Merge branch 'develop'

Indicia-Team · Jul 21, 2017 · 4d9f455 · 4d9f455
2 parents be1f138 + f45a17c
commit 4d9f455
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/helper_base.php b/helper_base.php
@@ -1984,7 +1984,8 @@ protected static function get_help_text($options, $pos) {
   }
 
   /**
-   * Takes a template string (e.g. <div id="{id}">) and replaces the tokens with the equivalent values looked up from the $options array.
+   * Takes a template string (e.g. <div id="{id}">) and replaces the tokens with the equivalent values looked up from 
+   * the $options array. Tokens suffixed |escape have HTML escaping applied, e.g. <div id="{id}">{value|escape}</div>
    * @param string $template The templatable string.
    * @param string $options The array of items which can be merged into the template.
    */
@@ -1996,6 +1997,8 @@ protected static function apply_replacements_to_template($template, $options) {
       if (!is_array($options[$option]) && !is_object($options[$option])) {
         array_push($replaceTags, '{'.$option.'}');
         array_push($replaceValues, $options[$option]);
+        array_push($replaceTags, '{'.$option.'|escape}');
+        array_push($replaceValues, htmlspecialchars($options[$option]));
       }
     }
     return str_replace($replaceTags, $replaceValues, $template);

diff --git a/prebuilt_forms/includes/report_filters.php b/prebuilt_forms/includes/report_filters.php
@@ -506,6 +506,7 @@ public function get_controls() {
         'V1' => lang::get('Accepted as correct records only'),
         'V' => lang::get('Accepted records only'),
         '-3' => lang::get('Reviewer agreed at least plausible'),
+        'C3' => lang::get('Plausible records only'),
         'C' => lang::get('Recorder was certain'),
         'L' => lang::get('Recorder thought the record was at least likely'),
         'P' => lang::get('Not reviewed'),

diff --git a/prebuilt_forms/record_details_2.php b/prebuilt_forms/record_details_2.php
@@ -248,7 +248,7 @@ protected static function get_control_recorddetails($auth, $args, $tabalias, $op
     $fields=helper_base::explode_lines($args['fields']);
     $fieldsLower=helper_base::explode_lines(strtolower($args['fields']));
     //Draw the Record Details, but only if they aren't requested as hidden by the administrator
-    $attrsTemplate='<div class="field ui-helper-clearfix"><span>{caption}:</span>{anchorfrom}<span{class}>{value}</span>{anchorto}</div>';
+    $attrsTemplate='<div class="field ui-helper-clearfix"><span>{caption}:</span>{anchorfrom}<span{class}>{value|escape}</span>{anchorto}</div>';
     $test=$args['operator']==='in';
     $availableFields = array(
       'sensitive'=>'Sensitive',
@@ -302,8 +302,8 @@ protected static function get_control_recorddetails($auth, $args, $tabalias, $op
         if ($field === 'preferred_taxon' && !empty(self::$record['preferred_authority']))
           $value = "$value " . self::$record['preferred_authority'];
         $details_report .= str_replace(
-          array('{caption}', '{value}', '{class}', '{anchorfrom}', '{anchorto}'),
-          array(lang::get($caption), $value, $class, $anchorfrom, $anchorto),
+          array('{caption}', '{value|escape}', '{class}', '{anchorfrom}', '{anchorto}'),
+          array(lang::get($caption), htmlspecialchars($value), $class, $anchorfrom, $anchorto),
           $attrsTemplate
         );
       }