Improved protection from mass bot registrations.

[timetracker.git] / WEB-INF / lib / ttGroupExportHelper.class.php

diff --git a/WEB-INF/lib/ttGroupExportHelper.class.php b/WEB-INF/lib/ttGroupExportHelper.class.php
index f2290fb..8a7b7e7 100644 (file)
--- a/WEB-INF/lib/ttGroupExportHelper.class.php
+++ b/WEB-INF/lib/ttGroupExportHelper.class.php
@@ -123,7 +123,8 @@ class ttGroupExportHelper {
 
     // Write group info.
     $group = $this->getGroupAttrs();
-    $group_part = "<group name=\"".htmlspecialchars($group['name'])."\"";
+    $group_part = "<group group_key=\"".htmlspecialchars($group['group_key'])."\"";
+    $group_part .= " name=\"".htmlspecialchars($group['name'])."\"";
     $group_part .= " description=\"".htmlspecialchars($group['description'])."\"";
     $group_part .= " currency=\"".htmlspecialchars($group['currency'])."\"";
     $group_part .= " decimal_mark=\"".$group['decimal_mark']."\"";
@@ -387,7 +388,7 @@ class ttGroupExportHelper {
         $log_part .= " task_id=\"".$this->taskMap[$record['task_id']]."\"";
         $log_part .= " timesheet_id=\"".$this->timesheetMap[$record['timesheet_id']]."\"";
         $log_part .= " invoice_id=\"".$this->invoiceMap[$record['invoice_id']]."\"";
-        $log_part .= " comment=\"".htmlspecialchars($record['comment'])."\"";
+        $log_part .= " comment=\"".$this->encodeLineBreaks($record['comment'])."\"";
         $log_part .= " billable=\"".$record['billable']."\"";
         $log_part .= " approved=\"".$record['approved']."\"";
         $log_part .= " paid=\"".$record['paid']."\"";
@@ -459,7 +460,7 @@ class ttGroupExportHelper {
         $expense_item_part .= " user_id=\"".$this->userMap[$expense_item['user_id']]."\"";
         $expense_item_part .= " client_id=\"".$this->clientMap[$expense_item['client_id']]."\"";
         $expense_item_part .= " project_id=\"".$this->projectMap[$expense_item['project_id']]."\"";
-        $expense_item_part .= " name=\"".htmlspecialchars($expense_item['name'])."\"";
+        $expense_item_part .= " name=\"".$this->encodeLineBreaks($expense_item['name'])."\"";
         $expense_item_part .= " cost=\"".$expense_item['cost']."\"";
         $expense_item_part .= " invoice_id=\"".$this->invoiceMap[$expense_item['invoice_id']]."\"";
         $expense_item_part .= " approved=\"".$expense_item['approved']."\"";
@@ -495,7 +496,7 @@ class ttGroupExportHelper {
       foreach ($templates as $template) {
         $template_part = $this->indentation.'    '."<template name=\"".htmlspecialchars($template['name'])."\"";
         $template_part .= " description=\"".htmlspecialchars($template['description'])."\"";
-        $template_part .= " content=\"".htmlspecialchars($template['content'])."\"";
+        $template_part .= " content=\"".$this->encodeLineBreaks($template['content'])."\"";
         $template_part .= " status=\"".$template['status']."\"";
         $template_part .= "></template>\n";
         fwrite($this->file, $template_part);
@@ -634,4 +635,18 @@ class ttGroupExportHelper {
 
     fwrite($this->file, $this->indentation."</group>\n");
   }
+
+  // encodeLineBreaks encodes line breaks with an escape sequence.
+  // We do this, because our strings are attribute values inside XML tags.
+  //
+  // If we don't, we lose line breaks after importing data because
+  // XML parser converts line breaks into a single white character.
+  //
+  // TODO: investigate whether we need to encode \t, etc.
+  private function encodeLineBreaks($source) {
+    $result = htmlspecialchars($source);
+    $result = str_replace ("\n", '&#10;', $result);
+    $result = str_replace ("\r", '&#13;', $result);
+    return $result;
+  }
 }