"php-di/slim-bridge": "2.0.0",
"doctrine/annotations": "^1.8",
"laminas/laminas-servicemanager": "3.7",
- "symfony/polyfill-php80": "^1.23"
+ "symfony/polyfill-php80": "^1.23",
+ "ezyang/htmlpurifier": "^4.13"
},
"require-dev": {
"atoum/atoum": "dev-master",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "abdb30cee5eeb0dad05c159a1c10880d",
+ "content-hash": "47d56d47701d9038105bd93cf3b44a02",
"packages": [
{
"name": "akrabat/rka-slim-session-middleware",
],
"time": "2020-05-25T17:44:05+00:00"
},
+ {
+ "name": "ezyang/htmlpurifier",
+ "version": "v4.13.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/ezyang/htmlpurifier.git",
+ "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
+ "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.2"
+ },
+ "require-dev": {
+ "simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "HTMLPurifier": "library/"
+ },
+ "files": [
+ "library/HTMLPurifier.composer.php"
+ ],
+ "exclude-from-classmap": [
+ "/library/HTMLPurifier/Language/"
+ ]
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "LGPL-2.1-or-later"
+ ],
+ "authors": [
+ {
+ "name": "Edward Z. Yang",
+ "email": "admin@htmlpurifier.org",
+ "homepage": "http://ezyang.com"
+ }
+ ],
+ "description": "Standards compliant HTML filter written in PHP",
+ "homepage": "http://htmlpurifier.org/",
+ "keywords": [
+ "html"
+ ],
+ "support": {
+ "issues": "https://github.com/ezyang/htmlpurifier/issues",
+ "source": "https://github.com/ezyang/htmlpurifier/tree/master"
+ },
+ "time": "2020-06-29T00:56:53+00:00"
+ },
{
"name": "laminas/laminas-cache",
"version": "2.13.0",
*
* PHP version 5
*
- * Copyright © 2019-2020 The Galette Team
+ * Copyright © 2019-2021 The Galette Team
*
* This file is part of Galette (http://galette.tuxfamily.org).
*
* @package Galette
*
* @author Johan Cwiklinski <johan@x-tnd.be>
- * @copyright 2019-2020 The Galette Team
+ * @copyright 2019-2021 The Galette Team
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
* @link http://galette.tuxfamily.org
* @since Available since 0.9.4dev - 2019-12-09
* @name PaymentTypeController
* @package Galette
* @author Johan Cwiklinski <johan@x-tnd.be>
- * @copyright 2019-2020 The Galette Team
+ * @copyright 2019-2021 The Galette Team
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
* @link http://galette.tuxfamily.org
* @since Available since 0.9.4dev - 2019-12-09
'error_detected',
preg_replace(
'(%s)',
- $ptype->name,
+ $ptype->getName(),
_T("Payment type '%s' has not been added!")
)
);
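Review bot: The payment type name is still passed as the replacement argument of preg_replace(), where `$1`, `${1}` and `\1` sequences are interpreted as backreferences, so a name such as `Fee $1` renders as `Fee %s` in the flash message. Since no regular expression is needed here, `str_replace('%s', $ptype->getName(), _T("Payment type '%s' has not been added!"))` gives the literal substitution with no replacement-string parsing. The same construct appears in the three following hunks ("has not been modified", "has been successfully added", "has been successfully modified"). The enclosing method starts and ends outside the hunk, so whether the message is HTML-escaped when flashed cannot be confirmed from here.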
'error_detected',
preg_replace(
'(%s)',
- $ptype->name,
+ $ptype->getName(),
_T("Payment type '%s' has not been modified!")
)
);
'success_detected',
preg_replace(
'(%s)',
- $ptype->name,
+ $ptype->getName(),
_T("Payment type '%s' has been successfully added.")
)
);
'success_detected',
preg_replace(
'(%s)',
- $ptype->name,
+ $ptype->getName(),
_T("Payment type '%s' has been successfully modified.")
)
);
$this->errors[] = _T("- Invalid year for cards.");
}
break;
+ case 'pref_footer':
+ $value = $this->cleanHtmlValue($value);
+ break;
}
return $value;
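Review bot: The new `pref_footer` case calls cleanHtmlValue(), which is declared with a `string` parameter, while `$value` is whatever the enclosing check method received; if that method can be reached with a missing or null `pref_footer` (the method start is outside this hunk) and the file declares strict_types, the call throws a TypeError instead of reporting a validation error. A cast at the call site, `$value = $this->cleanHtmlValue((string) $value);`, would keep the existing behaviour for absent values. This is hedged on the caller, which is not visible here.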
&& $name == 'pref_mail_method'
) {
return GaletteMail::METHOD_DISABLED;
+ } elseif ($name == 'pref_footer') {
+ return $this->cleanHtmlValue($this->prefs[$name]);
} else {
if ($name == 'pref_adhesion_form' && $this->prefs[$name] == '') {
$this->prefs[$name] = self::$defaults['pref_adhesion_form'];
return $this;
}
+
+ /**
+ * Purify HTML value
+ *
+ * @param string $value Value to clean
+ *
+ * @return string
+ */
+ public function cleanHtmlValue(string $value): string
+ {
+ $config = \HTMLPurifier_Config::createDefault();
+ $config->set('Cache.SerializerPath', GALETTE_CACHE_DIR);
+ $purifier = new \HTMLPurifier($config);
+ return $purifier->purify($value);
+ }
}
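Review bot: cleanHtmlValue() builds a fresh HTMLPurifier_Config and HTMLPurifier instance on every call, and the new `__get` branch above routes every read of `pref_footer` through it, so the expensive purifier setup is repeated for each page render that displays the footer. Keeping one instance per request avoids that without changing the result, since the configuration is constant. Purifying on read is reasonable defence in depth for values stored before this change, but the cost should be paid once; the `Cache.SerializerPath` setting also means HTMLPurifier will write serialized definitions under GALETTE_CACHE_DIR, which presumably must exist and be writable (it emits a warning otherwise).
```php
public function cleanHtmlValue(string $value): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = \HTMLPurifier_Config::createDefault();
        $config->set('Cache.SerializerPath', GALETTE_CACHE_DIR);
        $purifier = new \HTMLPurifier($config);
    }
    return $purifier->purify($value);
}
```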
public function add($label, $extra)
{
// Avoid duplicates.
+ $label = strip_tags($label);
$ret = $this->getIdByLabel($label);
if ($ret !== false) {
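Review bot: strip_tags() on the label is lossy and silently alters legitimate input: PHP treats an unmatched `<` followed by a non-space character as the start of a tag and drops everything after it, so a label such as `Level <3` is stored as `Level `. Output encoding is the correct layer for XSS, and this commit already adds `|escape` in the templates, so the input-side stripping is redundant with that and destructive on its own; if markup must be refused, reporting a validation error (for example `if ($label !== strip_tags($label)) { $this->errors[] = _T("- Invalid characters in label"); }`) keeps the user's data intact. The same applies to update() in the next hunk, to the Titles store() hunk and to the transaction description hunk. add() continues past the end of this hunk.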
*/
public function update($id, $label, $extra)
{
+ $label = strip_tags($label);
$ret = $this->get($id);
if (!$ret) {
/* get() already logged and set $this->error. */
public function store($zdb)
{
$data = array(
- 'short_label' => $this->short,
- 'long_label' => $this->long
+ 'short_label' => strip_tags($this->short),
+ 'long_label' => strip_tags($this->long)
);
try {
if ($this->id !== null && $this->id > 0) {
break;
case 'trans_desc':
/** TODO: retrieve field length from database and check that */
- $this->_description = $value;
+ $this->_description = strip_tags($value);
if (mb_strlen($value) > 150) {
$this->errors[] = _T("- Transaction description must be 150 characters long maximum.");
}
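Review bot: The 150-character check still measures the raw `$value` while the stored `_description` is the stripped value, so the two can disagree and the error can fire for a description whose stored form would fit. Normalising once before both uses keeps them consistent: `$value = strip_tags($value);` followed by `$this->_description = $value;` and the existing `mb_strlen($value)` check. The lossiness of strip_tags() itself is noted on the Entitled add() hunk. The enclosing switch starts outside this hunk.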
{$eid}
<span class="row-title">
<a href="{path_for name="editEntitled" data=["class" => $url_class, "action" => "edit", "id" => $eid]}">
- {_T string="%s field" pattern="/%s/" replace=$entry.name}
+ {_T string="%s field" pattern="/%s/" replace=$entry.name|escape}
</a>
</span>
</td>
class="action tooltip"
>
<i class="fas fa-edit fa-fw"></i>
- <span class="sr-only">{_T string="Edit '%s' field" pattern="/%s/" replace=$entry.name}</span>
+ <span class="sr-only">{_T string="Edit '%s' field" pattern="/%s/" replace=$entry.name|escape}</span>
</a>
<a
href="{path_for name="removeEntitled" data=["class" => $url_class, "id" => $eid]}"
class="delete tooltip"
>
<i class="fas fa-trash fa-fw"></i>
- <span class="sr-only">{_T string="Delete '%s' field" pattern="/%s/" replace=$entry.name}</span>
+ <span class="sr-only">{_T string="Delete '%s' field" pattern="/%s/" replace=$entry.name|escape}</span>
</a>
</td>
</tr>
{/if}
<span class="row-title">
<a href="{path_for name="editTitle" data=["id" => $title->id]}">
- {_T string="%s title" pattern="/%s/" replace=$title->short}
+ {_T string="%s title" pattern="/%s/" replace=$title->short|escape}
</a>
</span>
</td>
- <td class="left" data-title="{_T string="Short form"}">{$title->short}</td>
- <td class="left" data-title="{_T string="Long form"}">{$title->long}</td>
+ <td class="left" data-title="{_T string="Short form"}">{$title->short|escape}</td>
+ <td class="left" data-title="{_T string="Long form"}">{$title->long|escape}</td>
<td class="center actions_row">
<a
href="{path_for name="editTitle" data=["id" => $title->id]}"
class="tooltip action"
>
<i class="fas fa-edit fa-fw"></i>
- <span class="sr-only">{_T string="Edit '%s' title" pattern="/%s/" replace=$title->short}</span>
+ <span class="sr-only">{_T string="Edit '%s' title" pattern="/%s/" replace=$title->short|escape}</span>
</a>
{if $title->id eq 1 or $title->id eq 2}
<img src="{base_url}/{$template_subdir}images/icon-empty.png" alt="" width="16px" height="16px"/>
class="delete tooltip"
>
<i class="fa fa-trash fa-fw"></i>
- <span class="sr-only">{_T string="Delete '%s' title" pattern="/%s/" replace=$title->short}</span>
+ <span class="sr-only">{_T string="Delete '%s' title" pattern="/%s/" replace=$title->short|escape}</span>
</a>
{/if}
</td>
</a>
</td>
{/if}
- <td class="{$cclass} nowrap" data-title="{_T string="Description"}">{$transaction->description}</td>
+ <td class="{$cclass} nowrap" data-title="{_T string="Description"}">{$transaction->description|escape}</td>
{if $login->isAdmin() or $login->isStaff()}
<td class="{$cclass}" data-title="{_T string="Originator"}">
{if $filters->filtre_cotis_adh eq ""}