Defensive programming: more urlencode/htmlentities

Make build_url return an URL, not HTML. This separates presentation
from data.

plugin_header's return value is unused, remove the unnecessary return.

At places where `printf("<tag att='%s'>", $x);` is used, it is now
converted to `printf("<tag att=\"%s\">", htmlentities($x));` since
the single quote is not escaped by default by htmlentities.

In case the canvas style is used, JS should use `textContent` instead
of `innerHTML` to avoid reading `&quot;` instead of `"`. Nobody (should)
use(s) IE6 anymore, so it is a safe change.

While at it, use the standard charset attribute of meta to specify
the character set (UTF-8).

1 files changed, 7 insertions, 2 deletions

diff --git a/detail.php b/detail.php
index 4fb43b0..8f5a845 100644
--- a/detail.php
+++ b/detail.php
@@ -46,7 +46,10 @@ foreach($CONFIG['term'] as $key => $s) {
         $args['s'] = $s;
         $selected = selected_timerange($seconds, $s);
         printf('<li><a %s href="%s%s">%s</a></li>'."\n",
-                $selected, $CONFIG['weburl'], build_url('detail.php', $args), $key);
+                $selected,
+                htmlentities($CONFIG['weburl']),
+                htmlentities(build_url('detail.php', $args)),
+                htmlentities($key));
 }
 print "</ul>\n";
 
@@ -54,7 +57,9 @@ if ($CONFIG['graph_type'] == 'canvas') {
         chdir($CONFIG['webdir']);
         include $CONFIG['webdir'].'/graph.php';
 } else {
-        printf('<img src="%s%s">'."\n", $CONFIG['weburl'], build_url('graph.php', $_GET));
+        printf("<img src=\"%s%s\">\n",
+                htmlentities($CONFIG['weburl']),
+                htmlentities(build_url('graph.php', $_GET)));
 }
 echo '</div>';
 echo "</fieldset>\n";