From 4f9f86e310a433d56622527be002ba2a474c5240 Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 25 Nov 2018 18:56:26 +0000
Subject: [PATCH] We are now escaping many template fields
---
src/Module/Contact.php | 10 +--
src/Object/Post.php | 6 +-
view/templates/admin/addon_details.tpl | 2 +-
view/templates/admin/contactblock.tpl | 4 +-
view/templates/admin/users.tpl | 16 ++--
view/templates/hovercard.tpl | 14 ++--
view/templates/profile_vcard.tpl | 6 +-
view/templates/vcard-widget.tpl | 10 +--
view/templates/wall_thread.tpl | 8 +-
view/templates/widget_forumlist.tpl | 8 +-
.../duepuntozero/templates/profile_vcard.tpl | 4 +-
view/theme/frio/templates/admin/addons.tpl | 2 +-
.../frio/templates/admin/contactblock.tpl | 8 +-
view/theme/frio/templates/admin/queue.tpl | 12 +--
view/theme/frio/templates/admin/summary.tpl | 6 +-
view/theme/frio/templates/admin/users.tpl | 24 +++---
view/theme/frio/templates/comment_item.tpl | 14 ++--
view/theme/frio/templates/common_tabs.tpl | 6 +-
view/theme/frio/templates/contact_edit.tpl | 76 ++++++++---------
.../theme/frio/templates/contact_template.tpl | 40 ++++-----
view/theme/frio/templates/credits.tpl | 4 +-
view/theme/frio/templates/crepair.tpl | 2 +-
view/theme/frio/templates/event.tpl | 10 +--
.../frio/templates/event_stream_item.tpl | 8 +-
view/theme/frio/templates/events_js.tpl | 8 +-
view/theme/frio/templates/filebrowser.tpl | 10 +--
view/theme/frio/templates/intros.tpl | 4 +-
view/theme/frio/templates/jot.tpl | 2 +-
view/theme/frio/templates/like_noshare.tpl | 2 +-
view/theme/frio/templates/mail_conv.tpl | 4 +-
view/theme/frio/templates/mail_list.tpl | 2 +-
view/theme/frio/templates/nav.tpl | 84 +++++++++----------
view/theme/frio/templates/photo_item.tpl | 2 +-
view/theme/frio/templates/photo_top.tpl | 2 +-
view/theme/frio/templates/photo_view.tpl | 4 +-
view/theme/frio/templates/profile_entry.tpl | 2 +-
view/theme/frio/templates/profile_vcard.tpl | 46 +++++-----
view/theme/frio/templates/search_item.tpl | 64 +++++++-------
view/theme/frio/templates/vcard-widget.tpl | 10 +--
view/theme/frio/templates/wall_thread.tpl | 76 ++++++++---------
.../quattro/templates/contact_template.tpl | 8 +-
view/theme/quattro/templates/events.tpl | 6 +-
view/theme/quattro/templates/mail_conv.tpl | 18 ++--
.../theme/quattro/templates/profile_vcard.tpl | 8 +-
view/theme/quattro/templates/search_item.tpl | 34 ++++----
.../theme/quattro/templates/wall_item_tag.tpl | 8 +-
view/theme/quattro/templates/wall_thread.tpl | 10 +--
.../quattro/templates/widget_forumlist.tpl | 4 +-
view/theme/vier/templates/ch_connectors.tpl | 2 +-
.../vier/templates/ch_directory_item.tpl | 2 +-
view/theme/vier/templates/comment_item.tpl | 16 ++--
.../theme/vier/templates/contact_template.tpl | 6 +-
view/theme/vier/templates/nav.tpl | 48 +++++------
view/theme/vier/templates/photo_item.tpl | 30 +++----
view/theme/vier/templates/photo_view.tpl | 4 +-
view/theme/vier/templates/profile_vcard.tpl | 6 +-
view/theme/vier/templates/search_item.tpl | 36 ++++----
