From e824d633ab4483d3afbea66545fb619bd57a4156 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= <grosse@cosmocode.de>
Date: Fri, 19 Jan 2018 16:32:22 +0100
Subject: [PATCH] fix: enforce optional svg & prevent arbitrary html in
 html_btn

To prevent this functionality from being abused to insert arbitrary HTML,
html_btn() now calls inlineSVG() itself instead of accepting pre-rendered markup.
---
 inc/Menu/Item/AbstractItem.php | 2 +-
 inc/html.php                   | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/inc/Menu/Item/AbstractItem.php b/inc/Menu/Item/AbstractItem.php
index e943b5900..45ead5562 100644
--- a/inc/Menu/Item/AbstractItem.php
+++ b/inc/Menu/Item/AbstractItem.php
@@ -182,7 +182,7 @@ abstract class AbstractItem {
             $this->method,
             $this->getTitle(),
             $this->getLabel(),
-            inlineSVG($this->getSvg())
+            $this->getSvg()
         );
     }
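Review bot: The argument at `$this->getSvg()` changes meaning from inlined markup to whatever inlineSVG() expects as input, and only this one caller is updated; any other html_btn() caller (themes or plugins outside this diff) that still passes pre-rendered SVG markup will now hand that markup to inlineSVG(), which is presumably a file reference lookup — worth a grep before merging, and a changelog line since this is a public helper's contract. The enclosing method starts outside the hunk, so I cannot see whether getSvg() guarantees a non-empty value; if it can return an empty string the button silently falls back to the plain-label branch, which may be intended but deserves a short comment on the call site, e.g. `// path to the icon; inlined by html_btn(), may be empty for plain-text buttons`.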
 
diff --git a/inc/html.php b/inc/html.php
index cebff851e..99b0c9986 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -188,10 +188,10 @@ function html_topbtn(){
  * @param string         $method
  * @param string         $tooltip
  * @param bool|string    $label  label text, false: lookup btn_$name in localization
- * @param string $inlineSVG (optional) inlineSVG code, inserted into the button
+ * @param string         $svg (optional) svg code, inserted into the button
  * @return string
  */
-function html_btn($name, $id, $akey, $params, $method='get', $tooltip='', $label=false, $inlineSVG=null){
+function html_btn($name, $id, $akey, $params, $method='get', $tooltip='', $label=false, $svg=null){
     global $conf;
     global $lang;
 
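Review bot: The updated docblock `@param string $svg (optional) svg code, inserted into the button` still describes the parameter as SVG code, but the new body passes it to inlineSVG(), so callers reading the docblock will keep passing markup — exactly what this commit sets out to prevent. I would state the new contract explicitly, hedged on inlineSVG()'s own input rules which are not visible here: `@param string $svg (optional) reference to an SVG icon (as accepted by inlineSVG()); the markup is generated by inlineSVG() inside this function — raw SVG/HTML strings are not accepted`. The function body continues past the end of this hunk.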
@@ -234,9 +234,9 @@ function html_btn($name, $id, $akey, $params, $method='get', $tooltip='', $label
         $ret .= 'accesskey="'.$akey.'" ';
     }
     $ret .= 'title="'.$tip.'">';
-    if ($inlineSVG) {
+    if ($svg) {
         $ret .= '<span>' . hsc($label) . '</span>';
-        $ret .= $inlineSVG;
+        $ret .= inlineSVG($svg);
     } else {
         $ret .= hsc($label);
     }
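Review bot: The security property of this change rests entirely on inlineSVG() only ever returning content it has read and sanitised itself; the `$ret .= inlineSVG($svg);` line still concatenates its return value unescaped, so if inlineSVG() can be pointed at an arbitrary path (or returns the input unchanged on failure) the "arbitrary HTML" hole is merely moved, not closed — that contract is not visible in this diff and should be confirmed. Also, `if ($svg)` is a truthiness test, so `'0'` or `0` selects the plain-label branch; `if ($svg !== null && $svg !== '')` would make the "optional" semantics explicit. A one-line comment would help the next maintainer: `// $svg is a reference resolved by inlineSVG(), never raw markup — keeps callers from injecting HTML here`. The function body continues beyond the end of the hunk.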
-- 
GitLab