gnucash-htdocs master: Multiple changes pushed

John Ralls jralls at code.gnucash.org
Wed Aug 11 17:47:55 EDT 2021


Updated	 via  https://github.com/Gnucash/gnucash-htdocs/commit/93dd807b (commit)
	 via  https://github.com/Gnucash/gnucash-htdocs/commit/c15cd8c4 (commit)
	 via  https://github.com/Gnucash/gnucash-htdocs/commit/8b401283 (commit)
	 via  https://github.com/Gnucash/gnucash-htdocs/commit/9403a7fc (commit)
	 via  https://github.com/Gnucash/gnucash-htdocs/commit/0d7df218 (commit)
	 via  https://github.com/Gnucash/gnucash-htdocs/commit/3f869d4d (commit)
	from  https://github.com/Gnucash/gnucash-htdocs/commit/3f7f85cc (commit)



commit 93dd807b30c60da08ceebc2acb58d8042d6dff75
Merge: c15cd8c 3f7f85c
Author: John Ralls <jralls at ceridwen.us>
Date:   Wed Aug 11 14:45:23 2021 -0700

    Merge branch 'master' into beta


commit c15cd8c4283b6c1c15146f97acc042befb03adbe
Author: John Ralls <jralls at ceridwen.us>
Date:   Wed Aug 11 14:32:22 2021 -0700

    Limit reading of GET parameters to lang and filter that strictly.

diff --git a/2.6-release-tour.phtml b/2.6-release-tour.phtml
index 1f6351f..e889984 100644
--- a/2.6-release-tour.phtml
+++ b/2.6-release-tour.phtml
@@ -3,7 +3,6 @@ include("lang.php");
 $title = T_("GnuCash 2.6 release tour");
 $description = T_("This tour will introduce you to new major features in <span class=\"gnucash\">GnuCash</span> 2.6.");
 $page = basename($_SERVER['SCRIPT_NAME']);
-include("emulate_globals_on.php");
 include("$top_dir/externals/header.phtml");
 include("$top_dir/externals/menu.phtml");
 ?>
diff --git a/develdocs.phtml b/develdocs.phtml
index 87b1580..3b3d8c8 100644
--- a/develdocs.phtml
+++ b/develdocs.phtml
@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Writing Documentation");
 $description = T_("If you are interested in improving the <span class=\"gnucash\">GnuCash</span> documentation, you have come to the right place. This page will provide you with the necessary information to get started.");
diff --git a/docs.phtml b/docs.phtml
index 104f5ee..2b88aed 100644
--- a/docs.phtml
+++ b/docs.phtml
@@ -14,7 +14,6 @@
   $pdf = T_("Download documentation as PDF");
   $epub = T_("Download documentation as epub");
   $mobi = T_("Download documentation as mobipocket");
-  include("emulate_globals_on.php");
   include("externals/header.phtml");
   include("externals/menu.phtml");
 ?>
diff --git a/donate.phtml b/donate.phtml
index ff409b0..e911133 100644
--- a/donate.phtml
+++ b/donate.phtml
@@ -1,5 +1,4 @@
 <?php
-  include ("emulate_globals_on.php");
   include ("lang.php");
   $title = T_ ( "Donations" );
   $description = T_("<span class=\"gnucash\">GnuCash</span> is Free Software and is made available free of charge. Your donation, which is purely optional, supports our worldwide community. If you like the software, please consider a donation. We are only a handfull of developers and other volunteers serving countless users worldwide.");
diff --git a/download.phtml b/download.phtml
index a141bcd..3b3ee93 100644
--- a/download.phtml
+++ b/download.phtml
@@ -1,6 +1,5 @@
 <?php 
   $homepage = false;
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Download");
   $description = T_("Download executable bundles of the <span class=\"gnucash\">GnuCash</span> program inclusive documentation or the source files here. Several versions are available for recent and older operating systems.");
diff --git a/emulate_globals_on.php b/emulate_globals_on.php
deleted file mode 100644
index 82b9e02..0000000
--- a/emulate_globals_on.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
- // Emulate register_globals on
- if (!ini_get('register_globals')) {
-    $superglobals = array($_SERVER, $_ENV,
-        $_FILES, $_COOKIE, $_POST, $_GET);
-    if (isset($_SESSION)) {
-        array_unshift($superglobals, $_SESSION);
-    }
-    foreach ($superglobals as $superglobal) {
-        extract($superglobal, EXTR_SKIP);
-    }
- }
-?>
diff --git a/externals/header.phtml b/externals/header.phtml
index 7394899..4bb81f0 100644
--- a/externals/header.phtml
+++ b/externals/header.phtml
@@ -12,22 +12,28 @@
   $full_title = $title." | GnuCash";
   if (!isset($description)) {
       $description = $default_description;
-  };
+   }
 
   # This function will create a link to the given page
   # reusing the get parameters that were specified
   # with the option to override the language
-  function make_lang_href($page, $get_parms, $lang)
+  function make_lang_href($page, $get_parms, $lang="")
   {
       if (isset($lang) && $lang != "") {
           $get_parms["lang"] = $lang;
       }
-      $url_get_query = http_build_query($get_parms);
-      $lang_href = "$page"."?"."$url_get_query";
+      if (in_array($get_parms["lang"], array_values($GLOBALS["supported_languages"]), TRUE) ||
+           array_key_exists($get_parms["lang"], $GLOBALS["supported_languages"])) {
+          $url_get_query = http_build_query($get_parms);
+          $lang_href = "$page"."?"."$url_get_query";
+      } else {
+          $lang_href = "$page";
+      }
       return $lang_href;
   }
-  
-  $get_parms = $_GET;
+
+   $input_filter_args = array('lang' => FILTER_SANITIZE_STRING);
+  $get_parms = filter_input_array(INPUT_GET, $input_filter_args);
 
   if (isset($locale)) {
       if (substr($locale, 0, 2) != 'zh') {
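Review bot: `$get_parms["lang"]` in the new in_array/array_key_exists condition is read even when the caller passes no `$lang`, which is exactly what the og:url call further down does with the new `$lang=""` default; `filter_input_array` yields `['lang' => null]` when the request carries no `lang` and `null` altogether when `$_GET` is empty, so in the second case the read emits an offset-on-null notice/warning (PHP 7.4 and later) before falling through to the bare `$page` branch. Reading the value once with a default, `$req_lang = isset($get_parms["lang"]) ? $get_parms["lang"] : "";`, and testing `$req_lang` in both halves of the condition keeps the allow-list check and removes the warning. The header comment still says the helper reuses "the get parameters that were specified"; since only `lang` now survives `filter_input_array`, it should say so, e.g. `# only the 'lang' query parameter is carried over, and only when it names a supported language`. The enclosing PHP block continues outside the hunk.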
@@ -63,7 +69,7 @@
     ?>
     <meta property="og:title" content="<?=$full_title?>"/>
     <meta property="og:type" content="website"/>
-    <meta property="og:url" content="<?=\DEFAULT_URL.filter_var($page, FILTER_SANITIZE_URL)?>"/>
+    <meta property="og:url" content="<?=\DEFAULT_URL.make_lang_href($page, $get_parms)?>"/>
     <meta property="og:image" content="<?=\DEFAULT_URL."externals/logo_w120.png"?>"/>
     <meta property="og:site_name" content="GnuCash"/>
     <meta property="og:description" content="<?=strip_tags($description)?>"/>
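Review bot: The og:url attribute now emits the `make_lang_href()` result raw, whereas the line it replaces passed `$page` through `filter_var(..., FILTER_SANITIZE_URL)`; the new value appears to be safe only because every including page sets `$page` from `basename($_SERVER['SCRIPT_NAME'])` and the query part is allow-listed, neither of which this template itself enforces. Escaping at the output point, `<?=htmlspecialchars(\DEFAULT_URL.make_lang_href($page, $get_parms), ENT_QUOTES)?>`, keeps the attribute well-formed if a future page derives `$page` from something else.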
diff --git a/features.phtml b/features.phtml
index 8f8b400..476a4a0 100644
--- a/features.phtml
+++ b/features.phtml
@@ -1,5 +1,4 @@
 <?php
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Features");
   $description = T_("<span class=\"gnucash\">GnuCash</span> is powerful accounting software. Below are details of some of the numerous features that <span class=\"gnucash\">GnuCash</span> has to offer to its users.");
diff --git a/index.phtml b/index.phtml
index a1c6db2..0a05422 100644
--- a/index.phtml
+++ b/index.phtml
@@ -1,6 +1,5 @@
 <?php
 $homepage = true;
-include ("emulate_globals_on.php");
 include ("lang.php");
 $page = basename($_SERVER['SCRIPT_NAME']);
 // ^ alternate: __FILE__;
diff --git a/lang.php b/lang.php
index ba553a5..794558d 100644
--- a/lang.php
+++ b/lang.php
@@ -21,7 +21,9 @@ if (array_key_exists('lang_cookie', $_COOKIE)) {
 }
 
 # allow user override.
-if (array_key_exists('lang', $_GET)) { $locale = $_GET["lang"]; }
+$get_lang = filter_input(INPUT_GET, 'lang', FILTER_SANITIZE_STRING);
+
+if ($get_lang) { $locale = $get_lang; }
 
 # choose a default language based on the client browser's preferred
 # language list
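Review bot: `$locale` is taken from `$get_lang` with only `FILTER_SANITIZE_STRING` applied, which strips tags and encodes quotes but does not restrict the value to a known language; the `supported_languages` allow-list check this commit adds in externals/header.phtml guards the generated href, not `$locale`, which is later used for `substr($locale, 0, 2)` and presumably for the og:locale value. Unless lang.php validates `$locale` further down (outside this hunk), gate the override here as well, e.g. `if ($get_lang && array_key_exists($get_lang, $supported_languages)) { $locale = $get_lang; }`, assuming `$supported_languages` is in scope at this point. `FILTER_SANITIZE_STRING` is also deprecated from PHP 8.1; with a membership test in place the sanitizer adds nothing, so `FILTER_DEFAULT` plus the allow-list comparison is the more durable form.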
diff --git a/new_features-4.0.phtml b/new_features-4.0.phtml
index ec11236..5f55d79 100644
--- a/new_features-4.0.phtml
+++ b/new_features-4.0.phtml
@@ -1,5 +1,4 @@
 <?php
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Features");;
   $description = sprintf (T_("What's New in GnuCash %s"),"4.0");
diff --git a/news.phtml b/news.phtml
index 4df0986..9f8c897 100644
--- a/news.phtml
+++ b/news.phtml
@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("News");
 $description = T_("Announcement of New Releases, Server Maintenance …");
diff --git a/oldnews.phtml b/oldnews.phtml
index 1befbe4..ca9c989 100644
--- a/oldnews.phtml
+++ b/oldnews.phtml
@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Older Announcements");
 $description = T_("This is an archive of announcements that once appeared on the GnuCash home page.");
diff --git a/sizing.phtml b/sizing.phtml
index 549c078..c8c8bac 100644
--- a/sizing.phtml
+++ b/sizing.phtml
@@ -1,5 +1,4 @@
 <?php
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Sizing");
 $description = T_("This is an ancient page about Gnucash's code size.");
diff --git a/viewdoc.phtml b/viewdoc.phtml
index 66b5c55..69489ea 100644
--- a/viewdoc.phtml
+++ b/viewdoc.phtml
@@ -4,7 +4,6 @@
 # - help or guide (doc)
 # - doc version (rev)
 
-include("emulate_globals_on.php");
 include("lang.php");
 // Fixme: It is not trivial to reorder the components to get proper metatags
 $title = T_("View document");

commit 8b401283148ba6381c0034333297c689498b9a5c
Author: John Ralls <jralls at ceridwen.us>
Date:   Wed Aug 11 14:26:47 2021 -0700

    Eliminate extraneous noise after file name in .
    
    Removes XSS vector from the value being added to og:url meta element.

diff --git a/2.6-release-tour.phtml b/2.6-release-tour.phtml
index a6b9897..1f6351f 100644
--- a/2.6-release-tour.phtml
+++ b/2.6-release-tour.phtml
@@ -2,7 +2,7 @@
 include("lang.php");
 $title = T_("GnuCash 2.6 release tour");
 $description = T_("This tour will introduce you to new major features in <span class=\"gnucash\">GnuCash</span> 2.6.");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("emulate_globals_on.php");
 include("$top_dir/externals/header.phtml");
 include("$top_dir/externals/menu.phtml");
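Review bot: The same `$page = basename($_SERVER['SCRIPT_NAME']);` line is repeated here and in develdocs.phtml, docs.phtml, donate.phtml, download.phtml, features.phtml, index.phtml, new_features-4.0.phtml, news.phtml, oldnews.phtml, sizing.phtml and viewdoc.phtml; a single default in externals/header.phtml, `if (!isset($page)) { $page = basename($_SERVER['SCRIPT_NAME']); }`, would cover every page, including any that omits the assignment, and keeps the `PHP_SELF`-derived path (which carries client-supplied PATH_INFO) from creeping back into one file. `basename()` also drops any directory component, so for a page served below the site root the og:url would name only the file; whether any page in this repository lives in a subdirectory is not visible here (the `$top_dir` prefix on this file's include lines hints that some might).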
diff --git a/develdocs.phtml b/develdocs.phtml
index 8d09a09..87b1580 100644
--- a/develdocs.phtml
+++ b/develdocs.phtml
@@ -3,7 +3,7 @@ include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Writing Documentation");
 $description = T_("If you are interested in improving the <span class=\"gnucash\">GnuCash</span> documentation, you have come to the right place. This page will provide you with the necessary information to get started.");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("externals/header.phtml");
 include("externals/menu.phtml");
 ?>
diff --git a/docs.phtml b/docs.phtml
index b5dad0b..104f5ee 100644
--- a/docs.phtml
+++ b/docs.phtml
@@ -9,7 +9,7 @@
   include("lang.php");
   $title = T_("Documentation");
   $description = T_("The following links are to the <strong>English HTML editions of the current stable branch</strong> documentation. See further down the page for other <span class=\"gnucash\">GnuCash</span> versions, languages, and formats.");
-  $page = $_SERVER['PHP_SELF'];
+  $page = basename($_SERVER['SCRIPT_NAME']);
   $online = T_("Browse documentation online");
   $pdf = T_("Download documentation as PDF");
   $epub = T_("Download documentation as epub");
diff --git a/donate.phtml b/donate.phtml
index c492eb3..ff409b0 100644
--- a/donate.phtml
+++ b/donate.phtml
@@ -3,7 +3,7 @@
   include ("lang.php");
   $title = T_ ( "Donations" );
   $description = T_("<span class=\"gnucash\">GnuCash</span> is Free Software and is made available free of charge. Your donation, which is purely optional, supports our worldwide community. If you like the software, please consider a donation. We are only a handfull of developers and other volunteers serving countless users worldwide.");
-  $page = $_SERVER['PHP_SELF'];
+  $page = basename($_SERVER['SCRIPT_NAME']);
   include ("externals/header.phtml");
   include ("externals/menu.phtml");
 ?>
diff --git a/download.phtml b/download.phtml
index 1948188..a141bcd 100644
--- a/download.phtml
+++ b/download.phtml
@@ -4,7 +4,7 @@
   include("lang.php");
   $title = T_("Download");
   $description = T_("Download executable bundles of the <span class=\"gnucash\">GnuCash</span> program inclusive documentation or the source files here. Several versions are available for recent and older operating systems.");
-  $page = $_SERVER['PHP_SELF'];
+  $page = basename($_SERVER['SCRIPT_NAME']);
   include("externals/header.phtml");
   include("externals/menu.phtml"); 
 ?>
diff --git a/features.phtml b/features.phtml
index c0a0135..8f8b400 100644
--- a/features.phtml
+++ b/features.phtml
@@ -3,7 +3,7 @@
   include("lang.php");
   $title = T_("Features");
   $description = T_("<span class=\"gnucash\">GnuCash</span> is powerful accounting software. Below are details of some of the numerous features that <span class=\"gnucash\">GnuCash</span> has to offer to its users.");
-  $page = $_SERVER['PHP_SELF'];
+  $page = basename($_SERVER['SCRIPT_NAME']);
   include("$top_dir/externals/header.phtml");
   include("$top_dir/externals/menu.phtml");
 ?>
diff --git a/index.phtml b/index.phtml
index 4b0e16a..a1c6db2 100644
--- a/index.phtml
+++ b/index.phtml
@@ -2,7 +2,7 @@
 $homepage = true;
 include ("emulate_globals_on.php");
 include ("lang.php");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 // ^ alternate: __FILE__;
 include ("externals/header.phtml");
 include ("externals/menu.phtml");
diff --git a/new_features-4.0.phtml b/new_features-4.0.phtml
index d59e25e..ec11236 100644
--- a/new_features-4.0.phtml
+++ b/new_features-4.0.phtml
@@ -3,7 +3,7 @@
   include("lang.php");
   $title = T_("Features");;
   $description = sprintf (T_("What's New in GnuCash %s"),"4.0");
-  $page = $_SERVER['PHP_SELF'];
+  $page = basename($_SERVER['SCRIPT_NAME']);
   include("$top_dir/externals/header.phtml");
   include("$top_dir/externals/menu.phtml");
 ?>
diff --git a/news.phtml b/news.phtml
index 1947100..4df0986 100644
--- a/news.phtml
+++ b/news.phtml
@@ -3,7 +3,7 @@ include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("News");
 $description = T_("Announcement of New Releases, Server Maintenance …");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("externals/header.phtml");
 include("externals/menu.phtml");
 ?>
diff --git a/oldnews.phtml b/oldnews.phtml
index e3aad01..1befbe4 100644
--- a/oldnews.phtml
+++ b/oldnews.phtml
@@ -3,7 +3,7 @@ include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Older Announcements");
 $description = T_("This is an archive of announcements that once appeared on the GnuCash home page.");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("externals/header.phtml");
 include("externals/menu.phtml");
 ?>
diff --git a/sizing.phtml b/sizing.phtml
index b986c0b..549c078 100644
--- a/sizing.phtml
+++ b/sizing.phtml
@@ -3,7 +3,7 @@ include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Sizing");
 $description = T_("This is an ancient page about Gnucash's code size.");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("externals/header.phtml");
 include("externals/menu.phtml");
 ?>
diff --git a/viewdoc.phtml b/viewdoc.phtml
index e184b8b..66b5c55 100644
--- a/viewdoc.phtml
+++ b/viewdoc.phtml
@@ -8,7 +8,7 @@ include("emulate_globals_on.php");
 include("lang.php");
 // Fixme: It is not trivial to reorder the components to get proper metatags
 $title = T_("View document");
-$page = $_SERVER['PHP_SELF'];
+$page = basename($_SERVER['SCRIPT_NAME']);
 include("externals/header.phtml");
 include("externals/menu.phtml");
 

commit 9403a7fcb3e4b5b7531c4bb97d4348606f3aacab
Merge: 0d7df21 be872ed
Author: John Ralls <jralls at ceridwen.us>
Date:   Wed Aug 11 14:33:00 2021 -0700

    Merge branch 'master' into beta


commit 0d7df218dce07ad72c3928661307f26bf2634ae3
Author: John Ralls <jralls at ceridwen.us>
Date:   Tue Aug 10 15:44:25 2021 -0700

    Revert "More sanitizing."
    
    This reverts commit 3f869d4d8fe628f49ed0356c63accfc6813a1c60.

diff --git a/externals/header.phtml b/externals/header.phtml
index 0256aa9..7394899 100644
--- a/externals/header.phtml
+++ b/externals/header.phtml
@@ -8,30 +8,26 @@
   include("$top_dir/externals/global_params.php");
   if (!isset($title)) {
       $title = $GLOBALS["default_title"];
-  }
-  $full_title = filter_var($title, FILTER_SANITIZE_FULL_SPECIAL_CHARS)." | GnuCash";
+  };
+  $full_title = $title." | GnuCash";
   if (!isset($description)) {
       $description = $default_description;
-  } else {
-      $description = filter_var($description, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-  }
-  $page = filter_var($page, FILTER_SANITIZE_URL | FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+  };
 
   # This function will create a link to the given page
   # reusing the get parameters that were specified
   # with the option to override the language
   function make_lang_href($page, $get_parms, $lang)
   {
-      $query_lang = filter_input(INPUT_GET, $lang, FILTER_SANITIZE_STRING);
-      if ($query_lang)
-          $get_parms["lang"] = $query_lang;
+      if (isset($lang) && $lang != "") {
+          $get_parms["lang"] = $lang;
       }
       $url_get_query = http_build_query($get_parms);
       $lang_href = "$page"."?"."$url_get_query";
       return $lang_href;
   }
-
-  $get_parms = filter_var($_GET, FILTER_SANITIZE_STRING);
+  
+  $get_parms = $_GET;
 
   if (isset($locale)) {
       if (substr($locale, 0, 2) != 'zh') {
@@ -54,7 +50,7 @@
 <?php } //if ($can_utf)?>
 
     <title><?=$full_title?></title>
-    <meta name="description" content="<?=$description?>"/>
+    <meta name="description" content="<?=strip_tags($description)?>"/>
 
     <!--meta properties for facebook Open Graph-->
     <meta property="og:locale" content="<?=$locale_str?>"/>
@@ -67,10 +63,10 @@
     ?>
     <meta property="og:title" content="<?=$full_title?>"/>
     <meta property="og:type" content="website"/>
-    <meta property="og:url" content="<?=\DEFAULT_URL.$page?>"/>
+    <meta property="og:url" content="<?=\DEFAULT_URL.filter_var($page, FILTER_SANITIZE_URL)?>"/>
     <meta property="og:image" content="<?=\DEFAULT_URL."externals/logo_w120.png"?>"/>
     <meta property="og:site_name" content="GnuCash"/>
-    <meta property="og:description" content="<?=$description?>"/>
+    <meta property="og:description" content="<?=strip_tags($description)?>"/>
 <?php // end of Open Graph properties?>
 
     <link rel="stylesheet" href="<?=$home?>/externals/gnucash.css" type="text/css" />

commit 3f869d4d8fe628f49ed0356c63accfc6813a1c60
Author: John Ralls <jralls at ceridwen.us>
Date:   Tue Aug 10 15:40:41 2021 -0700

    More sanitizing.

diff --git a/externals/header.phtml b/externals/header.phtml
index 7394899..0256aa9 100644
--- a/externals/header.phtml
+++ b/externals/header.phtml
@@ -8,26 +8,30 @@
   include("$top_dir/externals/global_params.php");
   if (!isset($title)) {
       $title = $GLOBALS["default_title"];
-  };
-  $full_title = $title." | GnuCash";
+  }
+  $full_title = filter_var($title, FILTER_SANITIZE_FULL_SPECIAL_CHARS)." | GnuCash";
   if (!isset($description)) {
       $description = $default_description;
-  };
+  } else {
+      $description = filter_var($description, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+  }
+  $page = filter_var($page, FILTER_SANITIZE_URL | FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
   # This function will create a link to the given page
   # reusing the get parameters that were specified
   # with the option to override the language
   function make_lang_href($page, $get_parms, $lang)
   {
-      if (isset($lang) && $lang != "") {
-          $get_parms["lang"] = $lang;
+      $query_lang = filter_input(INPUT_GET, $lang, FILTER_SANITIZE_STRING);
+      if ($query_lang)
+          $get_parms["lang"] = $query_lang;
       }
       $url_get_query = http_build_query($get_parms);
       $lang_href = "$page"."?"."$url_get_query";
       return $lang_href;
   }
-  
-  $get_parms = $_GET;
+
+  $get_parms = filter_var($_GET, FILTER_SANITIZE_STRING);
 
   if (isset($locale)) {
       if (substr($locale, 0, 2) != 'zh') {
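Review bot: The new `if ($query_lang)` body has no opening brace, so the context `}` on the following line closes nothing and the file no longer parses; the filter call also passes `$lang` (the override argument) rather than the literal `'lang'` as the `filter_input` variable name. Separately, `filter_var($_GET, FILTER_SANITIZE_STRING)` on an array returns `false` unless `FILTER_REQUIRE_ARRAY` or `FILTER_FORCE_ARRAY` is given, and `FILTER_SANITIZE_URL | FILTER_SANITIZE_FULL_SPECIAL_CHARS` ORs two filter ids (they are not bit flags) into an unrelated value. This commit is reverted by 0d7df218 in the same push, so the note is for the record.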
@@ -50,7 +54,7 @@
 <?php } //if ($can_utf)?>
 
     <title><?=$full_title?></title>
-    <meta name="description" content="<?=strip_tags($description)?>"/>
+    <meta name="description" content="<?=$description?>"/>
 
     <!--meta properties for facebook Open Graph-->
     <meta property="og:locale" content="<?=$locale_str?>"/>
@@ -63,10 +67,10 @@
     ?>
     <meta property="og:title" content="<?=$full_title?>"/>
     <meta property="og:type" content="website"/>
-    <meta property="og:url" content="<?=\DEFAULT_URL.filter_var($page, FILTER_SANITIZE_URL)?>"/>
+    <meta property="og:url" content="<?=\DEFAULT_URL.$page?>"/>
     <meta property="og:image" content="<?=\DEFAULT_URL."externals/logo_w120.png"?>"/>
     <meta property="og:site_name" content="GnuCash"/>
-    <meta property="og:description" content="<?=strip_tags($description)?>"/>
+    <meta property="og:description" content="<?=$description?>"/>
 <?php // end of Open Graph properties?>
 
     <link rel="stylesheet" href="<?=$home?>/externals/gnucash.css" type="text/css" />



Summary of changes:
 2.6-release-tour.phtml |  3 +--
 develdocs.phtml        |  3 +--
 docs.phtml             |  3 +--
 donate.phtml           |  3 +--
 download.phtml         |  3 +--
 emulate_globals_on.php | 13 -------------
 externals/header.phtml | 20 +++++++++++++-------
 features.phtml         |  3 +--
 index.phtml            |  3 +--
 lang.php               |  4 +++-
 new_features-4.0.phtml |  3 +--
 news.phtml             |  3 +--
 oldnews.phtml          |  3 +--
 sizing.phtml           |  3 +--
 viewdoc.phtml          |  3 +--
 15 files changed, 28 insertions(+), 45 deletions(-)
 delete mode 100644 emulate_globals_on.php