view/theme/vier/templates/wall_item_tag.tpl | 8 +-
view/theme/vier/templates/wall_thread.tpl | 60 ++++++-------
.../vier/templates/widget_forumlist_right.tpl | 12 +--
60 files changed, 472 insertions(+), 476 deletions(-)
diff --git a/src/Module/Contact.php b/src/Module/Contact.php
index ec7e89692..66e8c97fd 100644
--- a/src/Module/Contact.php
+++ b/src/Module/Contact.php
@@ -85,7 +85,7 @@ class Contact extends BaseModule
/// @TODO Add nice spaces
$vcard_widget = Renderer::replaceMacros(Renderer::getMarkupTemplate('vcard-widget.tpl'), [
- '$name' => htmlentities($contact['name']),
+ '$name' => $contact['name'],
'$photo' => $contact['photo'],
'$url' => Model\Contact::MagicLink($contact['url']),
'$addr' => defaults($contact, 'addr', ''),
@@ -639,7 +639,7 @@ class Contact extends BaseModule
'$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'],
'$ffi_keyword_blacklist' => ['ffi_keyword_blacklist', L10n::t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], L10n::t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')],
'$photo' => $contact['photo'],
- '$name' => htmlentities($contact['name']),
+ '$name' => $contact['name'],
'$dir_icon' => $dir_icon,
'$sparkle' => $sparkle,
'$url' => $url,
@@ -1033,14 +1033,14 @@ class Contact extends BaseModule
'alt_text' => $alt_text,
'dir_icon' => $dir_icon,
'thumb' => ProxyUtils::proxifyUrl($rr['thumb'], false, ProxyUtils::SIZE_THUMB),
- 'name' => htmlentities($rr['name']),
- 'username' => htmlentities($rr['name']),
+ 'name' => $rr['name'],
+ 'username' => $rr['name'],
'account_type' => Model\Contact::getAccountType($rr),
'sparkle' => $sparkle,
'itemurl' => defaults($rr, 'addr', $rr['url']),
'url' => $url,
'network' => ContactSelector::networkToName($rr['network'], $rr['url']),
- 'nick' => htmlentities($rr['nick']),
+ 'nick' => $rr['nick'],
];
}
diff --git a/src/Object/Post.php b/src/Object/Post.php
index e7a9e6b02..50d903f02 100644
--- a/src/Object/Post.php
+++ b/src/Object/Post.php
@@ -213,7 +213,7 @@ class Post extends BaseObject
$filer = (($conv->getProfileOwner() == local_user() && ($item['uid'] != 0)) ? L10n::t("save to folder") : false);
- $profile_name = htmlentities($item['author-name']);
+ $profile_name = $item['author-name'];
if (!empty($item['author-link']) && empty($item['author-name'])) {
$profile_name = $item['author-link'];
}
@@ -377,7 +377,7 @@ class Post extends BaseObject
'isevent' => $isevent,
'attend' => $attend,
'linktitle' => L10n::t('View %s\'s profile @ %s', $profile_name, $item['author-link']),
- 'olinktitle' => L10n::t('View %s\'s profile @ %s', htmlentities($this->getOwnerName()), $item['owner-link']),
+ 'olinktitle' => L10n::t('View %s\'s profile @ %s', $this->getOwnerName(), $item['owner-link']),
'to' => L10n::t('to'),
'via' => L10n::t('via'),
'wall' => L10n::t('Wall-to-Wall'),
@@ -399,7 +399,7 @@ class Post extends BaseObject
'shiny' => $shiny,
'owner_url' => $this->getOwnerUrl(),
'owner_photo' => $a->removeBaseURL(ProxyUtils::proxifyUrl($item['owner-avatar'], false, ProxyUtils::SIZE_THUMB)),
