Merge branch 'develop' into feature/what-about-the-phone

longrunningprocess · web-flow · commit e56c2a9e67ce · 2017-07-03T13:47:07.000-04:00
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -19,6 +19,7 @@ services:
       ADMIN_EMAIL: "admin@example.org"
       SECRET_SALT: "FcJwl0zCDc4nuzOuQL9/7WPIj3hdfusGm2ny0dcRQm0="
       IDP_NAME: "The Hub"
+      ANALYTICS_ID: "UA-XXXX-Y"
   idp1:
     image: silintl/ssp-base:develop
     volumes:
diff --git a/themes/material/common-announcement.php b/themes/material/common-announcement.php
@@ -1,5 +1,5 @@
 <?php
-$announcement = $this->data['announcement'] ?? null;
+$announcement = htmlentities($this->data['announcement'] ?? null);
 
 if (! empty($announcement)) {
 ?>
diff --git a/themes/material/common-head-elements.php b/themes/material/common-head-elements.php
@@ -4,8 +4,7 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
 <?php
-$trackingId = $this->configuration->getValue('analytics.trackingId');
-
+$trackingId = htmlentities($this->configuration->getValue('analytics.trackingId'));
 if (! empty($trackingId)) {
 ?>
     <script>
@@ -28,7 +27,7 @@
 
 
 <?php
-$colors = $this->configuration->getValue('theme.color-scheme', 'indigo-purple');
+$colors = htmlentities($this->configuration->getValue('theme.color-scheme', 'indigo-purple'));
 ?>
 <link rel="stylesheet" href="/module.php/material/material.<?= $colors ?>.1.2.1.min.css">
 <link rel="stylesheet" href="/module.php/material/styles.2.2.0.css">
diff --git a/themes/material/core/loginuserpass.php b/themes/material/core/loginuserpass.php
@@ -1,22 +1,12 @@
 <!DOCTYPE html>
-<?php
-    $siteKey = $this->data['recaptcha.siteKey'] ?? null;
-    $username = $this->data['username'] ?? null;
-    $forgotPasswordUrl = $this->data['forgotPasswordUrl'] ?? null;
-    $csrfToken = $this->data['csrfToken'] ?? null;
-    $idpName = $this->configuration->getValue('idp_name', '—');
-
-    $errorCode = $this->data['errorcode'] ?? null;
-    $errorMessageKey = $this->data['errorparams'][1] ?? '{material:login:error_wronguserpass}';
-    $errorMessageTokens = $this->data['errorparams'][2] ?? [];
-?>
 <html>
 <head>
     <title><?= $this->t('{material:login:title}') ?></title>
 
     <?php include __DIR__ . '/../common-head-elements.php' ?>
 
     <?php
+    $siteKey = htmlentities($this->data['recaptcha.siteKey'] ?? null);
     if (! empty($siteKey)) {
     ?>
     <script src='https://www.google.com/recaptcha/api.js?onload=onRecaptchaLoad&render=explicit'
@@ -31,7 +21,7 @@ function onRecaptchaLoad() {
             var loginButton = document.querySelector('button');
 
             grecaptcha.render(loginButton, {
-                sitekey: '<?= htmlentities($siteKey) ?>',
+                sitekey: '<?= $siteKey ?>',
                 callback: submitForm
             });
         }
@@ -47,12 +37,19 @@ function onRecaptchaLoad() {
     <main class="mdl-layout__content" layout-children="column" child-spacing="center">
         <?php include __DIR__ . '/../common-announcement.php' ?>
 
+
         <form method="POST" action="<?= htmlentities($_SERVER['PHP_SELF']) ?>">
             <input type="hidden" name="AuthState"
-                   value="<?= htmlspecialchars($this->data['stateparams']['AuthState']) ?>" />
-            <input type="hidden" name="csrf-token" value="<?= htmlentities($csrfToken); ?>" />
+                   value="<?= htmlentities($this->data['stateparams']['AuthState']  ?? null) ?>" />
+            <?php
+            $csrfToken = htmlentities($this->data['csrfToken'] ?? null);
+            ?>
+            <input type="hidden" name="csrf-token" value="<?= $csrfToken ?>" />
 
             <div class="mdl-card mdl-shadow--8dp fill-phone-viewport">
+                <?php
+                $idpName = htmlentities($this->configuration->getValue('idp_name', '—'));
+                ?>
                 <div class="mdl-card__media white-bg margin" layout-children="column">
                     <img src="/logo.png"
                          alt="<?= $this->t('{material:login:logo}', ['{idpName}' => $idpName]) ?>">
@@ -69,8 +66,11 @@ function onRecaptchaLoad() {
                         <label for="username" class="mdl-textfield__label">
                             <?= $this->t('{material:login:label_username}') ?>
                         </label>
+                        <?php
+                        $username = htmlentities($this->data['username'] ?? null);
+                        ?>
                         <input type="text" name="username" class="mdl-textfield__input"
-                               value="<?= htmlspecialchars($username) ?>"
+                               value="<?= $username ?>"
                                <?= empty($username) ? 'autofocus' : '' ?> id="username"/>
                     </div>
 
