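--- a/trunk/extensions/FundraiserLandingPage/FundraiserLandingPage.php
+++ b/trunk/extensions/FundraiserLandingPage/FundraiserLandingPage.php
@@ -38,7 +38,7 @@
  * or not they are passed through the querystring.
  */
 $wgFundraiserLPDefaults = array(
-	'template' => 'LandingPage',
-	'appeal' => 'appeal-brandon-1',
-	'form' => 'lp-form-US7amounts-extrainfo-noppval'
-);
+	'template' => 'Lp-wrapper',
+	'appeal' => 'Appeal-default',
+	'form' => 'Form-default'
+);
\ No newline at end of file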
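--- a/trunk/extensions/FundraiserLandingPage/FundraiserLandingPage.body.php
+++ b/trunk/extensions/FundraiserLandingPage/FundraiserLandingPage.body.php
@@ -17,31 +17,26 @@
 		$request = $this->getRequest();
 		$this->setHeaders();
 
-		# load the querystring variables
-		$values = $request->getValues();
-
 		# clear output variable to be safe
 		$output = '';
 
 		# get the required variables to use for the landing page
-		# (escaping with both htmlspecialchars and wfEscapeWikiText since the
-		# parameters are intending to reference templates)
-		$template = wfEscapeWikiText( htmlspecialchars( $request->getText( 'template', $wgFundraiserLPDefaults[ 'template' ] ) ) );
-		$appeal = wfEscapeWikiText( htmlspecialchars( $request->getText( 'appeal', $wgFundraiserLPDefaults[ 'appeal' ] ) ) );
-		$form = wfEscapeWikiText( htmlspecialchars( $request->getText( 'form', $wgFundraiserLPDefaults[ 'form' ] ) ) );
+		$template = $this->make_safe( $request->getText( 'template', $wgFundraiserLPDefaults[ 'template' ] ) );
+		$appeal = $this->make_safe( $request->getText( 'appeal', $wgFundraiserLPDefaults[ 'appeal' ] ) );
+		$form = $this->make_safe( $request->getText( 'form', $wgFundraiserLPDefaults[ 'form' ] ) );
 
 		# begin generating the template call
 		$output .= "{{ $template\n| appeal = $appeal\n| form = $form\n";
 
 		# add any parameters passed in the querystring
-		foreach ( $values as $k=>$v ) {
+		foreach ( $request->getValues() as $k_unsafe => $v_unsafe ) {
 			# skip the required variables
-			if ( $k == "template" || $k == "appeal" || $k == "form" ) {
+			if ( $k_unsafe == "template" || $k_unsafe == "appeal" || $k_unsafe == "form" ) {
 				continue;
 			}
 			# get the variables name and value
-			$key = wfEscapeWikiText( htmlspecialchars( $k ) );
-			$val = wfEscapeWikiText( htmlspecialchars( $v ) );
+			$key = $this->make_safe( $k_unsafe );
+			$val = $this->make_safe( $v_unsafe );
 			# print to the template in wiki-syntax
 			$output .= "| $key = $val\n";
 		}
@@ -51,4 +46,22 @@
 		# print the output to the page
 		$this->getOutput()->addWikiText( $output );
 	}
+
+	/**
+	 * This function limits the possible charactes passed as template keys and
+	 * values to letters, numbers, hypens and underscores. The function also
+	 * performs standard escaping of the passed values.
+	 *
+	 * @param $string The unsafe string to escape and check for invalid characters
+	 * @return mixed|String A string matching the regex or an empty string
+	 */
+	function make_safe( $string ) {
+		$num = preg_match( '([a-zA-Z0-9_-]+)', $string, $matches );
+
+		if ( $num == 1 ){
+			# theoretically this is overkill, but better safe than sorry
+			return wfEscapeWikiText( htmlspecialchars( $matches[0] ) );
+		}
+		return '';
+	}
 }
\ No newline at end of file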
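Review bot: `make_safe` (new lines 59–67) truncates rather than validates: in `'([a-zA-Z0-9_-]+)'` the parentheses are taken as the PCRE delimiter, leaving an unanchored `[a-zA-Z0-9_-]+`, so `preg_match` matches the first run of allowed characters anywhere in the input and `$matches[0]` silently drops everything else (`"foo bar"` → `"foo"`, `"<b>x"` → `"b"`). The returned value can therefore never contain a disallowed character, which is what the caller needs, but a value that was rewritten is indistinguishable from one that was accepted, and every passthrough querystring value with a space, dot or non-ASCII letter (new lines 39–40) now reaches the template mangled where it was previously escaped intact. If the intent is to reject such input, anchor the pattern with explicit delimiters and return the whole string, `if ( preg_match( '/^[a-zA-Z0-9_-]+$/', $string ) === 1 ) {` followed by `return wfEscapeWikiText( htmlspecialchars( $string ) );`, keeping the `return '';` fallthrough so a `preg_match` error (`false`) also yields an empty string. The docblock's `@return mixed|String` should read `@return string`, since both branches return a string, and "charactes"/"hypens" are typos.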