[pLog-svn] r6436 - in plog/branches/lifetype-1.2/class: action/admin view/admin

mark at devel.lifetype.net mark at devel.lifetype.net
Sun May 4 03:15:44 EDT 2008


Author: mark
Date: 2008-05-04 03:15:43 -0400 (Sun, 04 May 2008)
New Revision: 6436

Modified:
   plog/branches/lifetype-1.2/class/action/admin/adminblogcategoriesaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/admineditcommentsaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/admineditglobalarticlecategoriesaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/admineditlinkcategoriesaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/admineditlinksaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php
   plog/branches/lifetype-1.2/class/action/admin/adminresourcesaction.class.php
   plog/branches/lifetype-1.2/class/view/admin/adminarticlecategorieslistview.class.php
   plog/branches/lifetype-1.2/class/view/admin/adminsiteblogslistview.class.php
   plog/branches/lifetype-1.2/class/view/admin/adminsiteuserslistview.class.php
Log:
Fixed XSS vulnerabilities
 reported here: http://www.securityfocus.com/archive/1/491550

Although, I don't think it is serious to us.

Modified: plog/branches/lifetype-1.2/class/action/admin/adminblogcategoriesaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/adminblogcategoriesaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/adminblogcategoriesaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -2,6 +2,7 @@
 	
 	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/view/admin/adminblogcategorieslistview.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 	
 	class AdminBlogCategoriesAction extends AdminAction
 	{
@@ -15,7 +16,7 @@
 		
 		function perform()
 		{
-			$searchTerms = $this->_request->getValue( "searchTerms" );
+			$searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			$this->_view = new AdminBlogCategoriesListView( $this->_blogInfo, Array( "searchTerms" => $searchTerms ));
 			$this->setCommonData();
 		}
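Review bot: Filtering searchTerms with HtmlFilter where it is read replaces output encoding with input sanitisation, and the two are not equivalent: in admineditcommentsaction.class.php this same commit drops the HtmlSpecialCharsFilter that was applied to the value just before it reached the view, so if HtmlFilter strips tags rather than encoding entities (inferred from its name — confirm in class/data/filter/htmlfilter.class.php), characters such as quotes survive and the value is still unsafe when echoed inside an HTML attribute. The template that prints searchTerms should escape it for its output context regardless, and the filter added here is better treated as defence in depth than as the fix. The same pattern is applied in admineditglobalarticlecategoriesaction, admineditlinkcategoriesaction, admineditlinksaction, admineditpostsaction and adminresourcesaction, so one comment at the filter site, e.g. `// strips markup only; the template must still htmlspecialchars() searchTerms`, would keep the next maintainer from relying on it. Note also that the value forwarded to the view (and presumably to the search query) is now the filtered text, so a search term containing markup characters will no longer match literally. perform() is complete within this hunk.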

Modified: plog/branches/lifetype-1.2/class/action/admin/admineditcommentsaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditcommentsaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditcommentsaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -4,7 +4,7 @@
     lt_include( PLOG_CLASS_PATH."class/view/admin/adminarticlecommentslistview.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/view/admin/adminpostslistview.class.php" );
     lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
-    lt_include( PLOG_CLASS_PATH."class/data/filter/htmlspecialcharsfilter.class.php" );
+    lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 	
     /**
      * \ingroup Action
@@ -45,10 +45,8 @@
 			// get the validated parameters from the request
         	$articleId = $this->_request->getValue( "articleId" );
 			$showStatus = $this->_request->getValue( "showStatus" );
-			$searchTerms = $this->_request->getvalue( "searchTerms" );
+			$searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			
-			$f = new HtmlSpecialCharsFilter();
-			
 			if( $articleId && $articleId > 0 ) {
 				$articles = new Articles();
 				$article = $articles->getBlogArticle( $articleId, $this->_blogInfo->getId());
@@ -59,13 +57,13 @@
 				else
 					$this->_view = new $this->_viewClass( $this->_blogInfo, Array( "article" => $article,
 																				   "showStatus" => $showStatus,
-																				   "searchTerms" => $f->filter( $searchTerms )));
+																				   "searchTerms" => $searchTerms ));
 			}
 			else {
 				// if there is no article id, then we will show all comments from all posts...
 				$this->_view = new $this->_viewClass( $this->_blogInfo, Array( "article" => null,
 																			   "showStatus" => $showStatus,
-																			   "searchTerms" => $f->filter( $searchTerms )));					
+																			   "searchTerms" => $searchTerms ));					
 			}
 			
             $this->setCommonData();

Modified: plog/branches/lifetype-1.2/class/action/admin/admineditglobalarticlecategoriesaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditglobalarticlecategoriesaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditglobalarticlecategoriesaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -1,11 +1,12 @@
 <?php
-	  /**
-       * GLobal artical Category files added by Ameng(Ameng.vVlogger.com) 2005-06-20
-       * version 1.0 
-       * Changed from original article category.
-       */
-	  lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
-      lt_include( PLOG_CLASS_PATH."class/view/admin/adminglobalarticlecategorieslistview.class.php" );
+	/**
+     * GLobal artical Category files added by Ameng(Ameng.vVlogger.com) 2005-06-20
+     * version 1.0 
+     * Changed from original article category.
+     */
+	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
+    lt_include( PLOG_CLASS_PATH."class/view/admin/adminglobalarticlecategorieslistview.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 
     /**
      * \ingroup Action
@@ -24,7 +25,7 @@
         {
         	$this->AdminAction( $actionInfo, $request );
 			
-			$this->_searchTerms = $this->_request->getValue( "searchTerms" );
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			
 			$this->requireAdminPermission( "view_global_categories" );
         }

Modified: plog/branches/lifetype-1.2/class/action/admin/admineditlinkcategoriesaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditlinkcategoriesaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditlinkcategoriesaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -2,6 +2,7 @@
 
 	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
     lt_include( PLOG_CLASS_PATH."class/view/admin/adminlinkcategorieslistview.class.php" );
+    lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 
     /**
      * \ingroup Action
@@ -27,7 +28,7 @@
         function perform()
         {
             // get all the link categories
-			$searchTerms = $this->_request->getValue( "searchTerms" );
+			$searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
             $this->_view = new AdminLinkCategoriesListView( $this->_blogInfo, Array( "searchTerms" => $searchTerms ) );
             $this->setCommonData();
 

Modified: plog/branches/lifetype-1.2/class/action/admin/admineditlinksaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditlinksaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditlinksaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -3,6 +3,7 @@
 	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/view/admin/adminlinkslistview.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 
     /**
      * \ingroup Action
@@ -44,7 +45,7 @@
         {
 			// get the id of the category we'd like to load
         	$this->_categoryId = $this->_request->getValue( "showCategory" );		
-			$this->_searchTerms = $this->_request->getValue( "searchTerms" );
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			
 			// and create the view with all the parameters we'll need
 			$this->_view = new AdminLinksListView( $this->_blogInfo, Array( "showCategory" => $this->_categoryId,

Modified: plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -3,6 +3,7 @@
 	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
     lt_include( PLOG_CLASS_PATH."class/view/admin/adminpostslistview.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 
     /**
      * \ingroup Action
@@ -60,13 +61,14 @@
          */
         function perform()
         {
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			// create the view with the right parameters... 
         	$this->_view = new AdminPostsListView( $this->_blogInfo, 
 			                                       Array( "showCategory" => $this->_request->getValue( "showCategory" ),
 												          "showStatus" => $this->_request->getValue( "showStatus" ),
 														  "showUser" => $this->_request->getValue( "showUser" ),
 														  "showMonth" => $this->_request->getValue( "showMonth" ),
-														  "searchTerms" => $this->_request->getValue( "searchTerms" )));
+														  "searchTerms" => $this->_searchTerms ));
             $this->setCommonData();
 
             // better to return true if everything fine
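Review bot: Only searchTerms is filtered here; showCategory, showStatus, showUser and showMonth on the following lines are still read with getValue(). If the view echoes any of them back, for example to preselect the filter controls (inferred — confirm against adminpostslistview and its template), they need the same output escaping; for the ones that are numeric ids, the IntegerValidator this file already includes would be the tighter check. perform() continues past the end of the hunk.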

Modified: plog/branches/lifetype-1.2/class/action/admin/adminresourcesaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/adminresourcesaction.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/action/admin/adminresourcesaction.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -5,6 +5,7 @@
 	lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/view/admin/adminerrorview.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/gallery/dao/galleryresourcestorage.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 
     /**
      * \ingroup Action
@@ -60,7 +61,7 @@
         function perform()
         {
             $this->_albumId = $this->_request->getValue( "albumId", 0 );
-			$this->_searchTerms = $this->_request->getValue( "searchTerms" );
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 
 			$errorMessage = $this->checkFolders();
 			if( $errorMessage ) {

Modified: plog/branches/lifetype-1.2/class/view/admin/adminarticlecategorieslistview.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/view/admin/adminarticlecategorieslistview.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/view/admin/adminarticlecategorieslistview.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -3,6 +3,7 @@
 	lt_include( PLOG_CLASS_PATH."class/view/admin/admintemplatedview.class.php" );
     lt_include( PLOG_CLASS_PATH."class/dao/articlecategories.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/data/pager/pager.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 	
     /**
      * \ingroup View
@@ -36,7 +37,7 @@
 			
 			// get the page too
 			$this->_page = $this->getCurrentPageFromRequest();
-			$this->_searchTerms = HttpVars::getRequestValue( "searchTerms" );
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			
 			// retrieve the categories in an paged fashion
 			$totalCategories = $categories->getBlogNumCategories( $this->_blogInfo->getId(), true, $this->_searchTerms );
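Review bot: The view now reads from $this->_request where the replaced line used the static HttpVars::getRequestValue(), and nothing in the hunk shows $this->_request being set on this view, so confirm that the base view (admintemplatedview) actually provides it; if it does not, this line fails at runtime instead of filtering. The same switch is made in adminsiteblogslistview and adminsiteuserslistview. If the property is not available, keeping the original access path and applying the filter explicitly, `$f = new HtmlFilter(); $this->_searchTerms = $f->filter( HttpVars::getRequestValue( "searchTerms" ));`, preserves behaviour, assuming HtmlFilter exposes the same filter() method that HtmlSpecialCharsFilter did in the removed admineditcommentsaction code. The enclosing method starts before the hunk.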

Modified: plog/branches/lifetype-1.2/class/view/admin/adminsiteblogslistview.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/view/admin/adminsiteblogslistview.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/view/admin/adminsiteblogslistview.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -3,6 +3,7 @@
 	lt_include( PLOG_CLASS_PATH."class/view/admin/admintemplatedview.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/data/pager/pager.class.php" );
 	lt_include( PLOG_CLASS_PATH."class/dao/blogs.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
 		
     /**
      * \ingroup View
@@ -54,7 +55,7 @@
             // we need to get all the blogs
 			// get the data itself
 			$this->_status = $this->getStatusFromRequest();
-			$this->_searchTerms = HttpVars::getRequestValue( "searchTerms" );
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			$blogs = new Blogs();
             $siteBlogs = $blogs->getAllBlogs( $this->_status, ALL_BLOG_CATEGORIES, $this->_searchTerms, $this->_page, DEFAULT_ITEMS_PER_PAGE );
 //			print("search terms = ".$this->_searchTerms);

Modified: plog/branches/lifetype-1.2/class/view/admin/adminsiteuserslistview.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/view/admin/adminsiteuserslistview.class.php	2008-05-03 13:30:14 UTC (rev 6435)
+++ plog/branches/lifetype-1.2/class/view/admin/adminsiteuserslistview.class.php	2008-05-04 07:15:43 UTC (rev 6436)
@@ -3,7 +3,8 @@
 	lt_include( PLOG_CLASS_PATH."class/view/admin/admintemplatedview.class.php" );
     lt_include( PLOG_CLASS_PATH."class/dao/users.class.php" );
     lt_include( PLOG_CLASS_PATH."class/data/pager/pager.class.php" );
-    lt_include( PLOG_CLASS_PATH."class/dao/userstatus.class.php" );    
+    lt_include( PLOG_CLASS_PATH."class/dao/userstatus.class.php" ); 
+    lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );   
 	
     /**
      * \ingroup View
@@ -63,7 +64,7 @@
 			// get the current page
 			$this->_page = $this->getCurrentPageFromRequest();
 			$this->_status = $this->getStatusFromRequest();
-			$this->_searchTerms = HttpVars::getRequestValue( "searchTerms");
+			$this->_searchTerms = $this->_request->getFilteredValue( "searchTerms", new HtmlFilter());
 			
         	// get the users of the blog
             $users = new Users();


