From c7283e1cae6bbdc13464a77ae7f22bd9489fe089 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sun, 20 Jul 2014 23:23:17 +0200
Subject: Defensive programming: more urlencode/htmlentities
Make build_url return an URL, not HTML. This separates presentation from data. plugin_header's return value is unused, remove the unnecessary return. At places where `printf("", $x);` is used, it is now converted to `printf("", htmlentities($x));` since the single quote is not escaped by default by htmlentities. In case the canvas style is used, JS should use `textContent` instead of `innerHTML` to avoid reading `"` instead of `"`. Nobody (should) use(s) IE6 anymore, so it is a safe change. While at it, use the standard charset attribute of meta to specify the character set (UTF-8).
---
 type/Base.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'type/Base.class.php')
diff --git a/type/Base.class.php b/type/Base.class.php
index b74c1b1..ff9a235 100644
--- a/type/Base.class.php
+++ b/type/Base.class.php
@@ -203,14 +203,14 @@ class Type_Base {
 case 'cmd':
 print '
';
 				foreach ($graphdata as $d) {
-					printf("%s \\\n", $d);
+					printf("%s \\\n", htmlentities($d));
 				}
 				print '
';
 break;
 case 'canvas':
 printf('', sha1(serialize($graphdata)));
 foreach ($graphdata as $d) {
- printf("%s\n", $d);
+ printf("%s\n", htmlentities($d));
 }
 print '';
 break;
-- cgit v1.1
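Review bot: Both added `htmlentities($d)` calls (the `'cmd'` and `'canvas'` branches) rely on the default flags and charset, so single quotes pass through unescaped and, on PHP 5.4 and later, a `$d` that is not a valid byte sequence in the active charset makes `htmlentities()` return an empty string, silently dropping that line of graph data rather than failing visibly. Pinning the encoding and quoting decouples the escaping from `default_charset` and matches the UTF-8 meta charset the commit message says it introduces: `printf("%s \\\n", htmlentities($d, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` in the `'cmd'` branch and the same argument list in the `'canvas'` branch. Quotes appear to be harmless where this output lands (the commit message describes it as element content read via `innerHTML`/`textContent`), but `ENT_QUOTES` keeps the call safe if the same value is ever emitted inside an attribute. The enclosing method and its `switch` start and end outside the hunk, so whether `$graphdata` is already trusted cannot be judged from here.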