- 'owner_name' => htmlentities($owner_name_e),
+ 'owner_name' => $owner_name_e,
'plink' => Item::getPlink($item),
'edpost' => $edpost,
'isstarred' => $isstarred,
diff --git a/view/templates/admin/addon_details.tpl b/view/templates/admin/addon_details.tpl
index fb908b705..96b26d2d0 100644
--- a/view/templates/admin/addon_details.tpl
+++ b/view/templates/admin/addon_details.tpl
@@ -18,7 +18,7 @@
{{if $screenshot}}
-
+
{{/if}}
{{if $admin_form}}
diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index 152550f01..c9bfc2efd 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -32,10 +32,10 @@
{{foreach $contacts as $contact}}
-
+
{{$contact.name}}
{{$contact.addr}}
- {{$contact.url}}
+ {{$contact.url}}
{{/foreach}}
diff --git a/view/templates/admin/users.tpl b/view/templates/admin/users.tpl
index b2b0d615a..f06b0f973 100644
--- a/view/templates/admin/users.tpl
+++ b/view/templates/admin/users.tpl
@@ -35,8 +35,8 @@
{{$u.email}}
-
-
+
+
@@ -79,8 +79,8 @@
{{foreach $users as $u}}
-
- {{$u.name}}
+
+ {{$u.name}}
{{$u.email}}
{{$u.register_date}}
{{$u.login_date}}
@@ -94,8 +94,8 @@
{{/if}}
{{if $u.is_deletable}}
-
-
+
+
{{else}}
{{/if}}
@@ -122,8 +122,8 @@
{{foreach $deleted as $u}}
-
- {{$u.name}}
+
+ {{$u.name}}
{{$u.email}}
{{$u.register_date}}
{{$u.login_date}}
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 7bf37e74b..74f270005 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -3,12 +3,12 @@
{{/foreach}}
@@ -78,7 +78,7 @@
{{* Checkbox to select all blocked contacts *}}
-
+
diff --git a/view/theme/frio/templates/admin/queue.tpl b/view/theme/frio/templates/admin/queue.tpl
index dde386399..3ebe89052 100644
--- a/view/theme/frio/templates/admin/queue.tpl
+++ b/view/theme/frio/templates/admin/queue.tpl
@@ -13,12 +13,12 @@
{{foreach $entries as $e}}
- {{$e.id}}
- {{$e.name}}
- {{$e.nurl}}
- {{$e.network}}
- {{$e.created}}
- {{$e.last}}
+ {{$e.id|escape}}
+ {{$e.name|escape}}
+ {{$e.nurl|escape}}
+ {{$e.network|escape}}
+ {{$e.created|escape}}
+ {{$e.last|escape}}
{{/foreach}}
diff --git a/view/theme/frio/templates/admin/summary.tpl b/view/theme/frio/templates/admin/summary.tpl
index 66afda721..c2bbf49a7 100644
--- a/view/theme/frio/templates/admin/summary.tpl
+++ b/view/theme/frio/templates/admin/summary.tpl
@@ -54,14 +54,14 @@
{{* The Friendica version. *}}
-
{{$version.0}}
-
{{$platform}} '{{$codename}}' {{$version.1}} - {{$build}}
+
{{$version.0|escape}}
+
{{$platform}} '{{$codename|escape}}' {{$version.1|escape}} - {{$build|escape}}
{{* Server Settings. *}}
-
{{$serversettings.label}}
+
{{$serversettings.label|escape}}
diff --git a/view/theme/frio/templates/admin/users.tpl b/view/theme/frio/templates/admin/users.tpl
index 92ef9be6f..031ffd0a4 100644
--- a/view/theme/frio/templates/admin/users.tpl
+++ b/view/theme/frio/templates/admin/users.tpl
@@ -46,11 +46,11 @@
{{$u.created}}
- {{$u.name}}
+ {{$u.name|escape}}
{{$u.email}}
-
-
+
+
{{if $u.note}}
@@ -145,8 +145,8 @@
{{/if}}
-
- {{$u.name}}
+
+ {{$u.name|escape}}
{{$u.email}}
{{if $order_users == $th_users.2.1}}
