Cleanup last_message to use urlencode()

soewarsono · Dec 28, 2015 · 3b2128e · 3b2128e
1 parent c5978c4
commit 3b2128e
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 48 deletions.
diff --git a/add.php b/add.php
@@ -227,12 +227,12 @@ function is invoked. After the data is loaded for the chosen department, if the
         // Check to make sure the dir is available and writable
         if (!is_dir($GLOBALS['CONFIG']['dataDir'])) {
             $last_message=$GLOBALS['CONFIG']['dataDir'] . ' missing!';
-            header('Location:error.php?ec=23&last_message=' .$last_message);
+            header('Location:error.php?ec=23&last_message=' . urlencode($last_message));
             exit;
         } else {
             if (!is_writable($GLOBALS['CONFIG']['dataDir'])) {
                 $last_message=msg('message_folder_perms_error'). ': ' . $GLOBALS['CONFIG']['dataDir'] . ' ' . msg('message_not_writable');
-                header('Location:error.php?ec=23&last_message=' .$last_message);
+                header('Location:error.php?ec=23&last_message=' . urlencode($last_message));
                 exit;
             }
         }
@@ -406,7 +406,7 @@ function is invoked. After the data is loaded for the chosen department, if the
         callPluginMethod('onAfterAdd', $fileId);
     }
 
-    header('Location: details.php?id=' . $fileId . '&last_message=' . $message);
+    header('Location: details.php?id=' . $fileId . '&last_message=' . urlencode($message));
     exit;
 }
 draw_footer();
diff --git a/category.php b/category.php
@@ -42,8 +42,7 @@
 if (isset($_GET['submit']) && $_GET['submit'] == 'add') {
     draw_header(msg('area_add_new_category'), $last_message);
     ?>
-    <form id="categoryAddForm" action="category.php?last_message=<?php echo e::h($last_message);
-    ?>" method="GET" enctype="multipart/form-data">
+    <form id="categoryAddForm" action="category.php" method="GET" enctype="multipart/form-data">
         <table border="0" cellspacing="5" cellpadding="5">
             <tr>
                 <td><b><?php echo msg('category')?></b></td>
@@ -81,7 +80,7 @@
 
     // back to main page
     $last_message = urlencode(msg('message_category_successfully_added'));
-    header('Location:admin.php?last_message=' . $last_message);
+    header('Location:admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'delete') {
     // If demo mode, don't allow them to update the demo account
     if ($GLOBALS['CONFIG']['demo'] == 'True') {
@@ -166,8 +165,8 @@
     ));
 
     // back to main page
-    $last_message = urlencode(msg('message_category_successfully_deleted') . ' id:' . $_REQUEST['id']);
-    header('Location: admin.php?last_message=' . $last_message);
+    $last_message = msg('message_category_successfully_deleted') . ' id:' . $_REQUEST['id'];
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'deletepick') {
     $deletepick='';
     draw_header(msg('area_delete_category'). ' : ' .msg('choose'), $last_message);
@@ -229,8 +228,7 @@
         echo '</tr>';
     }
     ?>
-<form action="admin.php?last_message=<?php echo e::h($last_message);
-    ?>" method="POST" enctype="multipart/form-data">
+<form action="admin.php" method="POST" enctype="multipart/form-data">
     <tr>
         <td colspan="4" align="center"><div class="buttons"><button class="regular" type="submit" name="submit" value="Back"><?php echo msg('button_back')?></button></div></td>
     </tr>
@@ -256,7 +254,6 @@
     ?>
     <table border="0" cellspacing="5" cellpadding="5">
         <form action="<?php echo $_SERVER['PHP_SELF'];
-    ?>?last_message=<?php echo e::h($last_message);
     ?>" method="POST" enctype="multipart/form-data">
             <input type="hidden" name="state" value="<?php echo(e::h($_REQUEST['state']+1));
     ?>">
@@ -292,8 +289,7 @@
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'Update') {
     draw_header(msg('area_update_category'), $last_message);
     ?>
-<form id="updateCategoryForm" action="category.php?last_message=<?php echo e::a($last_message);
-    ?>" method="POST" enctype="multipart/form-data">
+<form id="updateCategoryForm" action="category.php" method="POST" enctype="multipart/form-data">
     <table border="0" cellspacing="5" cellpadding="5">
         <tr>
 <?php
@@ -391,9 +387,9 @@
     ));
 
