Bugfix: Escape double quotes properly on locations name. #1673

6d6c9e43 · Gary Allan · 113e085d · 6d6c9e43 · 6d6c9e43 · 6d6c9e43
Commit 6d6c9e43 authored Feb 13, 2018 by Gary Allan
--- a/app/tools/locations/all-locations-map.php
+++ b/app/tools/locations/all-locations-map.php
@@ -84,13 +84,13 @@ else {
                    $html = array();
                    foreach ($all_locations as $location) {
                        // description and apostrophe fix
-                        $location->description = strlen($location->description)>0 ? "<span class=\'text-muted\'>".addslashes($location->description)."</span>" : "";
+                        $location->description = strlen($location->description)>0 ? "<span class=\'text-muted\'>".escape_input($location->description)."</span>" : "";
                        $location->description = str_replace(array("\r\n","\n","\r"), "<br>", $location->description );

                        $html[] = "map.addMarker({";
-                        $html[] = " title: \"$location->name\",";
-                        $html[] = " lat: '$location->lat',";
-                        $html[] = " lng: '$location->long',";
+                        $html[] = " title: \"". addslashes($location->name) ."\",";
+                        $html[] = " lat: '". escape_input($location->lat) ."',";
+                        $html[] = " lng: '". escape_input($location->long) ."',";
                        $html[] = " infoWindow: {";
                        $html[] = "    content: '<h5><a href=\'".create_link("tools", "locations", $location->id)."\'>". addslashes($location->name) ."</a></h5>$location->description'";
                        $html[] = "}";

--- a/app/tools/locations/single-location-map.php
+++ b/app/tools/locations/single-location-map.php
@@ -37,7 +37,7 @@ elseif (!isset($gmaps_api_key) || strlen($gmaps_api_key)==0) {
    if( (strlen($location->long)>0 && strlen($location->lat))) {

    // description and apostrophe fix
-    $location->description = strlen($location->description)>0 ? "<span class=\'text-muted\'>".addslashes($location->description)."</span>" : "";
+    $location->description = strlen($location->description)>0 ? "<span class=\'text-muted\'>".escape_input($location->description)."</span>" : "";
    $location->description = str_replace(array("\r\n","\n","\r"), "<br>", $location->description );
    ?>
    <script type="text/javascript">
@@ -47,14 +47,14 @@ elseif (!isset($gmaps_api_key) || strlen($gmaps_api_key)==0) {
            var map = new GMaps({
              div: '#gmap',
              zoom: 15,
-              lat: '<?php print $location->lat; ?>',
-              lng: '<?php print $location->long; ?>'
+              lat: '<?php print escape_input($location->lat); ?>',
+              lng: '<?php print escape_input($location->long); ?>'
            });

            map.addMarker({
-             title: "'<?php print $location->name; ?>'",
-             lat: '<?php print $location->lat; ?>',
-             lng: '<?php print $location->long; ?>',
+             title: "'<?php print addslashes($location->name); ?>'",
+             lat: '<?php print escape_input($location->lat); ?>',
+             lng: '<?php print escape_input($location->long); ?>',
             infoWindow: {
                content: '<h5><a href="<?php print create_link("tools", "locations", $location->id); ?>."\'><?php print addslashes($location->name); ?></a></h5><?php print $location->description; ?>'
             }

--- a/app/tools/locations/single-location.php
+++ b/app/tools/locations/single-location.php
@@ -51,21 +51,21 @@ else {
            	# name
            	print "<tr>";
            	print "	<th>"._('Name')."</th>";
-            	print "	<td><strong>$location->name</strong></td>";
+            	print "	<td><strong>".escape_input($location->name)."</strong></td>";
            	print "</tr>";

            	# address
            	print "<tr>";
            	print "	<th>"._('Address')."</th>";
            	print "	<td>";
-            	print strlen($location->address)>0 ? $location->address : "/";
+            	print strlen($location->address)>0 ? escape_input($location->address) : "/";
            	print "</td>";
            	print "</tr>";

            	print "<tr>";
            	print "	<th>"._('Coordinates')."</th>";
            	print "	<td>";
-            	print strlen($location->lat)>0 && strlen($location->long)>0 ? "<span class='text-muted'>".$location->lat." / ".$location->long."</span>" : "/";
+            	print strlen($location->lat)>0 && strlen($location->long)>0 ? "<span class='text-muted'>".escape_input($location->lat)." / ".escape_input($location->long)."</span>" : "/";
            	print "</td>";
            	print "</tr>";

@@ -79,7 +79,7 @@ else {
            	# description
            	print "<tr>";
            	print "	<th>"._('Description')."</th>";
-            	print "	<td>$location->description</td>";
+            	print "	<td>". escape_input($location->description) ."</td>";
            	print "</tr>";

            	# print custom subnet fields if any