{{$u.register_date}}
@@ -169,18 +169,18 @@
{{if $u.page_flags_raw==3}}fa-heart{{/if}} {{* PAGE_FREELOVE *}}
{{if $u.page_flags_raw==4}}fa-rss{{/if}} {{* PAGE_BLOG *}}
{{if $u.page_flags_raw==5}}fa-user-secret{{/if}} {{* PAGE_PRVGROUP *}}
- " title="{{$u.page_flags}}">
+ " title="{{$u.page_flags|escape}}">
{{if $u.page_flags_raw==0 && $u.account_type_raw > 0}}
{{/if}}
- {{if $u.is_admin}} {{/if}}
- {{if $u.account_expired}} {{/if}}
+ {{if $u.is_admin}} {{/if}}
+ {{if $u.account_expired}} {{/if}}
{{/if}}
@@ -229,7 +229,7 @@
{{/if}}
-
+
{{else}}
@@ -297,8 +297,8 @@
{{foreach $deleted as $u}}
-
- {{$u.name}}
+
+ {{$u.name|escape}}
{{$u.email}}
{{$u.deleted}}
diff --git a/view/theme/frio/templates/comment_item.tpl b/view/theme/frio/templates/comment_item.tpl
index 4ef5f2caa..804d07ac0 100644
--- a/view/theme/frio/templates/comment_item.tpl
+++ b/view/theme/frio/templates/comment_item.tpl
@@ -33,37 +33,37 @@
{{/if}}
{{foreach $tabs as $tab}} -- {{$tab.label}}
+ - {{$tab.label}}
{{/foreach}}
{{foreach $tabs as $tab}} {{if $tab.sel}} -- {{$tab.label}}
+ - {{$tab.label}}
{{else}}
{{$exttabs[]=$tab}}
{{/if}}
@@ -50,7 +50,7 @@
- {{if $header}}
@@ -19,15 +19,15 @@
- {{$contact_status}}
+ {{$contact_status|escape}}
{{* Block with status information about the contact *}}
{{* End of contact-edit-status-wrapper *}}
@@ -83,38 +83,38 @@
- {{$profileurllabel}} {{$profileurl}}
+ {{$profileurllabel|escape}} {{$profileurl|escape}}
{{if $location}}
{{$location_label}}
- {{$location}}
+ {{$location_label|escape}}
+ {{$location|escape}}
{{/if}}
{{if $xmpp}}
{{$xmpp_label}}
- {{$xmpp}}
+ {{$xmpp_label|escape}}
+ {{$xmpp|escape}}
{{/if}}
{{if $keywords}}
{{$keywords_label}}
- {{$keywords}}
+ {{$keywords_label|escape}}
+ {{$keywords|escape}}
{{/if}}
{{if $about}}
{{$about_label}}
- {{$about}}
+ {{$about_label|escape}}
+ {{$about|escape}}
{{/if}}
@@ -127,14 +127,14 @@
-
+
{{include file="field_checkbox.tpl" field=$notify}}
{{if $fetch_further_information}}
@@ -144,7 +144,7 @@
{{include file="field_checkbox.tpl" field=$hidden}}
- {{$submit}}
+ {{$submit|escape}}
@@ -157,7 +157,7 @@
@@ -167,11 +167,11 @@
{{include file="field_textarea.tpl" field=$cinfo}}
- {{$submit}}
+ {{$submit|escape}}
{{if $reason}}
-
@@ -192,7 +192,7 @@
{{if $profile_select}}
-
{{$profile_select}}
@@ -201,7 +201,7 @@
{{/if}}
- {{$submit}}
+ {{$submit|escape}}
diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index e1c0a7700..4f07ad2b1 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -6,14 +6,14 @@
-
+
{{* For very small displays we use a drobdown menu for contact relating actions *}}
{{* use a smaller picture on very small displays (e.g. mobiles) *}}
-
+
{{* Overlay background on hover the avatar picture *}}
@@ -44,37 +44,37 @@
{{* The contact actions like private mail, delete contact, edit contact and so on *}}
{{if $contact.photo_menu.pm}}
-
+
{{/if}}
{{if $contact.photo_menu.poke}}
-
+
{{/if}}
{{if $contact.photo_menu.network}}
-
+
{{/if}}
{{if $contact.photo_menu.edit}}
-
+
{{/if}}
{{if $contact.photo_menu.drop}}
