From c7283e1cae6bbdc13464a77ae7f22bd9489fe089 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sun, 20 Jul 2014 23:23:17 +0200
Subject: Defensive programming: more urlencode/htmlentities

Make build_url return an URL, not HTML. This separates presentation from data. plugin_header's return value is unused, remove the unnecessary return. At places where `printf("", $x);` is used, it is now converted to `printf("", htmlentities($x));` since the single quote is not escaped by default by htmlentities. In case the canvas style is used, JS should use `textContent` instead of `innerHTML` to avoid reading `"` instead of `"`. Nobody (should) use(s) IE6 anymore, so it is a safe change. While at it, use the standard charset attribute of meta to specify the character set (UTF-8).
---
 detail.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'detail.php')
diff --git a/detail.php b/detail.php
index 4fb43b0..8f5a845 100644
--- a/detail.php
+++ b/detail.php
@@ -46,7 +46,10 @@ foreach($CONFIG['term'] as $key => $s) {
 $args['s'] = $s;
 $selected = selected_timerange($seconds, $s);
 printf('
  • %s
  • '."\n",
- $selected, $CONFIG['weburl'], build_url('detail.php', $args), $key);
+ $selected,
+ htmlentities($CONFIG['weburl']),
+ htmlentities(build_url('detail.php', $args)),
+ htmlentities($key));
 }
 print "\n";
@@ -54,7 +57,9 @@ if ($CONFIG['graph_type'] == 'canvas') {
 chdir($CONFIG['webdir']);
 include $CONFIG['webdir'].'/graph.php';
 } else {
- printf(''."\n", $CONFIG['weburl'], build_url('graph.php', $_GET));
+ printf("\n",
+ htmlentities($CONFIG['weburl']),
+ htmlentities(build_url('graph.php', $_GET)));
 }
 echo '';
 echo "\n";
-- cgit v1.1
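Review bot: The new `htmlentities()` calls on the `+` lines rely on PHP's default flags and charset, which is exactly the gap the commit message describes: before PHP 8.1 the default is ENT_COMPAT, so `'` is left unescaped, and the default charset changed across 5.x releases while this page now declares UTF-8. Passing them explicitly, `htmlentities($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (and likewise for the other two arguments), makes the escaping independent of ini settings, and ENT_SUBSTITUTE (PHP >= 5.4) stops htmlentities from returning an empty string on an invalid UTF-8 byte sequence, which would otherwise silently drop the link text or href. `$selected` is still printed unescaped; that is only safe if `selected_timerange()` returns a fixed class token, which this hunk does not show. The `foreach` header appears only as hunk-header context, so the loop starts outside the hunk.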
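Review bot: `build_url('graph.php', $_GET)` on the `+` line forwards the entire request query string into the image `src` attribute, so this line is only as safe as `build_url()`'s percent-encoding of every key and value (e.g. via `http_build_query()`); the commit message says it now returns a raw URL, but the function itself is not in this hunk and should be checked before relying on `htmlentities()` alone, which covers the attribute context only. The same explicit flags apply here: `htmlentities(build_url('graph.php', $_GET), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `if ($CONFIG['graph_type'] == 'canvas')` line is visible only as hunk-header context, so the enclosing conditional starts outside the hunk.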