     // back to main page
-    $last_message = urlencode(msg('message_category_successfully_updated') .' : ' . $_REQUEST['name']);
-    header('Location: admin.php?last_message=' . $last_message);
+    $last_message = msg('message_category_successfully_updated') .' : ' . $_REQUEST['name'];
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['cancel']) && $_REQUEST['cancel'] == 'Cancel') {
-    $last_message=urlencode(msg('message_action_cancelled'));
-    header('Location: admin.php?last_message=' . $last_message);
+    $last_message = msg('message_action_cancelled');
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 }
diff --git a/delete.php b/delete.php
@@ -44,7 +44,7 @@
         // Make sure directory is writable
         if (!mkdir($GLOBALS['CONFIG']['archiveDir'], 0775)) {
             $last_message='Could not create ' . $GLOBALS['CONFIG']['archiveDir'];
-            header('Location:error.php?ec=23&last_message=' . $last_message);
+            header('Location:error.php?ec=23&last_message=' . urlencode($last_message));
             exit;
         }
     }
@@ -70,7 +70,7 @@
     // Call the plugin API call for this section
     callPluginMethod('onAfterArchiveFile');
 
-    header('Location: out.php?last_message=' . $last_message);
+    header('Location: out.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'view_del_archive') {
 
     //publishable=2 for archive deletion
@@ -109,7 +109,7 @@
             exit;
         }
     }
-    header('Location:' . $redirect . '?last_message=' . msg('undeletepage_file_permanently_deleted'));
+    header('Location:' . urlencode($redirect) . '?last_message=' . urlencode(msg('undeletepage_file_permanently_deleted')));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'Undelete') {
     if (isset($_REQUEST['checkbox'])) {
         foreach ($_REQUEST['checkbox'] as $fileId) {
@@ -118,7 +118,7 @@
             fmove($GLOBALS['CONFIG']['archiveDir'] . $fileId . '.dat', $GLOBALS['CONFIG']['dataDir'] . $fileId . '.dat');
         }
     }
-    header('Location:' . $redirect . '?last_message=' . msg('undeletepage_file_undeleted'));
+    header('Location:' . urlencode($redirect) . '?last_message=' . urlencode(msg('undeletepage_file_undeleted')));
 }
 
 draw_footer();

diff --git a/department.php b/department.php
@@ -96,7 +96,7 @@
     if ($department == '') {
         $last_message=msg('departmentpage_department_name_required');
 
-        header('Location: admin.php?last_message=' . $last_message);
+        header('Location: admin.php?last_message=' . urlencode($last_message));
         exit;
     }
     //Check to see if this department is already in DB
@@ -106,7 +106,7 @@
     $result = $stmt->fetchAll();
 
     if ($stmt->rowCount() != 0) {
-        header('Location: error.php?ec=3&message=' . htmlentities($department) . ' already exist in the database');
+        header('Location: error.php?ec=3&message=' . urlencode($department) . ' already exist in the database');
         exit;
     }
 
@@ -140,7 +140,7 @@
 
     $num_rows = $stmt->rowCount();
     if ($num_rows != 1) {
-        header('Location: error.php?ec=14&message=unable to identify ' . $department);
+        header('Location: error.php?ec=14&message=' . urlencode('unable to identify ' . $department));
         exit;
     }
 
@@ -171,7 +171,7 @@
     // Call the plugin API
     callPluginMethod('onDepartmentAddSave', $result['id']);
 
