www: add html_safe() for even safer html

1e5fb3e3 · Franco Fichtner · 68bb3fa5 · 1e5fb3e3 · 1e5fb3e3
Commit 1e5fb3e3 authored Jan 25, 2016 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

guiconfig.inc src/www/guiconfig.inc +7 -1

system_information.widget.php src/www/widgets/widgets/system_information.widget.php +1 -1

No files found.
--- a/src/www/guiconfig.inc
+++ b/src/www/guiconfig.inc
 <?php

 /*
-	Copyright (C) 2015 Franco Fichtner <franco@opnsense.org>
+	Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
 	Copyright (C) 2014 Deciso B.V.
 	Copyright (C) 2004 Scott Ullrich
 	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
@@ -73,6 +73,12 @@ function get_current_theme()
 	return $theme;
 }

+function html_safe($text)
+{
+	/* gettext() embedded in JavaScript can cause syntax errors */
+	return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401);
+}
+
 /* make sure nothing is cached */
 if (isset($omit_nocacheheaders) && $omit_nocacheheaders) {
 	header("Expires: 0");

--- a/src/www/widgets/widgets/system_information.widget.php
+++ b/src/www/widgets/widgets/system_information.widget.php
@@ -273,7 +273,7 @@ endforeach; ?>
 <script type="text/javascript">
 //<![CDATA[
 	function checkupdate() {
-		jQuery('#updatestatus').html('<span class="text-info"><?= gettext('Fetching... (may take up to 30 seconds)') ?></span>');
+		jQuery('#updatestatus').html('<span class="text-info"><?= html_safe(gettext('Fetching... (may take up to 30 seconds)')) ?></span>');
 		jQuery.ajax({
 			type: "POST",
 			url: '/widgets/widgets/system_information.widget.php',