@@ -84,8 +84,12 @@ function onRecaptchaLoad() {
                 </div>
 
                 <?php
+                $errorCode = htmlentities($this->data['errorcode']);
                 if ($errorCode == 'WRONGUSERPASS') {
-                    $message = $this->t($errorMessageKey, $errorMessageTokens);
+                    $errorMessageKey = $this->data['errorparams'][1] ?? '{material:login:error_wronguserpass}';
+                    $errorMessageTokens = $this->data['errorparams'][2] ?? null;
+
+                    $message = htmlentities($this->t($errorMessageKey, $errorMessageTokens));
                 ?>
                 <p class="mdl-color-text--red error">
                     <i class="material-icons">error</i>
@@ -104,9 +108,10 @@ function onRecaptchaLoad() {
 
                 <div class="mdl-card__actions" layout-children="row">
                     <?php
+                    $forgotPasswordUrl = htmlentities($this->data['forgotPasswordUrl'] ?? null);
                     if (! empty($forgotPasswordUrl)) {
                     ?>
-                    <a href="<?= htmlentities($forgotPasswordUrl) ?>" target="_blank"
+                    <a href="<?= $forgotPasswordUrl ?>" target="_blank"
                        class="mdl-button mdl-button--colored mdl-typography--caption">
                         <?= $this->t('{material:login:forgot}') ?>
                     </a>
diff --git a/themes/material/default/error.php b/themes/material/default/error.php
@@ -21,14 +21,14 @@
         </p>
 
         <?php
-        if ($this->data['showerrors']) {
+        if ($this->data['showerrors'] ?? false) {
         ?>
         <p class="mdl-typography--body-2">
-            <?= htmlspecialchars($this->data['error']['exceptionMsg']) ?>
+            <?= htmlentities($this->data['error']['exceptionMsg'] ?? null) ?>
         </p>
 
         <pre class="mdl-typography--caption">
-            <?= htmlspecialchars($this->data['error']['exceptionTrace']) ?>
+            <?= htmlentities($this->data['error']['exceptionTrace'] ?? null) ?>
         </pre>
         <?php
         }
diff --git a/themes/material/default/selectidp-links.php b/themes/material/default/selectidp-links.php
@@ -40,11 +40,11 @@ function clickedAnyway(idpName) {
         <form action="<?= htmlentities($_SERVER['PHP_SELF']) ?>"
               layout-children="row" child-spacing="space-around">
             <input type="hidden" name="entityID"
-                   value="<?= htmlspecialchars($this->data['entityID']) ?>" />
+                   value="<?= htmlentities($this->data['entityID'] ?? null) ?>" />
             <input type="hidden" name="return"
-                   value="<?= htmlspecialchars($this->data['return']) ?>" />
+                   value="<?= htmlentities($this->data['return'] ?? null) ?>" />
             <input type="hidden" name="returnIDParam"
-                   value="<?= htmlspecialchars($this->data['returnIDParam']) ?>" />
+                   value="<?= htmlentities($this->data['returnIDParam'] ?? null) ?>" />
 
             <?php
             // in order to bypass some built-in simplesaml behavior, an extra idp
@@ -59,8 +59,8 @@ function clickedAnyway(idpName) {
             }
 
             foreach ($enabledIdps as $idp) {
-                $name = htmlspecialchars($this->t($idp['name']));
-                $idpId = htmlspecialchars($idp['entityid']);
+                $name = htmlentities($this->t($idp['name'] ?? null));
+                $idpId = htmlentities($idp['entityid'] ?? null);
                 $hoverText = $this->t('{material:selectidp:enabled}', ['{idpName}' => $name]);
             ?>
             <div class="mdl-card mdl-shadow--8dp row-aware" title="<?= $hoverText ?>">
@@ -78,8 +78,8 @@ function clickedAnyway(idpName) {
 
             <?php
             foreach ($disabledIdps as $idp) {
-                $name = htmlspecialchars($this->t($idp['name']));
-                $idpId = htmlspecialchars($idp['entityid']);
+                $name = htmlentities($this->t($idp['name'] ?? null));
+                $idpId = htmlentities($idp['entityid'] ?? null);
                 $hoverText = $this->t('{material:selectidp:disabled}', ['{idpName}' => $name]);
             ?>
             <div class="mdl-card mdl-shadow--2dp disabled row-aware" title="<?= $hoverText ?>"
