Changeset 3536:1e44804e7c85

Timestamp:

03/01/17 17:12:40 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

2.11

Message:

Sanitize filters params, thanks 张恒 (Janes) for report

Location:

admin

Files:

• blogs.php (modified) (4 diffs)
• users.php (modified) (3 diffs)

admin/blogs.php

@@ -67 +67 @@
 
 # - Status filter
-if ($status !== '' && in_array($status,$status_combo)) {
+if ($status !== '' && in_array($status,$status_combo,true)) {
      $params['blog_status'] = $status;
      $show_filters = true;
@@ -75 +75 @@
 
 # - Sortby and order filter
-if ($sortby !== '' && in_array($sortby,$sortby_combo)) {
-     if ($order !== '' && in_array($order,$order_combo)) {
+if ($sortby !== '' && in_array($sortby,$sortby_combo,true)) {
+     if ($order !== '' && in_array($order,$order_combo,true)) {
           $params['order'] = $sortby.' '.$order;
      }
-
-     if ($sortby != 'blog_upddt' || $order != 'desc') {
-          $show_filters = true;
-     }
+} else {
+     $sortby = 'blog_upddt';
+     $order = 'desc';
+}
+if ($sortby != 'blog_upddt' || $order != 'desc') {
+     $show_filters = true;
 }
 
@@ -158 +160 @@
 
      ($core->auth->isSuperAdmin() ?
-          '<div class="two-cols">'.
+          '<div class="two-cols clearfix">'.
           '<p class="col checkboxes-helpers"></p>'.
 
@@ -167 +169 @@
           '</div>'.
 
-          '<div>'.
-          '<p><label for="pwd">'.__('Please give your password to confirm blog(s) deletion:').'</label> '.
+          '<p><label for="pwd" class="classic">'.__('Please give your password to confirm blog(s) deletion:').'</label> '.
           form::password('pwd',20,255).'</p>'.
-          '</div>'.
 
           form::hidden(array('sortby'),$sortby).

admin/users.php

@@ -60 +60 @@
 $q = !empty($_GET['q']) ? $_GET['q'] : '';
 $sortby = !empty($_GET['sortby']) ?     $_GET['sortby'] : 'user_id';
-$order = !empty($_GET['order']) ?       $_GET['order'] : 'asc';
+$order = !empty($_GET['order']) ? $_GET['order'] : 'asc';
 
 $params['limit'] = array((($page-1)*$nb_per_page),$nb_per_page);
@@ -72 +72 @@
 
 # - Sortby and order filter
-if ($sortby !== '' && in_array($sortby,$sortby_combo)) {
+if ($sortby !== '' && in_array($sortby,$sortby_combo,true)) {
      if (array_key_exists($sortby,$sortby_lex)) {
           $params['order'] = $core->con->lexFields($sortby_lex[$sortby]);
@@ -78 +78 @@
           $params['order'] = $sortby;
      }
-     if ($order !== '' && in_array($order,$order_combo)) {
+     if ($order !== '' && in_array($order,$order_combo,true)) {
           $params['order'] .= ' '.$order;
      } else {
           $order='asc';
      }
-
-     if ($sortby != 'user_id' || $order != 'asc') {
-          $show_filters = true;
-     }
 } else {
      $sortby = 'user_id';
      $order = 'asc';
+}
+if ($sortby != 'user_id' || $order != 'asc') {
+     $show_filters = true;
 }