The branch, master has been updated
via 68cb87a81829581e7457c4a8a6fe6b85ef663834 (commit)
from 85fc658f3146d245d88d29085f98c62e686eee13 (commit)
- Log -----------------------------------------------------------------
commit 68cb87a81829581e7457c4a8a6fe6b85ef663834
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Sep 9 13:12:24 2011 -0400
Escape HTML in column names and values before json_encode()
-----------------------------------------------------------------------
Summary of changes:
tbl_chart.php | 15 +++++++++++++--
1 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/tbl_chart.php b/tbl_chart.php
index 8caa38e..43de351 100644
--- a/tbl_chart.php
+++ b/tbl_chart.php
@@ -130,14 +130,25 @@ url_query = '<?php echo $url_query;?>';
</div>
<div style="float:left; padding-left:40px;">
<?php echo __('X-Axis label:'); ?> <input
style="margin-top:0;" type="text" name="xaxis_label"
- value="<?php echo ($yaxis == -1) ? __('X Values') :
$keys[$yaxis]; ?>"><br />
+ value="<?php echo ($yaxis == -1) ? __('X Values') :
htmlspecialchars($keys[$yaxis]); ?>"><br />
<?php echo __('Y-Axis label:'); ?> <input type="text"
name="yaxis_label" value="<?php echo __('Y Values');
?>">
</div>
<p style="clear:both;"> </p>
<div id="resizer" style="width:600px; height:400px;">
<div id="inner-resizer">
<div id="querychart" style="display:none;">
- <?php echo json_encode($data); ?>
+<?php
+$sanitized_data = array();
+foreach ($data as $data_row_number => $data_row) {
+ $tmp_row = array();
+ foreach ($data_row as $data_column => $data_value) {
+ $tmp_row[htmlspecialchars($data_column)] = htmlspecialchars($data_value);
+ }
+ $sanitized_data[] = $tmp_row;
+}
+echo json_encode($sanitized_data);
+unset($sanitized_data);
+?>
</div>
</div>
</div>
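Review bot: The escaping added at `$tmp_row[htmlspecialchars($data_column)] = htmlspecialchars($data_value);` is applied in the wrong layer: the JSON is emitted as the text content of the hidden `#querychart` div, so the script that later reads it (not visible in this hunk) either gets the entities decoded back to raw `<`, `>` and `"` if it reads text content, or gets literal `&lt;`-style strings inside the parsed values if it reads innerHTML; the labels still need escaping at the point where the chart code writes them into the DOM. Within this hunk, the default flags also leave `'` unescaped and rely on the build-time default charset, so `htmlspecialchars($data_value, ENT_QUOTES, 'UTF-8')` (and the same for `$data_column`) would make the intent explicit, assuming the page is served as UTF-8. Note that `htmlspecialchars()` turns a SQL NULL into `''` and every numeric value into a string, so the consumer will no longer see `null` or numeric JSON values — worth confirming it tolerates that. Finally, `$data_row_number` is unused and `$sanitized_data[] = $tmp_row;` discards the original row keys, which is harmless only if `$data` is a plain list; otherwise the JSON shape changes from object to array.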