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_POST['submit']) && $_POST['submit'] == 'Show Department') {
     // query to show item
     draw_header(msg('area_department_information'), $last_message);
@@ -213,8 +213,7 @@
         echo '<tr><td colspan="2">' . e::h($row['first_name']) . ' ' . e::h($row['last_name']) . '</td></tr>';
     }
     ?>
-                        <form action="admin.php?last_message=<?php echo e::h($last_message);
-    ?>" method="POST" enctype="multipart/form-data">
+                        <form action="admin.php" method="POST" enctype="multipart/form-data">
                             <tr>
                                 <td colspan="4" align="center"><div class="buttons"><button class="regular" type="Submit" name="" value="Back"><?php echo msg('button_back')?></button></div></td>
                             </tr>
@@ -228,7 +227,6 @@
     ?>
                             <table border="0" cellspacing="5" cellpadding="5">
                                 <form action="<?php echo $_SERVER['PHP_SELF'];
-    ?>?last_message=<?php echo e::h($last_message);
     ?>" method="POST" enctype="multipart/form-data">
                                     <tr>
                                     <input type="hidden" name="state" value="<?php echo(e::h($_GET['state']+1));
@@ -418,8 +416,8 @@
     $stmt->execute(array(':id' => $_REQUEST['id']));
 
     // back to main page
-    $last_message = urlencode(msg('message_all_actions_successfull') . ' id:' . (int) $_REQUEST['id']);
-    header('Location: admin.php?last_message=' . $last_message);
+    $last_message = msg('message_all_actions_successfull') . ' id:' . (int) $_REQUEST['id'];
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'modify') {
     $dept_obj = new Department($_REQUEST['item'], $pdo);
     draw_header(msg('area_update_department') .': ' . $dept_obj->getName(), $last_message);
@@ -527,7 +525,7 @@
     if ($name == '') {
         $last_message=msg('departmentpage_department_name_required');
 
-        header('Location: admin.php?last_message=' . $last_message);
+        header('Location: admin.php?last_message=' . urlencode($last_message));
         exit;
     }
 
@@ -541,7 +539,7 @@
     $result = $stmt->fetchAll();
 
     if ($stmt->rowCount() != 0) {
-        header('Location: error.php?ec=3&last_message=' . $_POST['name'] . ' already exist in the database');
+        header('Location: error.php?ec=3&last_message=' . urlencode($_POST['name'] . ' already exist in the database'));
         exit;
     }
 
@@ -559,7 +557,7 @@
     // Call the plugin API
     callPluginMethod('onDepartmentModifySave', $_REQUEST);
 
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) and $_REQUEST['submit'] == 'Cancel') {
     header('Location: admin.php?last_message=' . urlencode(msg('message_action_cancelled')));
 } else {

diff --git a/edit.php b/edit.php
@@ -265,13 +265,13 @@
         $update_dept_perms_stmt->execute();
     }
 
-    $message = urlencode('Document successfully updated');
+    $message = 'Document successfully updated';
 
     AccessLog::addLogEntry($fileId, 'M', $pdo);
 
     // Call the plugin API
     callPluginMethod('onAfterEditFile', $fileId);
 
-    header('Location: details.php?id=' . $fileId . '&last_message=' . $message);
+    header('Location: details.php?id=' . $fileId . '&last_message=' . urlencode($message));
 }
 draw_footer();
diff --git a/functions.php b/functions.php
@@ -149,7 +149,7 @@ function draw_header($pageTitle, $lastmessage = '')
 
 function draw_error($message)
 {
-    echo '<div id="last_message">' . htmlspecialchars($message) . '</div>';
+    echo '<div id="last_message">' . e::h($message) . '</div>';
 }
 
 function draw_footer()

diff --git a/rejects.php b/rejects.php
@@ -95,7 +95,7 @@
             $file_obj->Publishable(0);
         }
     }
-    header('Location:' . $_SERVER['PHP_SELF'] . '?mode=' . @$_REQUEST['mode'] . '&last_message='. msg('message_file_authorized'));
+    header('Location:' . $_SERVER['PHP_SELF'] . '?mode=' . urlencode(@$_REQUEST['mode']) . '&last_message='. urlencode(msg('message_file_authorized')));
 } elseif ($_POST['submit'] == 'delete') {
     if (!isset($_REQUEST['checkbox'])) {
         header('Location: ' .$_SERVER['PHP_SELF'] . '?last_message=' . urlencode(msg('message_you_did_not_enter_value')));
@@ -114,7 +114,7 @@
         }
         $url = substr($url, 0, strlen($url)-1);
     }
-    header('Location:'.$url.'&num_checkboxes=' . $loop);
+    header('Location:'. urlencode($url) .'&num_checkboxes=' . urlencode($loop));
 }
 
