Fixes #4593: All titles are HTML-escaped plain text

diff --git a/mod/blog/actions/blog/auto_save_revision.php b/mod/blog/actions/blog/auto_save_revision.php
index 66b65c5fddee03dba771beca2625e8e1241a62bc..e33edfaabc05d11dda05610cfbb195b063156c54 100644 (file)
--- a/mod/blog/actions/blog/auto_save_revision.php
+++ b/mod/blog/actions/blog/auto_save_revision.php
@@ -7,7 +7,7 @@
 
 $guid = get_input('guid');
 $user = elgg_get_logged_in_user_entity();
-$title = get_input('title');
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $description = get_input('description');
 $excerpt = get_input('excerpt');
 

diff --git a/mod/blog/actions/blog/save.php b/mod/blog/actions/blog/save.php
index 048bc00bec412a1da8812552d023e0e7dcb68f0a..070c96398e81152957cfff83d7bf25bf50a95217 100644 (file)
--- a/mod/blog/actions/blog/save.php
+++ b/mod/blog/actions/blog/save.php
@@ -57,7 +57,11 @@ $required = array('title', 'description');
 
 // load from POST and do sanity and access checking
 foreach ($values as $name => $default) {
-       $value = get_input($name, $default);
+       if ($name === 'title') {
+               $value = htmlspecialchars(get_input('title', $default, false), ENT_QUOTES, 'UTF-8');
+       } else {
+               $value = get_input($name, $default);
+       }
 
        if (in_array($name, $required) && empty($value)) {
                $error = elgg_echo("blog:error:missing:$name");

diff --git a/mod/bookmarks/actions/bookmarks/save.php b/mod/bookmarks/actions/bookmarks/save.php
index 3ca6bef322a0cbb1d8905bff0bcb5c9b4f1318c9..46090b11533534bdbd18f7207331a6b2f90ea66e 100644 (file)
--- a/mod/bookmarks/actions/bookmarks/save.php
+++ b/mod/bookmarks/actions/bookmarks/save.php
@@ -5,7 +5,7 @@
 * @package Bookmarks
 */
 
-$title = strip_tags(get_input('title'));
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $description = get_input('description');
 $address = get_input('address');
 $access_id = get_input('access_id');

diff --git a/mod/file/actions/file/upload.php b/mod/file/actions/file/upload.php
index d72d04eb73f35b7ac1277048ad7d1df76b46be3a..d6dce2528315f1e941f60758cd9e01faaab715be 100644 (file)
--- a/mod/file/actions/file/upload.php
+++ b/mod/file/actions/file/upload.php
@@ -6,7 +6,7 @@
  */
 
 // Get variables
-$title = get_input("title");
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $desc = get_input("description");
 $access_id = (int) get_input("access_id");
 $container_guid = (int) get_input('container_guid', 0);
@@ -44,7 +44,7 @@ if ($new_file) {
 
        // if no title on new upload, grab filename
        if (empty($title)) {
-               $title = $_FILES['upload']['name'];
+               $title = htmlspecialchars($_FILES['upload']['name'], ENT_QUOTES, 'UTF-8');
        }
 
 } else {

diff --git a/mod/groups/actions/discussion/save.php b/mod/groups/actions/discussion/save.php
index de4afadfbeaaf57d5ca4d14a3b1d90ae6f90d355..b3e9da654a6f1d9f30211153e0756dbc8d292d80 100644 (file)
--- a/mod/groups/actions/discussion/save.php
+++ b/mod/groups/actions/discussion/save.php
@@ -4,7 +4,7 @@
  */
 
 // Get variables
-$title = get_input("title");
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $desc = get_input("description");
 $status = get_input("status");
 $access_id = (int) get_input("access_id");

diff --git a/mod/groups/actions/groups/edit.php b/mod/groups/actions/groups/edit.php
index df2464a652d267503da009435378ebecce0861ff..a4169461a8fe2e1f0320f4abba1225a3926bd239 100644 (file)
--- a/mod/groups/actions/groups/edit.php
+++ b/mod/groups/actions/groups/edit.php
@@ -33,8 +33,7 @@ foreach ($CONFIG->group as $shortname => $valuetype) {
        }
 }
 
-$input['name'] = get_input('name');
-$input['name'] = html_entity_decode($input['name'], ENT_COMPAT, 'UTF-8');
+$input['name'] = htmlspecialchars(get_input('name', '', false), ENT_QUOTES, 'UTF-8');
 
 $user = elgg_get_logged_in_user_entity();
 

diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php
index a32e4a4ba4847cf5c00d9f69e34d2db32ec4bea8..fe5754d763054eb3480fb99f272782c0c1938fb6 100644 (file)
--- a/mod/pages/actions/pages/edit.php
+++ b/mod/pages/actions/pages/edit.php
@@ -8,9 +8,10 @@
 $variables = elgg_get_config('pages');
 $input = array();
 foreach ($variables as $name => $type) {
-       $input[$name] = get_input($name);
        if ($name == 'title') {
-               $input[$name] = strip_tags($input[$name]);
+               $input[$name] = htmlspecialchars(get_input($name, '', false), ENT_QUOTES, 'UTF-8');
+       } else {
+               $input[$name] = get_input($name);
        }
        if ($type == 'tags') {
                $input[$name] = string_to_tag_array($input[$name]);