author: Peter Wu 2014-07-20 23:23:17 +0200
committer: Peter Wu 2014-07-20 23:23:17 +0200
commit: c7283e1cae6bbdc13464a77ae7f22bd9489fe089 (patch)
tree: ffc767ddc0392b286d5cec0f053cf09796333077 /detail.php
parent: graph: don't overwrite config rrdtool_opts by rrdtool_opts from json plugin (diff)
Defensive programming: more urlencode/htmlentities
Make build_url return a URL, not HTML. This separates presentation from data. plugin_header's return value is unused, remove the unnecessary return. At places where `printf("<tag att='%s'>", $x);` is used, it is now converted to `printf("<tag att=\"%s\">", htmlentities($x));` since the single quote is not escaped by default by htmlentities. In case the canvas style is used, JS should use `textContent` instead of `innerHTML` to avoid reading `&quot;` instead of `"`. Nobody (should) use(s) IE6 anymore, so it is a safe change. While at it, use the standard charset attribute of meta to specify the character set (UTF-8).
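As an added illustration (not code from the commit or the CGP project), the following PHP shows the quote/delimiter mismatch the message describes: a single-quoted attribute filled by an htmlentities() call that leaves `'` alone, next to the double-quoted form the commit adopts and the ENT_QUOTES alternative. The flags and charset are pinned explicitly because PHP 8.1 changed htmlentities()'s default to include ENT_QUOTES; the attribute name and the sample value are constructed.

```php
<?php
// Added example, not code from the CGP project: demonstrates the quoting
// mismatch the commit message describes. Flags are passed explicitly because
// PHP 8.1 changed htmlentities()'s default to ENT_QUOTES; with the ENT_COMPAT
// default of 2014-era PHP only double quotes were converted.

// Constructed sample value containing both kinds of quote.
$value = "it's \"quoted\"";

// Before: single-quoted attribute plus escaping that leaves ' untouched.
// The ' inside $value terminates the attribute early, so anything after it
// lands in tag context instead of attribute context.
function attr_single_compat(string $v): string {
    return sprintf("<a title='%s'>", htmlentities($v, ENT_COMPAT, 'UTF-8'));
}

// After (what the commit does): double-quoted attribute. ENT_COMPAT converts
// every " to &quot;, so the only delimiter that matters is escaped and the
// surviving ' is just data.
function attr_double_compat(string $v): string {
    return sprintf('<a title="%s">', htmlentities($v, ENT_COMPAT, 'UTF-8'));
}

// Alternative that is safe with either delimiter: ENT_QUOTES converts ' too
// (to &#039; under the ENT_HTML401 document type).
function attr_single_quotes(string $v): string {
    return sprintf("<a title='%s'>", htmlentities($v, ENT_QUOTES, 'UTF-8'));
}

foreach (['attr_single_compat', 'attr_double_compat', 'attr_single_quotes'] as $fn) {
    printf("%-20s %s\n", $fn, $fn($value));
}
```

Only the first variant yields markup in which the attribute closes after `it`; the other two keep the whole value inside the attribute.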
Diffstat (limited to '')
detail.php | 9 lines
1 file changed, 7 insertions, 2 deletions
diff --git a/detail.php b/detail.php
index 4fb43b0..8f5a845 100644
--- a/detail.php
+++ b/detail.php
@@ -46,7 +46,10 @@ foreach($CONFIG['term'] as $key => $s) {
46 $args['s'] = $s; 46 $args['s'] = $s;
47 $selected = selected_timerange($seconds, $s); 47 $selected = selected_timerange($seconds, $s);
48 printf('<li><a %s href="%s%s">%s</a></li>'."\n", 48 printf('<li><a %s href="%s%s">%s</a></li>'."\n",
49 $selected, $CONFIG['weburl'], build_url('detail.php', $args), $key); 49 $selected,
50 htmlentities($CONFIG['weburl']),
51 htmlentities(build_url('detail.php', $args)),
52 htmlentities($key));
50} 53}
51print "</ul>\n"; 54print "</ul>\n";
52 55
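Review bot: the `$selected` argument is still substituted into the `<a %s ...>` slot without escaping while the other three arguments now pass through htmlentities(); that is only safe as long as selected_timerange() returns a fixed literal, so either note that assumption in a comment or escape it the same way. Also, the three new htmlentities() calls pass neither flags nor a charset; since this commit moves the page to UTF-8, `htmlentities($key, ENT_QUOTES, 'UTF-8')` keeps the escaping independent of the interpreter's default_charset (ISO-8859-1 on PHP older than 5.4) and covers single quotes as well, which the commit message itself identifies as the gap in the default behaviour.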
@@ -54,7 +57,9 @@ if ($CONFIG['graph_type'] == 'canvas') {
54 chdir($CONFIG['webdir']); 57 chdir($CONFIG['webdir']);
55 include $CONFIG['webdir'].'/graph.php'; 58 include $CONFIG['webdir'].'/graph.php';
56} else { 59} else {
57 printf('<img src="%s%s">'."\n", $CONFIG['weburl'], build_url('graph.php', $_GET)); 60 printf("<img src=\"%s%s\">\n",
61 htmlentities($CONFIG['weburl']),
62 htmlentities(build_url('graph.php', $_GET)));
58} 63}
59echo '</div>'; 64echo '</div>';
60echo "</fieldset>\n"; 65echo "</fieldset>\n";
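Review bot: the `<img src>` forwards the request's entire `$_GET` through build_url(), so the new htmlentities() wrapper is right for the attribute context (a `&` separator becomes `&amp;`), but the result is only as safe as build_url()'s per-key and per-value urlencode; a test feeding a key and a value containing `"`, `&` and a non-ASCII character through this path would confirm both layers at once. As in the first hunk, consider passing ENT_QUOTES and 'UTF-8' explicitly rather than relying on the defaults.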