friendica/view/templates/babel.tpl
Hypolite Petovan 5c5d7eb04f
Fix several vulnerabilities (#13927)
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
2024-02-22 06:53:52 +01:00

35 lines
1.1 KiB
Smarty

<div id="babel" class="generic-page-wrapper">
<h2>{{$title}}</h2>
<form action="babel" method="post" class="panel panel-default">
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
<div class="panel-body">
<div class="form-group">
{{include file="field_textarea.tpl" field=$text}}
</div>
<div class="form-group">
{{include file="field_radio.tpl" field=$type_bbcode}}
{{include file="field_radio.tpl" field=$type_diaspora}}
{{include file="field_radio.tpl" field=$type_markdown}}
{{include file="field_radio.tpl" field=$type_html}}
{{if $flag_twitter}}
{{include file="field_radio.tpl" field=$type_twitter}}
{{/if}}
</div>
<p><button type="submit" class="btn btn-primary">{{$submit}}</button></p>
</div>
</form>
{{if $results}}
<div class="babel-results">
{{foreach $results as $result}}
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">{{$result.title}}</h3>
</div>
<div class="panel-body">{{$result.content nofilter}}</div>
</div>
{{/foreach}}
</div>
</div>
{{/if}}