/**
 * Owner validation must reject values that carry HTML/script markup.
 *
 * Each payload below is a markup fragment aimed at a different HTML context
 * (bare tag, attribute-quote escape, tag-close escape, textarea break-out);
 * the validator is expected to report every one of them as invalid.
 */
function testHTMLInjections()
{
    $validator = new Valid_Widget_Owner();

    $payloads = array(
        '<script>alert(1);</script>',
        '"<script>alert(1);</script>',
        '"><script>alert(1);</script>',
        '</textarea><script>alert(1);</script>',
    );

    foreach ($payloads as $payload) {
        $this->assertFalse($validator->validate($payload));
    }
}
<?php require_once 'pre.php'; require_once 'common/widget/Widget.class.php'; require_once 'common/widget/WidgetLayoutManager.class.php'; require_once 'common/widget/Valid_Widget.class.php'; $lm = new WidgetLayoutManager(); $request =& HTTPRequest::instance(); $good = false; $redirect = '/'; $vOwner = new Valid_Widget_Owner('owner'); $vOwner->required(); if ($request->valid($vOwner)) { $owner = $request->get('owner'); $owner_id = (int) substr($owner, 1); $owner_type = substr($owner, 0, 1); switch ($owner_type) { case WidgetLayoutManager::OWNER_TYPE_USER: $owner_id = user_getid(); $redirect = '/my/'; $good = true; break; case WidgetLayoutManager::OWNER_TYPE_GROUP: $pm = ProjectManager::instance(); if ($project = $pm->getProject($owner_id)) { $group_id = $owner_id; $_REQUEST['group_id'] = $_GET['group_id'] = $group_id; $request->params['group_id'] = $group_id; //bad! $redirect = '/projects/' . $project->getUnixName(); $good = true;