Commit 70000e68 authored by Gerhard Killesreiter's avatar Gerhard Killesreiter
Browse files

#58641, filter inserted locale strings, patch by myself.

parent 52379be1
......@@ -405,6 +405,7 @@ function _locale_string_edit($lid) {
function _locale_string_edit_submit($form_id, $form_values) {
$lid = $form_values['lid'];
foreach ($form_values as $key => $value) {
$value = filter_xss_admin($value);
$trans = db_fetch_object(db_query("SELECT translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $key));
if (isset($trans->translation)) {
db_query("UPDATE {locales_target} SET translation = '%s' WHERE lid = %d AND locale = '%s'", $value, $lid, $key);
......@@ -645,7 +646,7 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
}
// Some real string to import
else {
$comments = _locale_import_shorten_comments($value['#']);
$comments = filter_xss_admin(_locale_import_shorten_comments($value['#']));
// Handle a translation for some plural string
if (strpos($value['msgid'], "\0")) {
......@@ -667,11 +668,11 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
db_query("UPDATE {locales_source} SET location = '%s' WHERE lid = %d", $comments, $lid);
$trans2 = db_fetch_object(db_query("SELECT lid, translation, plid, plural FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
if (!$trans2->lid) { // no translation in current language
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
$additions++;
} // translation exists
else if ($mode == 'overwrite' || $trans2->translation == '') {
db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", $trans, $plid, $key, $lang, $lid);
db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", filter_xss_admin($trans), $plid, $key, $lang, $lid);
if ($trans2->translation == '') {
$additions++;
}
......@@ -681,10 +682,10 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
}
}
else { // no string
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english[$key]);
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, filter_xss_admin($english[$key]));
$loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english[$key]));
$lid = $loc->lid;
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
if ($trans != '') {
$additions++;
}
......@@ -704,11 +705,11 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
db_query("UPDATE {locales_source} SET location = '%s' WHERE source = '%s'", $comments, $english);
$trans = db_fetch_object(db_query("SELECT lid, translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
if (!$trans->lid) { // no translation in current language
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
$additions++;
} // translation exists
else if ($mode == 'overwrite') { //overwrite in any case
db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", $translation, $lang, $lid);
db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", filter_xss_admin($translation), $lang, $lid);
if ($trans->translation == '') {
$additions++;
}
......@@ -725,7 +726,7 @@ function _locale_import_one_string($value, $mode, $lang = NULL) {
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english);
$loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english));
$lid = $loc->lid;
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
if ($translation != '') {
$additions++;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment