[#6736] Error message from unescaped $string in language file

Created By: Deleted User (deleteduser_11200)
Date Submitted: Thu Aug 04 05:22:21 -0400 2011

Assigned To:
Version: None
CMSMS Version:
Severity: Minor
Resolution: None
State: Open
Detailed Description:
Your language file: modules/youtubeplayer/lang/en_US.php contains a variable
which is not escaped.

It is not a show stopper but error logs are written every time the youtubeplayer
module is called:

PHP Notice:  Undefined variable: userids in
/home/shared/web/knbf/public/modules/youtubeplayer/lang/en_US.php on line 276
PHP Notice:  Undefined variable: userids in
/home/shared/web/knbf/public/modules/youtubeplayer/lang/en_US.php on line 287


{assign var=userids
value=$gCms->modules.FrontEndUsers.object->LoggedinId()}<br />
{assign var=username
value=$gCms->modules.FrontEndUsers.object->GetUserName($userids)}<br />
                    {cms_module module=FrontEndUsers}<br />
                    {if $userids!=''}
{cms_module module=\"youtubeplayer\"
action=\"frontend_edit\" what=\"videos\"}<br />


{assign var=userids
value=$gCms->modules.FrontEndUsers.object->LoggedinId()}<br />
{assign var=username
value=$gCms->modules.FrontEndUsers.object->GetUserName(\$userids)}<br />
                    {cms_module module=FrontEndUsers}<br />
                    {if \$userids!=''}
{cms_module module=\"youtubeplayer\"
action=\"frontend_edit\" what=\"videos\"}<br />


Date: 2012-07-03 07:52
Posted By: Tann San (Tann San)

Hi, this bug is still present in the latest version CMS 1.10.3 youtubeplayer
1.3.1.  I took the advice from this page
( and removed the
error which got rid of the PHP notice.  Here is the bit I altered:

$lang["help"] = '<h3>What Does This Do?</h3>
<p>This module manages and displays an item catalogue of youtube videos.</p>
			<br/><h3>How Do I Use It?</h3>
<p>Make sure your users have the appropriate permissions. If you are not
using the access restriction option (see settings), the "youtubeplayer: Normal
user" permission will be enough to use the module. In the settings tab, you can
choose which tabs will be displayed for the normal user. Only the administrator
and users with the "youtubeplayer: Advanced" permission will have access to
settings tab.<br/>
If you wish to define level-specific permissions, activate the access
restriction option in the settings tab and give the "youtubeplayer: Manage
name_of_level" permission to the appropriate users.</p>
					<p>To call the module, simply use the following tag:<br/>
					{cms_module module="youtubeplayer"}</p>
<p>In this case the list of the last level elements (videos) will be
displayed. To select a level, use the "what" parameter:<br/>
					{cms_module module="youtubeplayer" what="videos"}<br/>
<i>The possible values for the "what" parameter are : category,
					<p>You may also ask for elements who belong to a specific parent:<br/>
					{cms_module module="youtubeplayer" parent="alias_of_parent"}</p>
					<p>You may finally ask for a specific element:<br>
					{cms_module module="youtubeplayer" alias="alias_of_item"}</p>
				<br/><h4>Separating into pages</h4>
					<p>You may limit the number of items to be shown on one page:<br/>
					{cms_module module="youtubeplayer" nbperpage="5"}<br/>
					The page menu should then be shown with the {$pagemenu} tag.</p>
				<br/><h4>Using queries</h4>
<p>To get a list of item that meet specific criteria, you can create a
query using the queries tab of the admin panel, and call them using the "query"
					{cms_module module="youtubeplayer" query="5"}</p>
<p><i>If the option to allow manuel sql queries is enabled</i> (see
"Settings" tab), you may also provide the sql query directly with the query
parameter. For example:<br/>
{cms_module module="youtubeplayer" what="videos" query="A.date_modified >
\'2009-03-15\' AND = 1"}<br/>
The query parameter can only hold the WHERE clause of the query, and should
not include the WHERE command itself. To avoid problems, the prefix "A." should
be used before field names (where applicable, the "B." prefix can be used to
specify criteria on the parent\'s fields).<br/>
Although the abstraction layer is not easily prone to injections, remember
that activating this option means giving a sql opening within the templates and
be careful.</p>
				<br/><h4>The link action</h4>
<p>You may use the action <b>"link"</b> to create a link to the default
action, using the same parameters:<br/>
{cms_module module="youtubeplayer" action="link" what="videos"
					would create a link to a random element of this level.</p>
				<br/><h4>The sitemap action</h4>
<p>If your module is not sharing children, you may use the action
<b>"sitemap"</b> to create a module sitemap:<br/>
					{cms_module module="youtubeplayer" action="sitemap"}<br/>
You can select the levels using the "what" parameter, and may select more
than one using "|" : what="level1|level2".<br/>
Other available parameters for this action are "detailpage" and
To create a google sitemap, see the <a
href="../modules/youtubeplayer/doc/faq.html#q16" target="_blank">FAQ</a>.</p>
				<br/><h4>The frontend edit action</h4>
<p>A form for the frontend editing for anyone (without logging in) of
elements can be called using:<br/>
{cms_module module="youtubeplayer" action="frontend_edit"
This tag would show an empty form, and create a new element of the level
"videos". In order to edit an existing element, you simply have to specify the
{cms_module module="youtubeplayer" action="frontend_edit" what="videos"
<p>If you wish to display a link to the edition of an item, use the "link"
{cms_module module="youtubeplayer" action="link" toaction="frontend_edit"
what="videos" alias="item_alias"}<br/>
					You could, for example, do this in a list template...</p>
					<p>(See the settings tab for options about the frontend_edit feature)<br/>
It is recommanded that the frontend edit feature be used with the Front End
Users module for permissions management. See <a
href="../modules/youtubeplayer/doc/faq.html#q20" target="_blank">FAQ</a> for
more detailed information on how to do this.<br />
					A quick start code example would be: <br /><br />
Place the below code in a page with  WYSIWYG turned off:<p
{assign var=userids
value=$gCms->modules.FrontEndUsers.object->LoggedinId()}<br />
{assign var=username
value=$gCms->modules.FrontEndUsers.object->GetUserName($userids)}<br />
					{cms_module module=FrontEndUsers}<br />
					{if $userids!=\'\'}
{cms_module module="youtubeplayer" action="frontend_edit" what="videos"}<br
					<br/><h4>The search action</h4>
					<p>You may use the action <b>"search"</b> to display a search form:<br/>
					{cms_module module="youtubeplayer" action="search"}<br/>
Use the "searchmode" parameter to switch between advanced (default) and
simple mode. You may specify the level in which to search using the "what"
parameter. You cannot use the advanced search mode in all levels at the same
The following parameters can be used with the search action: what, limit,
nbperpage, orderby, detailpage, listtemplate, inline, searchmode.<br/>
					See youtubeplayer/templates/search.tpl to modify the search form.</p><br/>
<p>For more help, you may take a look at the <a
href="../modules/youtubeplayer/doc/faq.html" target="_blank">FAQ</a>.</p>
			<br/><h3>Copyright and License</h3>
<p>This module has has no support, it is released under the GNU Public
License.use at your own risk</p><br/><br/>';
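
Added example, not part of the tracker thread or the module's code: the notice comes from PHP interpolating $userids inside a double-quoted string, so a token-based check can list every variable a language file would interpolate before the file is deployed. The sample file contents and the function name find_interpolated_vars are constructed for illustration.

```php
<?php
// Constructed sample of a language file, NOT the module's real en_US.php.
// Kept in a nowdoc so nothing in it is interpolated by this script itself.
$sample = <<<'SAMPLE'
<?php
$lang["ok_single"]  = 'Use {if $userids!=\'\'} in your template';
$lang["ok_escaped"] = "Use {if \$userids!=''} in your template";
$lang["bad"]        = "Use {if $userids!=''} in your template";
SAMPLE;

/**
 * Return [line, variable] pairs for every variable PHP would interpolate
 * inside a double-quoted string or heredoc in $source.
 */
function find_interpolated_vars(string $source): array
{
    $hits = [];
    $inString = false;
    foreach (token_get_all($source) as $tok) {
        if ($tok === '"') {
            // A bare quote token only appears around an interpolating string;
            // strings without interpolation arrive as one constant token.
            $inString = !$inString;
            continue;
        }
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_START_HEREDOC) {
            // A nowdoc opener contains a single quote and never interpolates.
            $inString = strpos($text, "'") === false;
        } elseif ($id === T_END_HEREDOC) {
            $inString = false;
        } elseif ($inString && $id === T_VARIABLE) {
            $hits[] = [$line, $text];
        }
    }
    return $hits;
}

foreach (find_interpolated_vars($sample) as [$line, $var]) {
    echo "line $line: $var is interpolated; escape it or use single quotes\n";
}
```

Variables that are meant to be interpolated are reported too, so the output is a review list rather than a list of confirmed bugs.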