Commit c231ce31 authored by Steven Wittens's avatar Steven Wittens

#97640: Do not xss filter locale strings on import or edit.

parent f46f6abe
......@@ -422,7 +422,6 @@ function _locale_string_edit($lid) {
function _locale_string_edit_submit($form_id, $form_values) {
$lid = $form_values['lid'];
foreach ($form_values['translations'] as $key => $value) {
$value = str_replace('&', '&', filter_xss_admin($value));
$trans = db_fetch_object(db_query("SELECT translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $key));
if (isset($trans->translation)) {
db_query("UPDATE {locales_target} SET translation = '%s' WHERE lid = %d AND locale = '%s'", $value, $lid, $key);
......@@ -714,7 +713,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
// Some real string to import
else {
$comments = filter_xss_admin(_locale_import_shorten_comments($value['#']));
$comments = _locale_import_shorten_comments($value['#']);
// Handle a translation for some plural string
if (strpos($value['msgid'], "\0")) {
......@@ -736,11 +735,11 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
db_query("UPDATE {locales_source} SET location = '%s' WHERE lid = %d", $comments, $lid);
$trans2 = db_fetch_object(db_query("SELECT lid, translation, plid, plural FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
if (!$trans2->lid) { // no translation in current language
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
$additions++;
} // translation exists
else if ($mode == 'overwrite' || $trans2->translation == '') {
db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", filter_xss_admin($trans), $plid, $key, $lang, $lid);
db_query("UPDATE {locales_target} SET translation = '%s', plid = %d, plural = %d WHERE locale = '%s' AND lid = %d", $trans, $plid, $key, $lang, $lid);
if ($trans2->translation == '') {
$additions++;
}
......@@ -750,10 +749,10 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
}
}
else { // no string
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, filter_xss_admin($english[$key]));
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, english[$key]);
$loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english[$key]));
$lid = $loc->lid;
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, filter_xss_admin($trans), $plid, $key);
db_query("INSERT INTO {locales_target} (lid, locale, translation, plid, plural) VALUES (%d, '%s', '%s', %d, %d)", $lid, $lang, $trans, $plid, $key);
if ($trans != '') {
$additions++;
}
......@@ -773,11 +772,11 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
db_query("UPDATE {locales_source} SET location = '%s' WHERE source = '%s'", $comments, $english);
$trans = db_fetch_object(db_query("SELECT lid, translation FROM {locales_target} WHERE lid = %d AND locale = '%s'", $lid, $lang));
if (!$trans->lid) { // no translation in current language
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
$additions++;
} // translation exists
else if ($mode == 'overwrite') { //overwrite in any case
db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", filter_xss_admin($translation), $lang, $lid);
db_query("UPDATE {locales_target} SET translation = '%s' WHERE locale = '%s' AND lid = %d", $translation, $lang, $lid);
if ($trans->translation == '') {
$additions++;
}
......@@ -794,7 +793,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english);
$loc = db_fetch_object(db_query("SELECT lid FROM {locales_source} WHERE source = '%s'", $english));
$lid = $loc->lid;
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, filter_xss_admin($translation));
db_query("INSERT INTO {locales_target} (lid, locale, translation) VALUES (%d, '%s', '%s')", $lid, $lang, $translation);
if ($translation != '') {
$additions++;
}
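Review bot: The `$` sigil is missing from `english[$key]` on the new side of the `INSERT INTO {locales_source}` line in the `@@ -750,10 +749,10 @@` hunk (the line that previously read `filter_xss_admin($english[$key])`); PHP would treat `english` as an undefined bareword constant and store the literal string `english` as the source, after which the following `SELECT lid FROM {locales_source} WHERE source = '%s'` lookup on `$english[$key]` would presumably miss the row just inserted. Unless this is a rendering artifact of the commit page, the line should read `db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", $comments, $english[$key]);`. Since every hunk here deliberately stops running `filter_xss_admin()` before the values reach the database, the stored source and translation strings are now unfiltered, so a short comment at the head of `_locale_import_one_string()` recording that any escaping is expected to happen where these strings are output would make that contract visible to later readers. The body of `_locale_import_one_string()` begins before its first hunk and continues past the last one shown.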
......