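 /**
  * Render the meta tag stored under $name as an HTML <meta> element.
  *
  * The original only escaped the content; the name was concatenated raw into
  * the name="" attribute, so a key containing a double quote could break out
  * of the attribute. Both values are now escaped for their context.
  *
  * @param string $name key into self::$storage
  * @return string|null the <meta> element, or null when nothing is stored under $name
  */
 public function get($name)
 {
     if (!array_key_exists($name, self::$storage)) {
         return null;
     }
     $escaper = new \Phalcon\Escaper();
     $content = self::$storage[$name];
     // Attribute context: escapeHtmlAttr() for the key; the content keeps
     // escapeHtml() so the output for existing callers is unchanged.
     return '<meta name="' . $escaper->escapeHtmlAttr($name) . '" content="' . $escaper->escapeHtml($content) . '">';
 }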
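 /**
  * Render the meta tag stored under $name as an HTML <meta> element,
  * terminated by a newline.
  *
  * The original interpolated $name unescaped into the name="" attribute
  * while escaping only the content; a key containing a double quote could
  * therefore break out of the attribute. Both values are now escaped.
  *
  * @param string $name key into self::$storage
  * @return string|null the <meta> element plus "\n", or null when nothing is stored under $name
  */
 public function get($name)
 {
     if (!array_key_exists($name, self::$storage)) {
         return null;
     }
     $escaper = new \Phalcon\Escaper();
     $safeName = $escaper->escapeHtmlAttr($name);
     // Content keeps escapeHtml() so existing output is byte-identical for the value part.
     $safeContent = $escaper->escapeHtml(self::$storage[$name]);
     return "<meta name=\"{$safeName}\" content=\"{$safeContent}\">\n";
 }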
<?php

// CSS escaping demo: the non-alphanumeric characters in the input ('-', ':',
// space, '<', '>') come out as backslash-hex escapes, as the expected output
// below shows, so the angle brackets cannot terminate a <style> context.
$escaper = new \Phalcon\Escaper();
$cssSafe = $escaper->escapeCss('font-family: <Verdana>');
echo $cssSafe;
// font\2D family\3A \20 \3C Verdana\3E
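 /**
  * Build the view data for a user's profile page.
  *
  * Fills $this->view with: escaped social-contact markup, commission flags,
  * the profile and featured pictures, the latest uploads and favorites
  * (restricted to ratings the current viewer may see), watch counts, the
  * most recent journal, recent shouts and the shout form. Whenever an
  * adult-rated item is placed on the page, $this->fa->setPageHasMatureContent()
  * is called.
  *
  * Fix: the favorites filter ('ma' / 'a' hide modes) previously removed
  * entries with unset($filter[Upload::RATING_*]), i.e. used the rating VALUE
  * as an array KEY. $maturity_filter is a list with keys 0..n, so that could
  * not work for both list shapes and would silently leave hidden ratings in
  * the query. Ratings are now removed by value.
  *
  * @return void
  */
 public function indexAction()
 {
     // Compile all social info.
     $owner_social = array();
     $social_types = $this->config->fa->social->toArray();
     $escaper = new \Phalcon\Escaper();
     foreach ($social_types as $social_category => $social_items) {
         foreach ($social_items as $social_type => $social_info) {
             $owner_social_item = $this->owner->contact->{$social_type};
             if (empty($owner_social_item)) {
                 continue;
             }
             $social_image = $this->url->getStatic('img/contact/' . $social_type . '.gif');
             // The contact value is owner-supplied: attribute-escaped for title="",
             // URL-escaped before it is placed into the configured href format.
             $social_title = $social_info['name'] . ': ' . $escaper->escapeHtmlAttr($owner_social_item);
             if ($social_info['format']) {
                 $social_url = sprintf($social_info['format'], $escaper->escapeUrl($owner_social_item));
                 $owner_social[] = '<a href="' . $social_url . '" target="_blank"><img class="contacticon" src="' . $social_image . '" title="' . $social_title . '"></a>';
             } else {
                 $owner_social[] = '<img class="contacticon" src="' . $social_image . '" title="' . $social_title . '">';
             }
         }
     }
     $this->view->owner_social = $owner_social;
     // Commission information
     // NOTE(review): this flag is true when the owner has NO commission types —
     // confirm the view expects that polarity.
     $has_commissions = $this->owner->commission_types->count() == 0;
     $this->view->has_commissions = $has_commissions;
     $this->view->accept_trades = $this->owner->getVariable('accept_trades');
     $this->view->accept_commissions = $this->owner->getVariable('accept_commissions');
     // Maturity Rating Filter: a plain list (keys 0..n) of the ratings the
     // viewer is allowed to see; it is passed straight into the IN (:ratings) clauses.
     if ($this->fa->canSeeArt('adult')) {
         $maturity_filter = array(Upload::RATING_GENERAL, Upload::RATING_ADULT, Upload::RATING_MATURE);
     } elseif ($this->fa->canSeeArt('mature')) {
         $maturity_filter = array(Upload::RATING_GENERAL, Upload::RATING_MATURE);
     } else {
         $maturity_filter = array(Upload::RATING_GENERAL);
     }
     // Profile picture.
     if ($this->owner->profile_pic) {
         $profile_pic = Upload::find($this->owner->profile_pic);
         if ($profile_pic instanceof Upload && in_array($profile_pic->rating, $maturity_filter)) {
             if ($profile_pic->rating == Upload::RATING_ADULT) {
                 $this->fa->setPageHasMatureContent();
             }
             $this->view->profile_pic = $profile_pic;
         }
     }
     // Featured picture
     if ($this->owner->featured) {
         $featured_pic = Upload::find($this->owner->featured);
         if ($featured_pic instanceof Upload && in_array($featured_pic->rating, $maturity_filter)) {
             if ($featured_pic->rating == Upload::RATING_ADULT) {
                 $this->fa->setPageHasMatureContent();
             }
             $this->view->featured_pic = $featured_pic;
         }
     }
     // Upload data
     $uploads = $this->em->createQuery('SELECT up FROM Entity\\Upload up WHERE up.is_scrap = 0 AND up.rating IN (:ratings) AND up.user_id = :user_id ORDER BY up.id DESC')->setParameter('ratings', $maturity_filter)->setParameter('user_id', $this->owner->id)->setMaxResults(14)->execute();
     if ($uploads) {
         foreach ($uploads as $row) {
             if ($row->rating == Upload::RATING_ADULT) {
                 $this->fa->setPageHasMatureContent();
             }
         }
         $this->view->latest_uploads = $uploads;
     }
     // Favorite filters: the owner (or an administrator) always sees everything;
     // other viewers get the owner's hide_favorites preference applied on top
     // of the maturity filter.
     // NOTE(review): presumably $this->user is the logged-in user; if anonymous
     // viewers can reach this action with $this->user === null, ->id would warn — verify.
     $fav_maturity_filter = $maturity_filter;
     if ($this->acl->isAllowed('administer all') || $this->user->id == $this->owner->id) {
         $fav_filter = 'n';
     } else {
         $fav_filter = $this->owner->getVariable('hide_favorites');
     }
     switch ($fav_filter) {
         case 'e':
             // hide everything
             $fav_maturity_filter = null;
             break;
         case 'ma':
             // hide adult+mature (remove by value; the filter is a list)
             $fav_maturity_filter = array_values(array_diff(
                 $fav_maturity_filter,
                 array(Upload::RATING_MATURE, Upload::RATING_ADULT)
             ));
             break;
         case 'a':
             // hide adult (remove by value; the filter is a list)
             $fav_maturity_filter = array_values(array_diff(
                 $fav_maturity_filter,
                 array(Upload::RATING_ADULT)
             ));
             break;
         case 'n':
             // hide nothing
         default:
             // No changes.
             break;
     }
     // Favorites: skipped entirely when the filter is null ('e') or emptied.
     if (!empty($fav_maturity_filter)) {
         $latest_faves = $this->em->createQuery('SELECT f, up FROM Entity\\Favorite f JOIN f.upload up WHERE f.user_id = :user_id AND up.rating IN (:ratings) ORDER BY f.id DESC')->setParameter('user_id', $this->owner->id)->setParameter('ratings', $fav_maturity_filter)->setMaxResults(14)->execute();
         if ($latest_faves) {
             foreach ($latest_faves as $row) {
                 if ($row->rating == Upload::RATING_ADULT) {
                     $this->fa->setPageHasMatureContent();
                 }
             }
             $this->view->latest_faves = $latest_faves;
         }
     }
     // Watched by / Is watching counts
     $watched_by_count = $this->em->createQuery('SELECT COUNT(w.id) FROM Entity\\Watch w WHERE w.target_id = :user_id')->setParameter('user_id', $this->owner->id)->getSingleScalarResult();
     $this->view->num_watched_by = $watched_by_count;
     $watching_count = $this->em->createQuery('SELECT COUNT(w.id) FROM Entity\\Watch w WHERE w.user_id = :user_id')->setParameter('user_id', $this->owner->id)->getSingleScalarResult();
     $this->view->num_watching = $watching_count;
     // Most recent journal
     $journal = $this->em->createQuery('SELECT j FROM Entity\\Journal j WHERE j.user_id = :user_id ORDER BY j.id DESC')->setParameter('user_id', $this->owner->id)->setMaxResults(1)->getOneOrNullResult();
     $this->view->journal = $journal;
     // Shouts
     $shouts = $this->em->createQuery('SELECT s, us FROM Entity\\Shout s JOIN s.sender us WHERE s.recipient_id = :user_id ORDER BY s.id DESC')->setParameter('user_id', $this->owner->id)->setMaxResults(12)->execute();
     $this->view->shouts = $shouts;
     // New shout form.
     $shout_form_config = $this->current_module_config->forms->shout->toArray();
     $shout_form_config['action'] = $this->url->routeFromHere(array('action' => 'shout'));
     $shout_form = new \FA\Form($shout_form_config);
     $this->view->shout_form = $shout_form;
 }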
<?php

// One escaper instance is shared by every output context in the template below.
$e = new Phalcon\Escaper();

// Sample inputs that each try to break out of the context they are placed in:
// a document title carrying extra HTML tags,
$maliciousTitle = '</title><script>alert(1)</script>';
// a CSS class name,
$className = ';`(';
// a CSS font name that tries to close the <style> block,
$fontName = 'Verdana"</style>';
// and a JavaScript string literal that tries to close the <script> block.
$javascriptText = "';</script>Hello";
?>

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

    <title><?php 
echo $e->escapeHtml($maliciousTitle);
?>
</title>

    <style type="text/css">
        . <?php 
echo $e->escapeCss($className);
?>
 {
            font-family: "<?php 
echo $e->escapeCss($fontName);
?>