 ?>

diff --git a/toBePublished.php b/toBePublished.php
@@ -272,6 +272,6 @@
     echo $file_obj->getReviewerComments();
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'Cancel') {
     $last_message=urlencode(msg('message_action_cancelled'));
-    header('Location: toBePublished.php?last_message=' . $last_message);
+    header('Location: toBePublished.php?last_message=' . urlencode($last_message));
 }
     draw_footer();
diff --git a/udf.php b/udf.php
@@ -51,7 +51,7 @@
     udf_functions_add_udf();
 
     $last_message = urlencode(msg('message_udf_successfully_added') . ': ' . $_REQUEST['display_name']);
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && ($_REQUEST['submit'] == 'delete') && (isset($_REQUEST['item']))) {
 
     draw_header(msg('label_delete') . ' ' . msg('label_user_defined_fields'), $last_message);
@@ -85,7 +85,7 @@
 
     // back to main page
     $last_message = urlencode(msg('message_udf_successfully_deleted') . ': id=' . $_REQUEST['id']);
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'deletepick') {
     draw_header(msg('select') . ' ' . msg('label_user_defined_fields'), $last_message);
 
@@ -109,7 +109,7 @@
     draw_footer();
 } elseif (isset($_REQUEST['cancel']) && $_REQUEST['cancel'] == 'Cancel') {
     $last_message = urlencode('Action canceled');
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) && $_REQUEST['submit'] == 'edit') {
 
     draw_header(msg('edit') . ' ' . msg('label_user_defined_field'), $last_message);

diff --git a/udf_functions.php b/udf_functions.php
@@ -567,12 +567,12 @@ function udf_functions_add_udf()
         global $pdo;
 
         if (empty($_REQUEST['table_name'])) {
-            header('Location: admin.php?last_message=' . msg('message_udf_cannot_be_blank'));
+            header('Location: admin.php?last_message=' . urlencode(msg('message_udf_cannot_be_blank')));
             exit;
         }
 
         if (empty($_REQUEST['display_name'])) {
-            header('Location: admin.php?last_message=' . msg('message_udf_cannot_be_blank'));
+            header('Location: admin.php?last_message=' . urlencode(msg('message_udf_cannot_be_blank')));
             exit;
         }
 

diff --git a/user.php b/user.php
@@ -193,7 +193,7 @@
         // Call the plugin API call for this section
         callPluginMethod('onAfterAddUser');
 
-        header('Location: admin.php?last_message=' . $last_message);
+        header('Location: admin.php?last_message=' . urlencode($last_message));
     }
 } elseif (isset($_POST['submit']) && 'Delete User' == $_POST['submit']) {
     // Make sure they are an admin
@@ -224,7 +224,7 @@
 
     // back to main page
     $last_message = urlencode('#' . $_POST['id'] . ' ' . msg('message_user_successfully_deleted'));
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) and $_REQUEST['submit'] == 'Delete') {
     // If demo mode, don't allow them to update the demo account
     if (@$GLOBALS['CONFIG']['demo'] == 'True') {
@@ -481,7 +481,7 @@
     // back to main page
 
     $last_message = urlencode(msg('message_user_successfully_updated'));
-    header('Location: out.php?last_message=' . $last_message);
+    header('Location: out.php?last_message=' . urlencode($last_message));
 } elseif (isset($_REQUEST['submit']) and $_REQUEST['submit'] == 'updatepick') {
     draw_header(msg('userpage_modify_user'), $last_message);
 
@@ -509,7 +509,7 @@
     draw_footer();
 } elseif (isset($_REQUEST['cancel']) and $_REQUEST['cancel'] == 'Cancel') {
     $last_message = "Action Cancelled";
-    header('Location: admin.php?last_message=' . $last_message);
+    header('Location: admin.php?last_message=' . urlencode($last_message));
 } else {
     header('Location: admin.php?last_message=' . urlencode('Unrecognizalbe action'));
 }