- * Echoes given output and dies.
- *
- * @param string $output String to display
- */
-function raw_output($output = '')
-{
- echo $output;
- die();
-}
-
-/**
- * Helper function for transforming list of entities into array for select boxes.
- *
- * @param array|Collection $data The data array
- * @param string $key_name name of the column to use as id/key
- * @param string $value_name name of the column to use as displayed value
- *
- * @return array|Collection
- */
-function select_array($data, $key_name, $value_name)
-{
- if ($data instanceof Collection) {
- return $data->mapWithKeys(function (BaseModel $model) use ($key_name, $value_name) {
- return [$model->{$key_name} => $model->{$value_name}];
- });
- }
-
- $return = [];
- foreach ($data as $value) {
- $return[$value[$key_name]] = $value[$value_name];
- }
- return $return;
-}
-
/**
* Returns an int[] from given request param name.
*
@@ -185,23 +148,6 @@ function strip_request_item($name, $default_value = null)
return $default_value;
}
-/**
- * Returns REQUEST value or default value (null) if not set.
- *
- * @param string $name
- * @param string|null $default_value
- * @return mixed|null
- */
-function strip_request_tags($name, $default_value = null)
-{
- $request = request();
- if ($request->has($name)) {
- return strip_tags($request->input($name));
- }
-
- return $default_value;
-}
-
/**
* Testet, ob der angegebene REQUEST Wert ein Integer ist, bzw.
* eine ID sein könnte.
diff --git a/includes/sys_template.php b/includes/sys_template.php
index bad1cf2a..56df96e2 100644
--- a/includes/sys_template.php
+++ b/includes/sys_template.php
@@ -72,17 +72,6 @@ function tabs($tabs, $selected = 0)
]);
}
-/**
- * Display muted (grey) text.
- *
- * @param string $text
- * @return string
- */
-function mute($text)
-{
- return '' . $text . ' ';
-}
-
/**
* Renders a bootstrap label with given content and class.
*
@@ -188,7 +177,7 @@ function toolbar_item_link($href, $icon, $label, $active = false)
return ''
. ''
. ($icon != '' ? ' ' : '')
- . $label
+ . htmlspecialchars($label)
. ' '
. ' ';
}
@@ -196,11 +185,11 @@ function toolbar_item_link($href, $icon, $label, $active = false)
function toolbar_dropdown_item(string $href, string $label, bool $active, string $icon = null): string
{
return strtr(
- '{icon} {label} ',
+ '{icon} {label} ',
[
'{href}' => $href,
'{icon}' => $icon === null ? '' : ' ',
- '{label}' => $label,
+ '{label}' => htmlspecialchars($label),
'{active}' => $active ? ' active' : '',
'{aria}' => $active ? ' aria-current="page"' : '',
]
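Review bot: `{label}` is now escaped, but `{href}` and `{icon}` are still substituted into the template raw; `$href` is built by `url()` at the call site in sys_menu.php, so it is not user-controlled today, yet it sits in an attribute and `'{href}' => htmlspecialchars($href),` in the same `strtr` map would make the helper safe regardless of caller. The same applies to `toolbar_item_link` in the previous hunk, where `$href` is only visible in the stripped context. Optional if the project treats route URLs as trusted.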
@@ -235,7 +224,7 @@ EOT;
$template,
[
'{class}' => $active ? ' active' : '',
- '{label}' => $label,
+ '{label}' => htmlspecialchars($label),
'{submenu}' => join("\n", $submenu),
]
);
diff --git a/includes/view/AngelTypes_view.php b/includes/view/AngelTypes_view.php
index 00aa9bd3..1ccdcdf5 100644
--- a/includes/view/AngelTypes_view.php
+++ b/includes/view/AngelTypes_view.php
@@ -26,7 +26,7 @@ function AngelType_name_render(AngelType $angeltype, $plain = false)
}
return ''
- . ($angeltype->restricted ? icon('mortarboard-fill') : '') . $angeltype->name
+ . ($angeltype->restricted ? icon('mortarboard-fill') : '') . htmlspecialchars($angeltype->name)
. ' ';
}
@@ -63,7 +63,7 @@ function AngelType_delete_view(AngelType $angeltype)
$link = button($angeltype->id
? url('/angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype->id])
: url('/angeltypes'), icon('chevron-left'), 'btn-sm');
- return page_with_title($link . ' ' . sprintf(__('Delete angeltype %s'), $angeltype->name), [
+ return page_with_title($link . ' ' . sprintf(__('Delete angeltype %s'), htmlspecialchars($angeltype->name)), [
info(sprintf(__('Do you want to delete angeltype %s?'), $angeltype->name), true),
form([
buttons([
@@ -87,7 +87,11 @@ function AngelType_edit_view(AngelType $angeltype, bool $supporter_mode)
? url('/angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype->id])
: url('/angeltypes'), icon('chevron-left'), 'btn-sm');
return page_with_title(
- $link . ' ' . ($angeltype->id ? sprintf(__('Edit %s'), $angeltype->name) : __('Create angeltype')),
+ $link . ' ' . (
+ $angeltype->id ?
+ sprintf(__('Edit %s'), htmlspecialchars((string) $angeltype->name)) :
+ __('Create angeltype')
+ ),
[
$angeltype->id ?
buttons([
@@ -96,7 +100,7 @@ function AngelType_edit_view(AngelType $angeltype, bool $supporter_mode)
msg(),
form([
$supporter_mode
- ? form_info(__('general.name'), $angeltype->name)
+ ? form_info(__('general.name'), htmlspecialchars($angeltype->name))
: form_text('name', __('general.name'), $angeltype->name),
$supporter_mode
? form_info(__('angeltypes.restricted'), $angeltype->restricted ? __('Yes') : __('No'))
@@ -267,7 +271,7 @@ function AngelType_view_members(AngelType $angeltype, $members, $admin_user_ange
foreach ($members as $member) {
$member->name = User_Nick_render($member) . User_Pronoun_render($member);
if (config('enable_dect')) {
- $member['dect'] = $member->contact->dect;
+ $member['dect'] = htmlspecialchars((string) $member->contact->dect);
}
if ($angeltype->requires_driver_license) {
$member['wants_to_drive'] = icon_bool($member->license->wantsToDrive());
@@ -430,7 +434,7 @@ function AngelType_view(
) {
$link = button(url('/angeltypes'), icon('chevron-left'), 'btn-sm');
return page_with_title(
- $link . ' ' . sprintf(__('Team %s'), $angeltype->name),
+ $link . ' ' . sprintf(__('Team %s'), htmlspecialchars($angeltype->name)),
[
AngelType_view_buttons($angeltype, $user_angeltype, $admin_angeltypes, $supporter, $user_driver_license, $user),
msg(),
@@ -493,7 +497,7 @@ function AngelType_view_info(
$info[] = '' . __('general.description') . ' ';
$parsedown = new Parsedown();
if ($angeltype->description != '') {
- $info[] = $parsedown->parse($angeltype->description);
+ $info[] = $parsedown->parse(htmlspecialchars($angeltype->description));
}
list($supporters, $members_confirmed, $members_unconfirmed) = AngelType_view_members(
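Review bot: `$parsedown->parse(htmlspecialchars($angeltype->description))` escapes the Markdown source before parsing, which turns legitimate Markdown characters into entities — a leading `>` no longer produces a blockquote, and `&` inside a link URL will likely come out double-encoded — while still relying on Parsedown not to reintroduce markup. Parsedown's supported way to get escaped output is `$parsedown->setSafeMode(true);` before `parse()`, which neutralises raw HTML and unsafe link schemes but keeps Markdown working (added in Parsedown 1.7 — confirm the installed version). The same pattern is applied to `$location->description` at L836 in Locations_view.php. `AngelType_view_info` starts outside the hunk.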
@@ -567,9 +571,20 @@ function AngelType_view_info(
function AngelTypes_render_contact_info(AngelType $angeltype)
{
$info = [
- __('general.name') => [$angeltype->contact_name, $angeltype->contact_name],
- __('general.dect') => config('enable_dect') ? [sprintf('%1$s ', $angeltype->contact_dect), $angeltype->contact_dect] : null,
- __('general.email') => [sprintf('%1$s ', $angeltype->contact_email), $angeltype->contact_email],
+ __('general.name') => [
+ htmlspecialchars($angeltype->contact_name),
+ htmlspecialchars($angeltype->contact_name),
+ ],
+ __('general.dect') => config('enable_dect')
+ ? [
+ sprintf('%1$s ', htmlspecialchars($angeltype->contact_dect)),
+ htmlspecialchars($angeltype->contact_dect),
+ ]
+ : null,
+ __('general.email') => [
+ sprintf('%1$s ', htmlspecialchars($angeltype->contact_email)),
+ htmlspecialchars($angeltype->contact_email),
+ ],
];
$contactInfo = [];
foreach ($info as $name => $data) {
diff --git a/includes/view/Locations_view.php b/includes/view/Locations_view.php
index 09906fbe..ef402d03 100644
--- a/includes/view/Locations_view.php
+++ b/includes/view/Locations_view.php
@@ -24,13 +24,16 @@ function location_view(Location $location, ShiftsFilterRenderer $shiftsFilterRen
if ($location->description) {
$description = '' . __('general.description') . ' ';
$parsedown = new Parsedown();
- $description .= $parsedown->parse($location->description);
+ $description .= $parsedown->parse(htmlspecialchars($location->description));
}
$dect = '';
if (config('enable_dect') && $location->dect) {
$dect = heading(__('Contact'), 3)
- . description([__('general.dect') => sprintf('%1$s ', $location->dect)]);
+ . description([__('general.dect') => sprintf(
+ '%1$s ',
+ htmlspecialchars($location->dect)
+ )]);
}
$tabs = [];
@@ -39,7 +42,7 @@ function location_view(Location $location, ShiftsFilterRenderer $shiftsFilterRen
''
. ''
. '
',
- $location->map_url
+ htmlspecialchars($location->map_url)
);
}
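Review bot: `htmlspecialchars($location->map_url)` prevents attribute breakout, but if `map_url` lands in an `href`/`src` attribute (the surrounding markup is stripped here) it does not restrict the URL scheme, so a stored non-`http(s)` value would still be handed to the browser as-is. Since the value is entered by administrators the exposure is limited, but validating the scheme where locations are saved (allow only `http`/`https`) is the check that actually closes this, with the escaping kept as it is. `location_view` starts outside the hunk.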
@@ -60,7 +63,7 @@ function location_view(Location $location, ShiftsFilterRenderer $shiftsFilterRen
$link = button(url('/admin/locations'), icon('chevron-left'), 'btn-sm');
return page_with_title(
(auth()->can('admin_locations') ? $link . ' ' : '') .
- icon('pin-map-fill') . $location->name,
+ icon('pin-map-fill') . htmlspecialchars($location->name),
[
$assignNotice,
auth()->can('admin_locations') ? buttons([
@@ -85,8 +88,10 @@ function location_view(Location $location, ShiftsFilterRenderer $shiftsFilterRen
function location_name_render(Location $location)
{
if (auth()->can('view_locations')) {
- return '' . icon('pin-map-fill') . $location->name . ' ';
+ return ''
+ . icon('pin-map-fill') . htmlspecialchars($location->name)
+ . ' ';
}
- return icon('pin-map-fill') . $location->name;
+ return icon('pin-map-fill') . htmlspecialchars($location->name);
}
diff --git a/includes/view/PublicDashboard_view.php b/includes/view/PublicDashboard_view.php
index bb47e2d9..c40448f4 100644
--- a/includes/view/PublicDashboard_view.php
+++ b/includes/view/PublicDashboard_view.php
@@ -19,7 +19,9 @@ function public_dashboard_view($stats, $free_shifts, $highlighted_news)
if ($highlighted_news->isNotEmpty()) {
$first_news = $highlighted_news->first();
$news = div('alert alert-warning text-center', [
- '' . $first_news->title . ' ',
+ ''
+ . '' . htmlspecialchars($first_news->title) . ' '
+ . ' ',
]);
}
@@ -93,17 +95,17 @@ function public_dashboard_shift_render($shift)
$panel_body = icon('clock-history') . $shift['start'] . ' - ' . $shift['end'];
$panel_body .= ' (' . $shift['duration'] . ' h)';
- $panel_body .= ' ' . icon('list-task') . $shift['shifttype_name'];
+ $panel_body .= ' ' . icon('list-task') . htmlspecialchars($shift['shifttype_name']);
if (!empty($shift['title'])) {
- $panel_body .= ' (' . $shift['title'] . ')';
+ $panel_body .= ' (' . htmlspecialchars($shift['title']) . ')';
}
- $panel_body .= ' ' . icon('pin-map-fill') . $shift['location_name'];
+ $panel_body .= ' ' . icon('pin-map-fill') . htmlspecialchars($shift['location_name']);
foreach ($shift['needed_angels'] as $needed_angels) {
$panel_body .= ' ' . icon('person')
. ''
- . $needed_angels['need'] . ' × ' . $needed_angels['angeltype_name']
+ . $needed_angels['need'] . ' × ' . htmlspecialchars($needed_angels['angeltype_name'])
. ' ';
}
diff --git a/includes/view/ShiftCalendarShiftRenderer.php b/includes/view/ShiftCalendarShiftRenderer.php
index 89354d03..7d0358a8 100644
--- a/includes/view/ShiftCalendarShiftRenderer.php
+++ b/includes/view/ShiftCalendarShiftRenderer.php
@@ -29,7 +29,7 @@ class ShiftCalendarShiftRenderer
{
$info_text = '';
if ($shift->title != '') {
- $info_text = icon('info-circle') . $shift->title . ' ';
+ $info_text = icon('info-circle') . htmlspecialchars($shift->title) . ' ';
}
list($shift_signup_state, $shifts_row) = $this->renderShiftNeededAngeltypes(
$shift,
@@ -197,7 +197,7 @@ class ShiftCalendarShiftRenderer
: $inner_text . ' '
. button(
url('/user-angeltypes', ['action' => 'add', 'angeltype_id' => $angeltype->id]),
- sprintf(__('Become %s'), $angeltype->name),
+ sprintf(__('Become %s'), htmlspecialchars($angeltype->name)),
'btn-sm'
),
// Shift collides or user is already signed up: No signup allowed
@@ -260,7 +260,7 @@ class ShiftCalendarShiftRenderer
}
$shift_heading = $shift->start->format('H:i') . ' ‐ '
. $shift->end->format('H:i') . ' — '
- . $shift->shiftType->name;
+ . htmlspecialchars($shift->shiftType->name);
if ($needed_angeltypes_count > 0) {
$shift_heading = '' . $needed_angeltypes_count . ' ' . $shift_heading;
diff --git a/includes/view/ShiftEntry_view.php b/includes/view/ShiftEntry_view.php
index 9ef090e5..1979a27d 100644
--- a/includes/view/ShiftEntry_view.php
+++ b/includes/view/ShiftEntry_view.php
@@ -19,7 +19,7 @@ function ShiftEntry_delete_view_admin(Shift $shift, AngelType $angeltype, User $
return page_with_title(ShiftEntry_delete_title(), [
info(sprintf(
__('Do you want to sign off %s from shift %s from %s to %s as %s?'),
- User_Nick_render($signoff_user),
+ $signoff_user->displayName,
$shift->shiftType->name,
$shift->start->format(__('general.datetime')),
$shift->end->format(__('general.datetime')),
@@ -92,7 +92,7 @@ function ShiftEntry_create_view_admin(
) {
$start = $shift->start->format(__('general.datetime'));
return page_with_title(
- ShiftEntry_create_title() . ': ' . $shift->shiftType->name
+ ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name)
. ' %c ',
[
Shift_view_header($shift, $location),
@@ -125,7 +125,7 @@ function ShiftEntry_create_view_supporter(
) {
$start = $shift->start->format(__('general.datetime'));
return page_with_title(
- ShiftEntry_create_title() . ': ' . $shift->shiftType->name
+ ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name)
. ' %c ',
[
Shift_view_header($shift, $location),
@@ -154,7 +154,7 @@ function ShiftEntry_create_view_user(Shift $shift, Location $location, AngelType
{
$start = $shift->start->format(__('general.datetime'));
return page_with_title(
- ShiftEntry_create_title() . ': ' . $shift->shiftType->name
+ ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name)
. ' %c ',
[
Shift_view_header($shift, $location),
@@ -230,9 +230,9 @@ function ShiftEntry_edit_view(
form([
form_info(__('Angel:'), User_Nick_render($angel)),
form_info(__('Date, Duration:'), $date),
- form_info(__('Location:'), $location),
- form_info(__('Title:'), $title),
- form_info(__('Type:'), $type),
+ form_info(__('Location:'), htmlspecialchars($location)),
+ form_info(__('Title:'), htmlspecialchars($title)),
+ form_info(__('Type:'), htmlspecialchars($type)),
$comment,
join('', $freeload_form),
form_submit('submit', __('form.save')),
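Review bot: `htmlspecialchars($title)` and `htmlspecialchars($type)` on the added lines omit the `(string)` cast the commit uses elsewhere (e.g. in Users_view), so if either value can be null — `Shift_view_header` and `User_view_myshift` treat `$shift->title` as optional — PHP 8.1+ emits a deprecation for the null argument; `form_info(__('Title:'), htmlspecialchars((string) $title)),` avoids it. The same consideration applies to `htmlspecialchars($shift->user_comment)` and `htmlspecialchars($shift->freeloaded_comment)` in the User_view_myshift hunks. `$date` and `$comment` in the same form are still passed through unescaped; whether they need it depends on how they are built above the hunk, which is outside this view.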
diff --git a/includes/view/Shifts_view.php b/includes/view/Shifts_view.php
index 7508fc14..5cc6a8eb 100644
--- a/includes/view/Shifts_view.php
+++ b/includes/view/Shifts_view.php
@@ -24,8 +24,8 @@ function Shift_view_header(Shift $shift, Location $location)
'' . __('title.title') . ' ',
''
. ($shift->url != ''
- ? '' . $shift->title . ' '
- : $shift->title)
+ ? '' . htmlspecialchars($shift->title) . ' '
+ : htmlspecialchars($shift->title))
. '
',
]),
div('col-sm-3 col-xs-6', [
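Review bot: Only the text node of the title is escaped here; the branch on `$shift->url` builds a link whose markup has been stripped from this view, and if `$shift->url` is interpolated into an `href` attribute it needs escaping for the attribute context as well (`htmlspecialchars($shift->url)`), because escaping the visible text does not protect the attribute. The same question applies to the contact `dect` and `mobile` values in the two User_view hunks at L1193 and L1204, where a link wrapping the number is likely but not visible. Separately, `$shift->url != ''` is a loose comparison; `$shift->url !== ''` states the intent. Shift_view_header's body continues outside the hunk.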
@@ -98,7 +98,7 @@ function Shift_signup_button_render(Shift $shift, AngelType $angeltype)
url('/angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype->id]),
sprintf(
__('Become %s'),
- $angeltype->name
+ htmlspecialchars($angeltype->name)
)
);
}
@@ -175,8 +175,15 @@ function Shift_view(
$buttons = [
$shift_admin ? button(shift_edit_link($shift), icon('pencil') . __('edit')) : '',
$shift_admin ? button(shift_delete_link($shift), icon('trash') . __('delete')) : '',
- $admin_shifttypes ? button(url('/admin/shifttypes/' . $shifttype->id), $shifttype->name) : '',
- $admin_locations ? button(location_link($location), icon('pin-map-fill') . $location->name) : '',
+ $admin_shifttypes
+ ? button(url('/admin/shifttypes/' . $shifttype->id), htmlspecialchars($shifttype->name))
+ : '',
+ $admin_locations
+ ? button(
+ location_link($location),
+ icon('pin-map-fill') . htmlspecialchars($location->name)
+ )
+ : '',
];
}
$buttons[] = button(
@@ -193,8 +200,8 @@ function Shift_view(
]),
div('col-sm-6', [
'' . __('general.description') . ' ',
- $parsedown->parse($shifttype->description),
- $parsedown->parse($shift->description),
+ $parsedown->parse(htmlspecialchars($shifttype->description)),
+ $parsedown->parse(htmlspecialchars($shift->description)),
]),
]);
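Review bot: Escaping the Markdown source before `$parsedown->parse()` changes rendered output rather than only neutralising HTML: a leading `>` for a blockquote becomes `&gt;` and is no longer recognised, `&` in link URLs is turned into `&amp;` before Parsedown encodes it again, and anything inside a code span gets double-encoded. The idiomatic way to render untrusted Markdown is to let the parser escape raw HTML itself, `$parsedown->setSafeMode(true)` (available in Parsedown 1.7+; confirm against the bundled version), and pass the description through unescaped. If that option is unavailable, a purpose-built HTML sanitiser on the parser's output is the fallback. Shift_view begins and ends outside this hunk.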
@@ -206,7 +213,9 @@ function Shift_view(
$link = button(url('/user-shifts'), icon('chevron-left'), 'btn-sm');
return page_with_title(
- $link . ' ' . $shift->shiftType->name . ' %c ',
+ $link . ' '
+ . htmlspecialchars($shift->shiftType->name)
+ . ' %c ',
$content
);
}
diff --git a/includes/view/UserAngelTypes_view.php b/includes/view/UserAngelTypes_view.php
index ac66bb8f..2123786e 100644
--- a/includes/view/UserAngelTypes_view.php
+++ b/includes/view/UserAngelTypes_view.php
@@ -138,7 +138,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id)
{
$users = [];
foreach ($users_source as $user_source) {
- $users[$user_source->id] = User_Nick_render($user_source);
+ $users[$user_source->id] = $user_source->displayName;
}
return page_with_title(__('Add user to angeltype'), [
@@ -151,7 +151,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id)
),
]),
form([
- form_info(__('Angeltype'), $angeltype->name),
+ form_info(__('Angeltype'), htmlspecialchars($angeltype->name)),
form_checkbox('auto_confirm_user', __('Confirm user'), true),
form_select('user_id', __('general.user'), $users, $user_id),
form_submit('submit', __('Add')),
@@ -166,7 +166,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id)
*/
function UserAngelType_join_view($user, AngelType $angeltype)
{
- return page_with_title(sprintf(__('Become a %s'), $angeltype->name), [
+ return page_with_title(sprintf(__('Become a %s'), htmlspecialchars($angeltype->name)), [
msg(),
info(sprintf(
__('Do you really want to add %s to %s?'),
diff --git a/includes/view/UserHintsRenderer.php b/includes/view/UserHintsRenderer.php
index 55c65595..4a06686f 100644
--- a/includes/view/UserHintsRenderer.php
+++ b/includes/view/UserHintsRenderer.php
@@ -20,9 +20,9 @@ class UserHintsRenderer
if (!empty($hint)) {
if ($important) {
$this->important = true;
- $this->hints[] = error($hint, true);
+ $this->hints[] = error($hint, true, true);
} else {
- $this->hints[] = info($hint, true);
+ $this->hints[] = info($hint, true, true);
}
}
}
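Review bot: `error($hint, true, true)` and `info($hint, true, true)` now carry two positional booleans whose meaning is not recoverable at the call site; the function signatures are not in this diff, so the third parameter's name cannot be quoted here, but a PHP 8.0 named argument (`error($hint, true, <third-param-name>: true)`) would make the intent readable. The same applies to the `info(..., true, true)` and `error(..., true, true)` calls added in the User_view hunk further down. A one-line comment above the block stating what the third flag enables would also help a reader of UserHintsRenderer.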
diff --git a/includes/view/User_view.php b/includes/view/User_view.php
index 5a02857e..d83b25b1 100644
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
@@ -93,9 +93,9 @@ function Users_view(
foreach ($users as $user) {
$u = [];
$u['name'] = User_Nick_render($user) . User_Pronoun_render($user);
- $u['first_name'] = $user->personalData->first_name;
- $u['last_name'] = $user->personalData->last_name;
- $u['dect'] = sprintf('%1$s ', $user->contact->dect);
+ $u['first_name'] = htmlspecialchars((string) $user->personalData->first_name);
+ $u['last_name'] = htmlspecialchars((string) $user->personalData->last_name);
+ $u['dect'] = sprintf('%1$s ', htmlspecialchars((string) $user->contact->dect));
$u['arrived'] = icon_bool($user->state->arrived);
if (config('enable_voucher')) {
$u['got_voucher'] = $user->state->got_voucher;
@@ -272,7 +272,7 @@ function User_view_shiftentries($needed_angel_type)
{
$shift_info = '' . $needed_angel_type['name'] . ' : ';
+ . '">' . htmlspecialchars($needed_angel_type['name']) . ': ';
$shift_entries = [];
foreach ($needed_angel_type['users'] as $user_shift) {
@@ -298,9 +298,9 @@ function User_view_shiftentries($needed_angel_type)
*/
function User_view_myshift(Shift $shift, $user_source, $its_me)
{
- $shift_info = '' . $shift->shiftType->name . ' ';
+ $shift_info = '' . htmlspecialchars($shift->shiftType->name) . ' ';
if ($shift->title) {
- $shift_info .= '' . $shift->title . ' ';
+ $shift_info .= '' . htmlspecialchars($shift->title) . ' ';
}
foreach ($shift->needed_angeltypes as $needed_angel_type) {
$shift_info .= User_view_shiftentries($needed_angel_type);
@@ -319,7 +319,7 @@ function User_view_myshift(Shift $shift, $user_source, $its_me)
];
if ($its_me) {
- $myshift['comment'] = $shift->user_comment;
+ $myshift['comment'] = htmlspecialchars($shift->user_comment);
}
if ($shift->freeloaded) {
@@ -328,7 +328,9 @@ function User_view_myshift(Shift $shift, $user_source, $its_me)
. '';
if (auth()->can('user_shifts_admin')) {
$myshift['comment'] .= ' '
- . '' . __('Freeloaded') . ': ' . $shift->freeloaded_comment . '
';
+ . ''
+ . __('Freeloaded') . ': ' . htmlspecialchars($shift->freeloaded_comment)
+ . '
';
} else {
$myshift['comment'] .= '' . __('Freeloaded') . '
';
}
@@ -452,7 +454,7 @@ function User_view_worklog(Worklog $worklog, $admin_user_worklog_privilege)
'duration' => sprintf('%.2f', $worklog->hours) . ' h',
'location' => '',
'shift_info' => __('Work log entry'),
- 'comment' => $worklog->comment . ' '
+ 'comment' => htmlspecialchars($worklog->comment) . ' '
. sprintf(
__('Added by %s at %s'),
User_Nick_render($worklog->creator),
@@ -543,9 +545,15 @@ function User_view(
)
. htmlspecialchars($user_source->name)
. (config('enable_user_name') ? ' ' . $user_name . ' ' : '')
- . ((auth()->can('user.info.show') && $user_source->state->user_info)
- ? (' ') : ''),
+ . (
+ (auth()->can('user.info.show') && $user_source->state->user_info)
+ ? (
+ ' '
+ )
+ : ''
+ ),
[
msg(),
div('row', [
@@ -608,8 +616,8 @@ function User_view(
config('enable_dect') && $user_source->contact->dect ?
heading(
icon('phone')
- . ' '
- . $user_source->contact->dect
+ . ' '
+ . htmlspecialchars($user_source->contact->dect)
. ' '
)
: '',
@@ -617,8 +625,8 @@ function User_view(
$user_source->settings->mobile_show ?
heading(
icon('phone')
- . ' '
- . $user_source->contact->mobile
+ . ' '
+ . htmlspecialchars($user_source->contact->mobile)
. ' '
)
: ''
@@ -639,19 +647,20 @@ function User_view(
($its_me || $admin_user_privilege) ? '' . __('Shifts') . ' ' : '',
$myshifts_table,
($its_me && $nightShiftsConfig['enabled'] && $goodie_enabled) ? info(
- icon('info-circle') . sprintf(
- __('Your night shifts between %d and %d am count twice for the %s score.'),
+ sprintf(
+ icon('info-circle') . __('Your night shifts between %d and %d am count twice for the %s score.'),
$nightShiftsConfig['start'],
$nightShiftsConfig['end'],
($goodie_tshirt ? __('T-shirt') : __('goodie'))
),
+ true,
true
) : '',
$its_me && count($shifts) == 0
? error(sprintf(
__('Go to the shifts table to sign yourself up for some shifts.'),
url('/user-shifts')
- ), true)
+ ), true, true)
: '',
$its_me ? ical_hint() : '',
]
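Review bot: Moving `icon('info-circle')` into the format string of `sprintf()` makes the icon's markup part of the format, so any `%` the icon helper ever emits (for example in an inline style or an encoded attribute) would be parsed as a conversion specifier. Keeping the icon outside the format, `icon('info-circle') . sprintf(__('Your night shifts between %d and %d am count twice for the %s score.'), ...)`, as the removed lines did, avoids that; if the relocation was needed so that the new third `info()` argument applies to the icon as well, a short comment saying so would keep the next reader from reverting it. User_view's body continues outside this hunk.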
@@ -781,7 +790,7 @@ function User_angeltypes_render($user_angeltypes)
$class = 'text-warning';
}
$output[] = ''
- . ($angeltype->pivot->supporter ? icon('patch-check') : '') . $angeltype->name
+ . ($angeltype->pivot->supporter ? icon('patch-check') : '') . htmlspecialchars($angeltype->name)
. ' ';
}
return div('col-md-2', [
@@ -798,7 +807,7 @@ function User_groups_render($user_groups)
{
$output = [];
foreach ($user_groups as $group) {
- $output[] = __($group->name);
+ $output[] = __(htmlspecialchars($group->name));
}
return div('col-md-2', [
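Review bot: `__(htmlspecialchars($group->name))` escapes before the translation lookup, so a group name containing `&`, quotes, `<` or `>` is looked up under its entity-encoded form and no longer matches its translation key, while the string `__()` returns is itself left unescaped. The order should be reversed, `$output[] = htmlspecialchars(__($group->name));`. The same inversion appears in the User_oauth_render hunk below, where `__()` wraps `htmlspecialchars(...)` around the provider name.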
@@ -818,9 +827,11 @@ function User_oauth_render(User $user)
$output = [];
foreach ($user->oauth as $oauth) {
$output[] = __(
- isset($config[$oauth->provider]['name'])
- ? $config[$oauth->provider]['name']
- : Str::ucfirst($oauth->provider)
+ htmlspecialchars(
+ isset($config[$oauth->provider]['name'])
+ ? $config[$oauth->provider]['name']
+ : Str::ucfirst($oauth->provider)
+ )
);
}
@@ -965,7 +976,10 @@ function render_user_tshirt_hint()
function render_user_dect_hint()
{
$user = auth()->user();
- if ((config('required_user_fields')['dect'] || $user->state->arrived) && config('enable_dect') && !$user->contact->dect) {
+ if (
+ (config('required_user_fields')['dect'] || $user->state->arrived)
+ && config('enable_dect') && !$user->contact->dect
+ ) {
$text = __('dect.required.hint');
return render_profile_link($text);
}
diff --git a/resources/views/admin/schedule/edit.twig b/resources/views/admin/schedule/edit.twig
index ad411144..2b1c73d9 100644
--- a/resources/views/admin/schedule/edit.twig
+++ b/resources/views/admin/schedule/edit.twig
@@ -2,9 +2,11 @@
{% import 'macros/base.twig' as m %}
{% import 'macros/form.twig' as f %}
-{% block title %}
+{% block title %}{{ schedule ? __('schedule.edit.title') : __('schedule.import.title') }}{% endblock %}
+
+{% block content_title %}
{{ m.button(m.icon('chevron-left'), url('/admin/schedule'), 'secondary', 'sm') }}
- {{ schedule ? __('schedule.edit.title') : __('schedule.import.title') }}
+ {{ block('title') }}
{% endblock %}
{% block row_content %}
diff --git a/resources/views/admin/schedule/load.twig b/resources/views/admin/schedule/load.twig
index c48ad031..ff6575d9 100644
--- a/resources/views/admin/schedule/load.twig
+++ b/resources/views/admin/schedule/load.twig
@@ -2,9 +2,11 @@
{% import 'macros/base.twig' as m %}
{% import 'macros/form.twig' as f %}
-{% block title %}
+{% block title %}{{ __('schedule.import.load.title') }}{% endblock %}
+
+{% block content_title %}
{{ m.button(m.icon('chevron-left'), url('/admin/schedule'), 'secondary', 'sm') }}
- {{ __('schedule.import.load.title') }}
+ {{ block('title') }}
{% endblock %}
{% block row_content %}
diff --git a/resources/views/emails/angeltype-added.twig b/resources/views/emails/angeltype-added.twig
index 5ce3fc83..a66a4eb3 100644
--- a/resources/views/emails/angeltype-added.twig
+++ b/resources/views/emails/angeltype-added.twig
@@ -3,9 +3,9 @@
{% set url=url('/angeltypes', {'action': 'view', 'angeltype_id': angeltype.id}) %}
{% block introduction %}
-{{ __('notification.angeltype.added.introduction', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.added.introduction', [angeltype.name|e, url])|raw }}
{% endblock %}
{% block message %}
-{{ __('notification.angeltype.added.text', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.added.text', [angeltype.name|e, url])|raw }}
{% endblock %}
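Review bot: `angeltype.name|e` applies Twig's default HTML escaping strategy inside a template that, judging by its `emails/` path and the surrounding `|raw`, may be rendered as plain-text mail; if the base email layout is not HTML, the name reaches the recipient with literal `&amp;` or `&#039;` entities. Worth confirming which content type these templates produce (the layout is not in the diff): for a plain-text body the escaping should be dropped, for an HTML body `|e` is the right call. The same applies to the angeltype-confirmed.twig hunk below.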
diff --git a/resources/views/emails/angeltype-confirmed.twig b/resources/views/emails/angeltype-confirmed.twig
index 1fd2d0b1..8f2c3e17 100644
--- a/resources/views/emails/angeltype-confirmed.twig
+++ b/resources/views/emails/angeltype-confirmed.twig
@@ -3,9 +3,9 @@
{% set url=url('/angeltypes', {'action': 'view', 'angeltype_id': angeltype.id}) %}
{% block introduction %}
-{{ __('notification.angeltype.confirmed.introduction', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.confirmed.introduction', [angeltype.name|e, url])|raw }}
{% endblock %}
{% block message %}
-{{ __('notification.angeltype.confirmed.text', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.confirmed.text', [angeltype.name|e, url])|raw }}
{% endblock %}
diff --git a/resources/views/pages/login.twig b/resources/views/pages/login.twig
index ae2ef2e7..b09117a0 100644
--- a/resources/views/pages/login.twig
+++ b/resources/views/pages/login.twig
@@ -7,7 +7,7 @@
-
{{ __('login.welcome', [config('name') ~ m.angel() ~ (config('app_name')|upper) ])|raw }}
+ {{ __('login.welcome', [config('name')|e ~ m.angel() ~ (config('app_name')|upper|e) ])|raw }}
diff --git a/resources/views/pages/registration.twig b/resources/views/pages/registration.twig
index 44a66844..21441990 100644
--- a/resources/views/pages/registration.twig
+++ b/resources/views/pages/registration.twig
@@ -290,7 +290,7 @@
{{ f.checkbox(
'angel_types_' ~ angelType.id,
- angelType.name ~ (angelType.restricted ? ' ' ~ m.icon('mortarboard-fill', 'text-body') : ''),
+ angelType.name|e ~ (angelType.restricted ? ' ' ~ m.icon('mortarboard-fill', 'text-body') : ''),
{
'value': angelType.id,
'raw_label': true,