Use addslashes/stripslashes on the expt meta data.

f5028489 · Mac Newbold · b4492a01 · f5028489 · f5028489
Commit f5028489 authored May 29, 2003 by Mac Newbold
--- a/www/showexp.php3
+++ b/www/showexp.php3
@@ -53,7 +53,7 @@ $expstate = TBExptState($exp_pid, $exp_eid);

 echo "<font size=+2>Experiment <b>".
     "<a href='showproject.php3?pid=$pid'>$pid</a>/".
-     "$eid</b></font>\n";
+     "<a href='showexp.php3?pid=$pid&eid=$eid'>$eid</a></b></font>\n";
 echo "<br /><br />\n";
 SUBPAGESTART();

@@ -151,6 +151,9 @@ SUBMENUEND_2B();

 # if we got a submission of changes, update the db now...
 if ($submit) {
+    $exp_name = addslashes(str_replace('"',"",$exp_name));
+    $noswap = addslashes(str_replace('"',"",$noswap));
+    $noidleswap = addslashes(str_replace('"',"",$noidleswap));
    # exp name is always sent...
    $str = "expt_name=\"$exp_name\"";
    if (isset($noswap) && $noswap !="") {

--- a/www/showstuff.php3
+++ b/www/showstuff.php3
@@ -549,6 +549,7 @@ function SHOWEXP($pid, $eid, $edit=0) {

    $exp_gid     = $exprow[gid];
    #$exp_expires = $exprow[expt_expires];
+    $exp_name_safe= htmlspecialchars(stripslashes($exprow[expt_name]));
    $exp_name    = stripslashes($exprow[expt_name]);
    $exp_created = $exprow[expt_created];
    $exp_swapped = $exprow[expt_swapped];
@@ -564,10 +565,14 @@ function SHOWEXP($pid, $eid, $edit=0) {
    $batchstate  = $exprow[batchstate];
    $priority    = $exprow[priority];
    $swappable   = $exprow[swappable];
-    $noswap_reason = $exprow[noswap_reason];
+    $noswap_reason_safe =
+	htmlspecialchars(stripslashes($exprow[noswap_reason]));
+    $noswap_reason = stripslashes($exprow[noswap_reason]);
    $idleswap    = $exprow[idleswap];
    $idleswap_timeout = $exprow[idleswap_timeout];
-    $noidleswap_reason = $exprow[noidleswap_reason];
+    $noidleswap_reason_safe =
+	htmlspecialchars(stripslashes($exprow[noidleswap_reason]));
+    $noidleswap_reason = stripslashes($exprow[noidleswap_reason]);
    $autoswap    = $exprow[autoswap];
    $autoswap_timeout = $exprow[autoswap_timeout];
    $idle_ignore = $exprow[idle_ignore];
@@ -640,7 +645,8 @@ function SHOWEXP($pid, $eid, $edit=0) {
          </tr>\n";

    if ($edit) {
-	$exp_name_str = "<input type=text name=exp_name value=\"$exp_name\">";
+	$exp_name_str =
+	    "<input type=text name=exp_name size=30 value=\"$exp_name_safe\">";
    } else {
 	$exp_name_str = $exp_name;
    }