diff --git a/ecrire/balise/formulaire_inscription.php b/ecrire/balise/formulaire_inscription.php index 0dc97e695131d59e164e8ca856e2e0f98a7841fa..9c51756b2da5bb5e5ff505b3fbb2101478c99a12 100644 --- a/ecrire/balise/formulaire_inscription.php +++ b/ecrire/balise/formulaire_inscription.php @@ -115,7 +115,7 @@ function message_inscription($mail, $nom, $mode, $id_rubrique=0) { if (is_string($declaration)) return $declaration; - $row = spip_query("SELECT statut, id_auteur, login, email FROM spip_auteurs WHERE email='". addslashes($declaration['email']) . "'"); + $row = spip_query("SELECT statut, id_auteur, login, email FROM spip_auteurs WHERE email='". addslashes($declaration['email']) . "'"); $row = spip_fetch_array($row); if (!$row) diff --git a/ecrire/balise/formulaire_site.php b/ecrire/balise/formulaire_site.php index 3b9561ad671d60f48769347994a7217188b843e9..0a722c3ab081be53e699ba62a3ec8178d4a3b1e6 100644 --- a/ecrire/balise/formulaire_site.php +++ b/ecrire/balise/formulaire_site.php 
@@ -35,24 +35,27 @@ function balise_FORMULAIRE_SITE_stat($args, $filtres) { function balise_FORMULAIRE_SITE_dyn($id_rubrique) { - if (!_request('nom_site')) + $nom = _request('nom_site'); + if (!$nom) return array('formulaire_site', $GLOBALS['delais'], array('self' => str_replace('&', '&', self()) )); // Tester le nom du site - if (strlen (_request('nom_site')) < 2){ + if (strlen ($nom) < 2){ return _T('form_prop_indiquer_nom_site'); } // Tester l'URL du site include_spip('inc/sites'); - if (!recuperer_page(_request('url_site'))) + $url = _request('url_site'); + if (!recuperer_page($url)) return _T('form_pet_url_invalide'); // Integrer a la base de donnees - spip_abstract_insert('spip_syndic', "(nom_site, url_site, id_rubrique, descriptif, date, date_syndic, statut, syndication)", "('" . addslashes(_request('nom_site')) . "', '" . addslashes(_request('url_site')). "', " . intval($id_rubrique) .", '" . addslashes(_request('description_site')) . "', NOW(), NOW(), 'prop', 'non')"); + $desc = _request('description_site'); + spip_abstract_insert('spip_syndic', "(nom_site, url_site, id_rubrique, descriptif, date, date_syndic, statut, syndication)", "('" . addslashes($nom) . "', '" . addslashes($url). "', " . intval($id_rubrique) .", '" . addslashes($desc) . "', NOW(), NOW(), 'prop', 'non')"); return _T('form_prop_enregistre'); } diff --git a/ecrire/base/db_mysql.php b/ecrire/base/db_mysql.php index ae478859df67ea7be18d31ac1f755c3c4af44431..ec60078b37cb5e2dc4dc36e9c1d75779bb6080f9 100644 --- a/ecrire/base/db_mysql.php +++ b/ecrire/base/db_mysql.php @@ -269,8 +269,7 @@ function spip_get_lock($nom, $timeout = 0) { define('_LOCK_TIME', intval(time()/3600-316982)); $nom .= _LOCK_TIME; - $nom = addslashes($nom); - $q = spip_query("SELECT GET_LOCK('$nom', $timeout)"); + $q = spip_query("SELECT GET_LOCK('" . addslashes($nom) . "', $timeout)"); list($lock_ok) = spip_fetch_array($q); if (!$lock_ok) spip_log("pas de lock sql pour $nom"); 
@@ -284,8 +283,7 @@ function spip_release_lock($nom) { $nom .= _LOCK_TIME; - $nom = addslashes($nom); - spip_query("SELECT RELEASE_LOCK('$nom')"); + spip_query("SELECT RELEASE_LOCK('" . addslashes($nom) . "')"); } function spip_mysql_version() { diff --git a/ecrire/exec/install.php b/ecrire/exec/install.php index ab0309d14dc9e761ae7b4e15c4e7e54f5c38f69e..715382cb4d86ca22e3a18c1afbb1258b7a92c707 100644 --- a/ecrire/exec/install.php +++ b/ecrire/exec/install.php @@ -133,13 +133,13 @@ function install_6() if ($login) { include_spip('inc/charsets'); - $nom = addslashes(importer_charset($nom, _DEFAULT_CHARSET)); - $login = addslashes(importer_charset($login, _DEFAULT_CHARSET)); - $email = addslashes(importer_charset($email, _DEFAULT_CHARSET)); + $nom = (importer_charset($nom, _DEFAULT_CHARSET)); + $login = (importer_charset($login, _DEFAULT_CHARSET)); + $email = (importer_charset($email, _DEFAULT_CHARSET)); # pour le passwd, bizarrement il faut le convertir comme s'il avait # ete tape en iso-8859-1 ; car c'est en fait ce que voit md5.js $pass = unicode2charset(utf_8_to_unicode($pass), 'iso-8859-1'); - $result = spip_query("SELECT id_auteur FROM spip_auteurs WHERE login='$login'"); + $result = spip_query("SELECT id_auteur FROM spip_auteurs WHERE login='" . addslashes($login) . "'"); unset($id_auteur); if ($row = spip_fetch_array($result)) $id_auteur = $row['id_auteur']; 
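Review bot: The three assignments of the form `$nom = (importer_charset($nom, _DEFAULT_CHARSET));` keep a redundant pair of parentheses left over from removing `addslashes(...)`; write them as `$nom = importer_charset($nom, _DEFAULT_CHARSET);` (same for `$login` and `$email`). The same leftover parentheses appear in sites.php (`$nom_site = ($v['nom_site']);`), auth_ldap.php (`strtolower(($this->login))`) and the three `urls/*.php` hunks (`$url_propre = (preg_replace(...));`). install_6 continues past the hunk.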
@@ -148,10 +148,10 @@ function install_6() $htpass = generer_htpass($pass); if ($id_auteur) { - spip_query("UPDATE spip_auteurs SET nom='$nom', email='$email', login='$login', pass='$mdpass', alea_actuel='', alea_futur=FLOOR(32000*RAND()), htpass='$htpass', statut='0minirezo' WHERE id_auteur=$id_auteur"); + spip_query("UPDATE spip_auteurs SET nom='" . addslashes($nom) . "', email='" . addslashes($email) . "', login='" . addslashes($login) . "', pass='$mdpass', alea_actuel='', alea_futur=FLOOR(32000*RAND()), htpass='$htpass', statut='0minirezo' WHERE id_auteur=$id_auteur"); } else { - spip_query("INSERT INTO spip_auteurs (nom, email, login, pass, htpass, alea_futur, statut) VALUES('$nom','$email','$login','$mdpass','$htpass',FLOOR(32000*RAND()),'0minirezo')"); + spip_query("INSERT INTO spip_auteurs (nom, email, login, pass, htpass, alea_futur, statut) VALUES('" . addslashes($nom) . "','" . addslashes($email) . "','" . addslashes($login) . "','$mdpass','$htpass',FLOOR(32000*RAND()),'0minirezo')"); } // inserer email comme email webmaster principal diff --git a/ecrire/exec/message_edit.php b/ecrire/exec/message_edit.php index 20db66d40fd96ac4bf67bbcb930c09bf51347862..04448b180814aac3aa61dad75a8f686973436137 100644 --- a/ecrire/exec/message_edit.php +++ b/ecrire/exec/message_edit.php 
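Review bot: `pass='$mdpass'`, `htpass='$htpass'` and `WHERE id_auteur=$id_auteur` are still interpolated raw in both the UPDATE and the INSERT while `$nom`, `$email` and `$login` now go through `addslashes`. `$id_auteur` is read from the SELECT in the previous hunk and `$htpass` from `generer_htpass($pass)`; `$mdpass` is computed outside the hunk. If these are hash digests they contain no quote characters, but `intval($id_auteur)` and the same `addslashes` treatment for the two strings would make the statements uniformly safe rather than relying on that assumption. install_6 continues past the hunk.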
@@ -60,8 +60,8 @@ if ($new=='oui') { if ($type == 'pb') $statut = 'publie'; else $statut = 'redac'; - - $id_message = spip_abstract_insert("spip_messages", "(titre, date_heure, statut, type, id_auteur)", "('".addslashes(filtrer_entites(_T('texte_nouveau_message')))."', NOW(), '$statut', '$type', $connect_id_auteur)"); + $titre = filtrer_entites(_T('texte_nouveau_message')); + $id_message = spip_abstract_insert("spip_messages", "(titre, date_heure, statut, type, id_auteur)", "('".addslashes($titre)."', NOW(), '$statut', '$type', $connect_id_auteur)"); if ($rv) { spip_query("UPDATE spip_messages SET rv='oui', date_heure='" . addslashes($rv . ' 12:00:00') ."', date_fin= '" . addslashes($rv . ' 13:00:00') ."' WHERE id_message = $id_message"); diff --git a/ecrire/exec/mots_edit.php b/ecrire/exec/mots_edit.php index b44e34385b472fc0f8103c6be2154384220cb11e..ee7b9ebf73693d6521dc35d9467253647661626b 100644 --- a/ecrire/exec/mots_edit.php +++ b/ecrire/exec/mots_edit.php @@ -262,7 +262,8 @@ if ($connect_statut =="0minirezo" AND $connect_toutes_rubriques){ $row_groupes = spip_fetch_array($result); if (!$row_groupes) { // il faut creer un groupe de mots (cas d'un mot cree depuis le script articles) - $row_groupes['id_groupe'] = spip_abstract_insert("spip_groupes_mots", "(titre, unseul, obligatoire, articles, breves, rubriques, syndic, minirezo, comite, forum)", "('" . addslashes(_T('info_mot_sans_groupe')) . "', 'non', 'non', 'oui', 'oui', 'non', 'oui', 'oui', 'non', 'non'" . ")"); + $titre = _T('info_mot_sans_groupe'); + $row_groupes['id_groupe'] = spip_abstract_insert("spip_groupes_mots", "(titre, unseul, obligatoire, articles, breves, rubriques, syndic, minirezo, comite, forum)", "('" . addslashes($titre) . "', 'non', 'non', 'oui', 'oui', 'non', 'oui', 'oui', 'non', 'non'" . ")"); } echo "<input type='hidden' name='id_groupe' value='".$row_groupes['id_groupe']."'>"; } 
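Review bot: The new `$titre` is assigned at script scope inside `if ($new=='oui')`, so if message_edit.php already uses `$titre` for the message being edited (its other uses, if any, are outside the hunk) this assignment silently overwrites it; a name such as `$titre_nouveau` avoids the collision. The mots_edit.php hunk introduces a script-scope `$titre` the same way, in a script where the keyword's own title is plausibly also held in `$titre`. Separately, `'$statut', '$type', $connect_id_auteur` remain interpolated raw in the INSERT; `$statut` is one of two literals set just above, but if `$type` originates from the request it should be escaped or checked against the expected values before reaching the query.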
diff --git a/ecrire/exec/sites.php b/ecrire/exec/sites.php index 831218a95c29c191b60e59c142e6cf0606f0cc85..299f9ef5400de0323e57315ef2a6e24adbb924ac 100644 --- a/ecrire/exec/sites.php +++ b/ecrire/exec/sites.php @@ -102,20 +102,18 @@ if ($analyser_site == 'oui' AND $flag_editable) { $v = analyser_site($url); if ($v) { - $nom_site = addslashes($v['nom_site']); - $url_site = addslashes($v['url_site']); + $nom_site = ($v['nom_site']); if (!$nom_site) $nom_site = $url_site; - $url_syndic = trim(addslashes($v['url_syndic'])); - $descriptif = addslashes($v['descriptif']); + $url_syndic = trim($v['url_syndic']); + $descriptif = $v['descriptif']; $syndication = $v[syndic] ? 'oui' : 'non'; - $result = spip_query("UPDATE spip_syndic SET nom_site='$nom_site', url_site='$url_site', url_syndic='$url_syndic', descriptif='$descriptif', syndication='$syndication', statut='$statut' WHERE id_syndic=$id_syndic"); + $result = spip_query("UPDATE spip_syndic SET nom_site='" . addslashes($nom_site) . "', url_site='" . addslashes($url_site) . "', url_syndic='" . addslashes($url_syndic) . "', descriptif='" . addslashes($descriptif) . "', syndication='$syndication', statut='$statut' WHERE id_syndic=$id_syndic"); if ($syndication == 'oui') syndic_a_jour($id_syndic); $redirect = generer_url_ecrire('sites',("id_syndic=$id_syndic". ($redirect ? "&redirect=$redirect" : "")), true); $redirect_ok = 'oui'; } } - // // Ajout et suppression syndication // 
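Review bot: The removed line `$url_site = addslashes($v['url_site']);` has no replacement, yet `$url_site` is still read two lines later (`if (!$nom_site) $nom_site = $url_site;`) and written by the UPDATE's `url_site='...'`, so the query now stores whatever `$url_site` held before `analyser_site` ran instead of the value it returned. Restore it as `$url_site = $v['url_site'];` next to `$nom_site = $v['nom_site'];`, dropping the leftover parentheses in `($v['nom_site'])` at the same time. On the context line, `$v[syndic]` is a bare-constant array access and should be `$v['syndic']`.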
@@ -136,22 +134,17 @@ if ($nouveau_statut AND $flag_administrable) { } if (strval($nom_site)!='' AND $modifier_site == 'oui' AND $flag_editable) { - $nom_site = addslashes($nom_site); - $url_site = addslashes($url_site); - $descriptif = addslashes($descriptif); if (strlen($url_syndic) < 8) $syndication = "non"; - $url_syndic = trim(addslashes($url_syndic)); + $url_syndic = trim($url_syndic); // recoller les champs du extra if ($champs_extra) { include_spip('inc/extra'); - $add_extra = ", extra = '".addslashes(extra_recup_saisie("sites"))."'"; + $add_extra = extra_recup_saisie("sites"); } else $add_extra = ''; - - - spip_query("UPDATE spip_syndic SET id_rubrique='$id_rubrique', nom_site='$nom_site', url_site='$url_site', url_syndic='$url_syndic', descriptif='$descriptif', syndication='$syndication', statut='$statut' $add_extra WHERE id_syndic=$id_syndic"); + spip_query("UPDATE spip_syndic SET id_rubrique='$id_rubrique', nom_site='" . addslashes($nom_site) . "', url_site='" . addslashes($url_site) . "', url_syndic='" . addslashes($url_syndic) . "', descriptif='" . addslashes($descriptif) . "', syndication='$syndication', statut='$statut'". (!$add_extra ? '' : (", extra = '".addslashes($add_extra)."'")) . " WHERE id_syndic=$id_syndic"); propager_les_secteurs(); diff --git a/ecrire/inc/auth_ldap.php b/ecrire/inc/auth_ldap.php index 8555bff6290b36384830cd61f628f281d430c4b4..2c6e3e560342472f7c62a6f64fbe16a2cca5570a 100644 --- a/ecrire/inc/auth_ldap.php +++ b/ecrire/inc/auth_ldap.php 
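Review bot: The `(!$add_extra ? '' : ...)` guard drops the `extra` clause whenever `extra_recup_saisie("sites")` returns an empty string or `'0'`, whereas the old code wrote that value to the `extra` column unconditionally when `$champs_extra` was set; if that function returns an empty value when all extra fields are cleared, clearing them would no longer persist. Keep the decision on `$champs_extra`, e.g. `($champs_extra ? ", extra = '".addslashes($add_extra)."'" : '')`. `$id_rubrique`, `$syndication`, `$statut` and `$id_syndic` are still interpolated raw in the same statement; the enclosing `if` block continues past the hunk.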
@@ -121,20 +121,17 @@ class Auth_ldap { } function activer() { - $nom = addslashes($this->nom); - $login = strtolower(addslashes($this->login)); - $email = addslashes($this->email); - $bio = addslashes($this->bio); + $login = strtolower(($this->login)); $statut = $GLOBALS['meta']["ldap_statut_import"]; if (!$statut) return false; // Si l'auteur n'existe pas, l'inserer avec le statut par defaut (defini a l'install) - $n = spip_num_rows(spip_query("SELECT id_auteur FROM spip_auteurs WHERE login='$login'")); + $n = spip_num_rows(spip_query("SELECT id_auteur FROM spip_auteurs WHERE login='" . addslashes($login) . "'")); if ($n) return false; - $n = spip_query("INSERT IGNORE INTO spip_auteurs (source, nom, login, email, bio, statut, pass) VALUES ('ldap', '$nom', '$login', '$email', '$bio', '$statut', '')"); + $n = spip_query("INSERT IGNORE INTO spip_auteurs (source, nom, login, email, bio, statut, pass) VALUES ('ldap', '" . addslashes($this->nom) . "', '" . addslashes($login) . "', '" . addslashes($this->email) . "', '" . addslashes($this->bio) . "', '$statut', '')"); return $n; } diff --git a/ecrire/inc/barre.php b/ecrire/inc/barre.php index 7530ab242e837fd359b7bf773cc0524e91ecab10..bafa63240f73af137d42ac211abf1f4ceb9ef72c 100644 --- a/ecrire/inc/barre.php +++ b/ecrire/inc/barre.php 
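Review bot: `$statut`, taken from `$GLOBALS['meta']["ldap_statut_import"]`, is interpolated into the INSERT without escaping while every other column now uses `addslashes`; it is configuration rather than user input, but `'" . addslashes($statut) . "'` keeps the statement uniformly escaped. `strtolower(($this->login))` carries leftover double parentheses. The SELECT-then-`INSERT IGNORE` pair is untouched by the commit and still races between two concurrent first logins, which `INSERT IGNORE` only absorbs if `login` is a unique key; a one-line comment stating that assumption would help.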
@@ -61,15 +61,15 @@ function afficher_barre($champ, $forum=false, $lang='') { $col ++; // Lien hypertexte, notes de bas de page, citations - $ret .= bouton_barre_racc ("barre_demande('[','->',']', '".addslashes(_T('barre_lien_input'))."', $champ)", + $js = addslashes(_T('barre_lien_input')); + $ret .= bouton_barre_racc ("barre_demande('[','->',']', '$js', $champ)", "lien.png", _T('barre_lien'), $champhelp); if (!$forum) { $ret .= bouton_barre_racc ("barre_raccourci('[[',']]',$champ)", "notes.png", _T('barre_note'), $champhelp); - } - if ($forum) { - $ret .= " </td>\n<td>"; + } else { $col ++; - $ret .= bouton_barre_racc ("barre_raccourci('\n\n<quote>','</quote>\n\n',$champ)", "quote.png", _T('barre_quote'), $champhelp); + $ret .= " </td>\n<td>" + . bouton_barre_racc ("barre_raccourci('\n\n<quote>','</quote>\n\n',$champ)", "quote.png", _T('barre_quote'), $champhelp); } $ret .= " </td>"; diff --git a/ecrire/inc/getdocument.php b/ecrire/inc/getdocument.php index ce4ecf58b43cc934785f171222197a37adcdfbb5..20f7e9e9e9e38fe9a109cf9a4af26c116a63e239 100644 --- a/ecrire/inc/getdocument.php +++ b/ecrire/inc/getdocument.php @@ -359,9 +359,7 @@ function ajouter_un_document ($source, $nom_envoye, $type_lien, $id_lien, $mode, // passe "mode=document" et "id_document=.." (pas utilise) if (!$id_document) { // Inserer le nouveau doc et recuperer son id_ - $id_document = spip_abstract_insert("spip_documents", - "(id_type, titre, date, distant)", - "($id_type, '".addslashes($titre)."', NOW(), '$distant')"); + $id_document = spip_abstract_insert("spip_documents", "(id_type, titre, date, distant)", "($id_type, '".addslashes($titre)."', NOW(), '$distant')"); if ($id_lien AND preg_match('/^[a-z0-9_]+$/i', $type_lien) # securite diff --git a/ecrire/inc/import.php b/ecrire/inc/import.php index 42c79664b0e7cd776b3d6dc924590554ebe0240d..23f04c2528d5b820fa211c801e83d5a6ede195b7 100644 --- a/ecrire/inc/import.php +++ b/ecrire/inc/import.php 
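Review bot: `$js = addslashes(_T('barre_lien_input'))` is spliced into a JavaScript string literal that `bouton_barre_racc` presumably places in an HTML event attribute; `addslashes` escapes quotes and backslashes but not newlines, `<`, `&` or the attribute delimiter, so a translation containing one of those would break the markup. Translations are project-maintained, so the risk is low, but a comment on the line, `// addslashes only covers quotes/backslashes in the JS literal; translations must stay single-line`, records the constraint. The `if`/`else` rewrite of the `$forum` branches is equivalent to the two separate `if`s it replaces; afficher_barre continues past the hunk.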
@@ -234,7 +234,7 @@ function import_objet_1_2($f, $gz=false) { } else { $cols[] = $col; - $values[] = '"'.addslashes($value).'"'; + $values[] = "'" . addslashes($value) ."'"; if ($col == $id) $id_objet = $value; } } @@ -326,7 +326,7 @@ function import_objet_0_0($f, $gz=false) { } else if ($col != 'maj') { $cols[] = $col; - $values[] = '"'.addslashes($value).'"'; + $values[] = "'" . addslashes($value) ."'"; if ($is_art && ($col == 'id_article')) $id_article = $value; if ($is_mot && ($col == 'id_mot')) $id_mot = $value; } diff --git a/ecrire/inc/presentation.php b/ecrire/inc/presentation.php index 6314ba9648af1b6fb3755110af1d0953d46dfa2d..94d2cb3745de8540fae7cba7fe4f850dfe457323 100644 --- a/ecrire/inc/presentation.php +++ b/ecrire/inc/presentation.php @@ -1560,16 +1560,16 @@ function envoi_link($nom_site_spip, $rubrique="") { // CSS par defaut /spip_style.css $res = '<link rel="stylesheet" type="text/css" href="' - . find_in_path('spip_style.css').'" />' + . find_in_path('spip_style.css').'" />' . "\n" // CSS de secours en cas de non fonct de la suivante . '<link rel="stylesheet" type="text/css" href="' . _DIR_IMG_PACK - . 'style_prive_defaut.css" />' + . 'style_prive_defaut.css" />' . "\n" // CSS espace prive : la vrai . '<link rel="stylesheet" type="text/css" href="' - . generer_url_public('style_prive', $args) .'" /> -' + . generer_url_public('style_prive', $args) .'" />' . "\n" + // CSS calendrier . '<link rel="stylesheet" type="text/css" href="' . find_in_path('calendrier.css') .'" />' . "\n" 
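Review bot: `$col` is still appended to `$cols`, and hence to the generated SQL, unescaped and unvalidated, while `$value` now gets `addslashes`; both come from the import file. That file is presumably an administrator-supplied export, but an identifier check like the one getdocument.php applies to `$type_lien`, `preg_match('/^[a-z0-9_]+$/i', $col)`, is cheap insurance. The same holds for the `import_objet_0_0` hunk below; both functions extend past their hunks.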
@@ -1596,18 +1596,19 @@ function envoi_link($nom_site_spip, $rubrique="") { if ($spip_display == 4) return $res . $js; - $res .= "<link rel='alternate' type='application/rss+xml' - title=\"".entites_html($nom_site_spip)."\" href='" + $nom = entites_html($nom_site_spip); + + $res .= "<link rel='alternate' type='application/rss+xml' title=\"$nom\" href='" . generer_url_public('backend') . "' />\n"; $res .= "<link rel='help' type='text/html' title=\""._T('icone_aide_ligne') . "\" href='" . generer_url_ecrire('aide_index',"var_lang=$spip_lang") ."' />\n"; if ($GLOBALS['meta']["activer_breves"] != "non") - $res .= "\n<link rel='alternate' type='application/rss+xml' title='" - . addslashes($nom_site_spip) + $res .= "<link rel='alternate' type='application/rss+xml' title=\"" + . $nom . " ("._T("info_breves_03") - . ")' href='" . generer_url_public('backend-breves') . "' />\n"; + . ")\" href='" . generer_url_public('backend-breves') . "' />\n"; return $res . $js; } @@ -2850,9 +2851,9 @@ function fin_page($credits='') { function debloquer_article($arg, $texte) { $lien = _DIR_RESTREINT_ABS . parametre_url(self(), 'debloquer_article', $arg, '&'); return "<a href='" . generer_action_auteur('instituer', "collaboration $arg", $lien) . - "' title='" . - addslashes($texte) . - "'>$texte " . + "' title=\"" . + entites_html($texte) . + "\">$texte " . http_img_pack("croix-rouge.gif", ($arg=='tous' ? "" : "X"), "width='7' height='7' align='middle'") . "</a>"; diff --git a/ecrire/inc/rubriques.php b/ecrire/inc/rubriques.php index 4087cb16c5e7fa5c3b6bf53fbbf2564fc656c7f7..fd13c66d59d4fb5c3ab269270e4f3fbefb2efc75 100644 --- a/ecrire/inc/rubriques.php +++ b/ecrire/inc/rubriques.php 
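Review bot: `$texte` is now entity-encoded for the `title` attribute but still emitted raw as the link body on the very next line (`"\">$texte "`), so the two outputs disagree on whether `$texte` is trusted markup or plain text. If callers pass translated labels, both places can use `entites_html($texte)`; if they pass markup, the title should use `entites_html(strip_tags($texte))`, and either way the decision deserves a one-line docblock on the function. debloquer_article's closing brace lies outside the hunk.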
@@ -57,7 +57,7 @@ function calculer_rubriques() { GROUP BY rub.id_rubrique"); while ($row = spip_fetch_array($r)) spip_query("UPDATE spip_rubriques - SET statut_tmp='publie', date_tmp='".$row['date']."' + SET statut_tmp='publie', date_tmp='".$row['date_h']."' WHERE id_rubrique=".$row['id']); // Publier et dater les rubriques qui ont un site publie diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php index ada2e8fb0b1066a70a83d132244d0d73526efc3b..a062bbbdda602fe3251734f5ede4f86cbaeb4fde 100644 --- a/ecrire/inc/session.php +++ b/ecrire/inc/session.php @@ -49,18 +49,17 @@ function ajouter_session($auteur, $id_session, $lang='') { global $connect_id_auteur, $auteur_session; if ($lang) { - spip_query("UPDATE spip_auteurs SET lang = '". addslashes($lang) . "' WHERE id_auteur = $connect_id_auteur"); + spip_query("UPDATE spip_auteurs SET lang = '". addslashes($lang) . "' WHERE id_auteur = $connect_id_auteur"); $auteur_session['lang'] = $lang; } renouvelle_alea(); $fichier_session = fichier_session($id_session, $GLOBALS['meta']['alea_ephemere']); - $vars = array('id_auteur', 'nom', 'login', 'email', 'statut', 'lang', 'ip_change', 'hash_env'); $texte = "<"."?php\n"; - reset($vars); - while (list(, $var) = each($vars)) { - $texte .= "\$GLOBALS['auteur_session']['$var'] = '".addslashes($auteur[$var])."';\n"; + foreach (array('id_auteur', 'nom', 'login', 'email', 'statut', 'lang', 'ip_change', 'hash_env') AS $var) { + $code = addslashes($auteur[$var]); + $texte .= "\$GLOBALS['auteur_session']['$var'] = '$code';\n"; } $texte .= "?".">\n"; @@ -70,7 +69,8 @@ function ajouter_session($auteur, $id_session, $lang='') { function update_prefs_session($prefs, $id_auteur) { - spip_query("UPDATE spip_auteurs SET prefs = '".addslashes(serialize($prefs))."' WHERE id_auteur = $id_auteur"); + $prefs = serialize($prefs); + spip_query("UPDATE spip_auteurs SET prefs = '". addslashes($prefs). "' WHERE id_auteur = $id_auteur"); } // 
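Review bot: The switch from `$row['date']` to `$row['date_h']` relies on an alias defined in the SELECT above the hunk, which the diff does not show; a comment on the line, `// date_h: aggregated date alias from the SELECT above`, would tell the next reader why the column name differs from the `date_tmp` it feeds. `$row['id']` is interpolated raw into the WHERE; it comes from the database, but `intval($row['id'])` costs nothing. calculer_rubriques continues past the hunk.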
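Review bot: `WHERE id_auteur = $connect_id_auteur` in the UPDATE at the top of the hunk interpolates the global without a cast, and `update_prefs_session` in the next hunk does the same with its `$id_auteur` parameter; `intval(...)` on both keeps the id-based WHERE clauses safe regardless of where the value came from. In the `foreach`, `addslashes($auteur[$var])` written into a single-quoted PHP literal of the session file is the correct escape for that context (only `'` and `\` matter there), which is worth a short comment since that file is later executed; the keyword `AS` is conventionally lowercase. ajouter_session continues past the hunk.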
diff --git a/ecrire/public/balises.php b/ecrire/public/balises.php index 4edd7214a03a66a6b800b0997e1e595414967e73..331fb724bca91e3111313e4042bbd30f9e045341 100644 --- a/ecrire/public/balises.php +++ b/ecrire/public/balises.php @@ -118,7 +118,8 @@ function balise_DATE_NOUVEAUTES_dist($p) { } function balise_DOSSIER_SQUELETTE_dist($p) { - $p->code = "'" . addslashes(dirname($p->descr['sourcefile'])) . "'" ; + $code = addslashes(dirname($p->descr['sourcefile'])); + $p->code = "'$code'" . $p->interdire_scripts = false; return $p; } @@ -790,14 +791,6 @@ function balise_CHEMIN_dist($p) { $p->boucles, $p->id_boucle); - $args = calculer_liste($p->param[0][2], - $p->descr, - $p->boucles, - $p->id_boucle); - - if ($args != "''") - $p->code .= ','.$args; - // autres filtres (???) array_shift($p->param); } @@ -838,7 +831,7 @@ function balise_ENV_dist($p, $src = NULL) { $p->code = 'serialize('.$src.')'; } else { // admet deux arguments : nom de variable, valeur par defaut si vide - $p->code = $src.'["' . addslashes($nom) . '"]'; + $p->code = $src.'[\'' . addslashes($nom) . '\']'; if ($sinon) $p->code = 'sinon('. $p->code diff --git a/ecrire/public/references.php b/ecrire/public/references.php index 6e76c207ae9edace24946d066d5dd8446b5c11e4..fb7fb119918c0f32e8badd21cfd722c15fe74c2a 100644 --- a/ecrire/public/references.php +++ b/ecrire/public/references.php @@ -209,7 +209,8 @@ function calculer_balise($nom, $p) { // il faut recracher {...} quand ce n'est finalement pas des args if ($p->fonctions AND (!$p->fonctions[0][0]) AND $p->fonctions[0][1]) - {$p->code .= " . '" . addslashes($p->fonctions[0][1]) . "'";} + { $code = addslashes($p->fonctions[0][1]); + $p->code .= " . '$code'";} // ne pas passer le filtre securite sur les id_xxx if (strpos($nom, 'ID_') === 0) $p->interdire_scripts = false; diff --git a/ecrire/urls/html.php b/ecrire/urls/html.php index b6efb7342ee7184542c1b0e2bfc38d30e5bc47fc..9d574901907b1de385f395061f4ebae4da62ddc4 100644 --- a/ecrire/urls/html.php 
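Review bot: The new line `$p->code = "'$code'" .` ends with a concatenation operator instead of a semicolon, so it runs on into the next context line and parses as `$p->code = "'$code'" . ($p->interdire_scripts = false);`. It only works because `false` concatenates as an empty string; `$p->interdire_scripts` is still set, but the intent is clearly two statements: `$p->code = "'$code'";` followed by the unchanged `$p->interdire_scripts = false;`. The value is emitted into a single-quoted PHP literal, for which `addslashes` is the right escape.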
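Review bot: The rewritten block packs `{ $code = addslashes($p->fonctions[0][1]);` and `$p->code .= " . '$code'";}` onto the brace lines, which hides that the `if` body now holds two statements; put the braces and each statement on their own lines. As in balises.php, the value lands in a single-quoted PHP literal, so `addslashes` is the correct escape here. calculer_balise continues past the hunk.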
+++ b/ecrire/urls/html.php @@ -86,11 +86,11 @@ function recuperer_parametres_url($fond, $url) { if ($url_propre = $GLOBALS['_SERVER']['REDIRECT_url_propre'] OR $url_propre = $GLOBALS['HTTP_ENV_VARS']['url_propre'] AND preg_match(',^(article|breve|rubrique|mot|auteur|site)$,', $fond)) { - $url_propre = addslashes(preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', + $url_propre = (preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', '$1', $url_propre)); $r = "spip_" . table_objet($fond); $id = id_table_objet($fond); - $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '$url_propre'"); + $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '" . addslashes($url_propre) ."'"); if ($r AND $r = spip_fetch_array($r)) $contexte[$id] = $r['id']; } diff --git a/ecrire/urls/page.php b/ecrire/urls/page.php index 8ead7fb1a5d30c9722d27d9a71243fe47aacead6..c1e8bbedf690e00589db5ad73044206b803fce11 100644 --- a/ecrire/urls/page.php +++ b/ecrire/urls/page.php @@ -94,11 +94,11 @@ function recuperer_parametres_url(&$fond, $url) { if ($url_propre = $GLOBALS['_SERVER']['REDIRECT_url_propre'] OR $url_propre = $GLOBALS['HTTP_ENV_VARS']['url_propre'] AND preg_match(',^(article|breve|rubrique|mot|auteur|site)$,', $fond)) { - $url_propre = addslashes(preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', + $url_propre = (preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', '$1', $url_propre)); $r = "spip_" . table_objet($fond); $id = id_table_objet($fond); - $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '$url_propre'"); + $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '" . addslashes($url_propre) . "'"); if ($r AND $r = spip_fetch_array($r)) $contexte[$id] = $r['id']; } diff --git a/ecrire/urls/standard.php b/ecrire/urls/standard.php index 96e447e0eecb9957cbdd566943aa188bac4526fa..54189f90921252ca6f6f8f59de47a72f2a8235e7 100644 --- a/ecrire/urls/standard.php +++ b/ecrire/urls/standard.php 
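Review bot: `$url_propre = (preg_replace(...));` keeps a redundant outer pair of parentheses left over from the removed `addslashes(...)` call; it should read `$url_propre = preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', '$1', $url_propre);`, and the same leftover appears in the page.php and standard.php hunks. In the surrounding condition, `OR` binds looser than `AND`, so when `REDIRECT_url_propre` is set the `preg_match` on `$fond` is skipped entirely and an unvalidated `$fond` feeds `table_objet`/`id_table_objet` and the new query as identifiers; if any caller lets the request influence `$fond`, that check should be hoisted out of the condition. The function appears to continue past the hunk in all three files.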
@@ -62,11 +62,11 @@ function recuperer_parametres_url(&$fond, $url) { if ($url_propre = $GLOBALS['_SERVER']['REDIRECT_url_propre'] OR $url_propre = $GLOBALS['HTTP_ENV_VARS']['url_propre'] AND preg_match(',^(article|breve|rubrique|mot|auteur|site)$,', $fond)) { - $url_propre = addslashes(preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', + $url_propre = (preg_replace('/^[_+-]{0,2}(.*?)[_+-]{0,2}(\.html)?$/', '$1', $url_propre)); $r = "spip_" . table_objet($fond); $id = id_table_objet($fond); - $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '$url_propre'"); + $r = spip_query("SELECT $id AS id FROM $r WHERE url_propre = '" . addslashes($url_propre) . "'"); if ($r AND $r = spip_fetch_array($r)) $contexte[$id] = $r['id']; }