-
+
{{/if}}
{{if $contact.photo_menu.follow}}
-
+
{{/if}}
{{if $contact.photo_menu.hide}}
-
+
{{/if}}
@@ -84,7 +84,7 @@
{{* The button to add or remove contacts from a contact group - group edit page *}}
{{if $contact.change_member}}
-
+
{{if $contact.label == "members"}}
{{elseif $contact.label == "contacts"}}
@@ -97,7 +97,7 @@
{{* The contact description (e.g. Name, Network, kind of connection and so on *}}
-
{{foreach $exttabs as $tab}} -- {{$tab.label}}
+ - {{$tab.label}}
{{/foreach}}
diff --git a/view/theme/frio/templates/contact_edit.tpl b/view/theme/frio/templates/contact_edit.tpl index 04426eeb1..e7d90ca28 100644 --- a/view/theme/frio/templates/contact_edit.tpl +++ b/view/theme/frio/templates/contact_edit.tpl @@ -1,6 +1,6 @@{{$header}}: {{$name}}{{if $account_type}} ({{$account_type}}){{/if}}
{{/if}} + {{if $header}}{{$header|escape}}: {{$name|escape}}{{if $account_type}} ({{$account_type|escape}}){{/if}}
{{/if}}- {{if $lblsuggest}}- {{$contact_actions.suggest.label}}
{{/if}}
- {{if $poll_enabled}}- {{$contact_actions.update.label}}
{{/if}}
+ {{if $lblsuggest}}- {{$contact_actions.suggest.label|escape}}
{{/if}}
+ {{if $poll_enabled}}- {{$contact_actions.update.label|escape}}
{{/if}}
{{if $lblsuggest || $poll_enabled}}
{{/if}}
- - {{$contact_actions.block.label}}
- - {{$contact_actions.ignore.label}}
- {{if $contact_actions.archive.url}}- {{$contact_actions.archive.label}}
{{/if}}
- {{if $contact_actions.delete.url}}{{$contact_actions.delete.label}} {{/if}}
+ - {{$contact_actions.block.label|escape}}
+ - {{$contact_actions.ignore.label|escape}}
+ {{if $contact_actions.archive.url}}- {{$contact_actions.archive.label|escape}}
{{/if}}
+ {{if $contact_actions.delete.url}}{{$contact_actions.delete.label|escape}} {{/if}}
@@ -35,35 +35,35 @@- {{if $relation_text}}{{$relation_text}} {{/if}}
- {{if $nettype}}{{$nettype}} {{/if}}
+ {{if $relation_text}}{{$relation_text|escape}} {{/if}}
+ {{if $nettype}}{{$nettype|escape}} {{/if}}
{{if $poll_enabled}}
- {{$lastupdtext}} {{$last_update}}
+ {{$lastupdtext|escape}} {{$last_update|escape}}
{{if $poll_interval}}
{{/if}}
{{/if}}
- {{if $lost_contact}}{{$lost_contact}} {{/if}}
- {{if $insecure}}{{$insecure}} {{/if}}
- {{if $blocked && !$pending}}{{$blocked}} {{/if}}
- {{if $pending}}{{$pending}} {{/if}}
- {{if $ignored}}{{$ignored}} {{/if}}
- {{if $archived}}{{$archived}} {{/if}}
+ {{if $lost_contact}}{{$lost_contact|escape}} {{/if}}
+ {{if $insecure}}{{$insecure|escape}} {{/if}}
+ {{if $blocked && !$pending}}{{$blocked|escape}} {{/if}}
+ {{if $pending}}{{$pending|escape}} {{/if}}
+ {{if $ignored}}{{$ignored|escape}} {{/if}}
+ {{if $archived}}{{$archived|escape}} {{/if}}
- - {{if $follow}}{{$follow_text}} {{/if}}
+
+ {{if $follow}}{{$follow_text|escape}} {{/if}}
-
-
-
-
- {{$contact_settings_label}} + {{$contact_settings_label|escape}}
- {{$lbl_info1}} + {{$lbl_info1|escape}}
{{$lbl_info2}}
+{{$lbl_info2|escape}}
{{$reason}}
{{/if}} @@ -184,7 +184,7 @@- {{$lbl_vis1}} + {{$lbl_vis1|escape}}
{{$lbl_vis2}}
+{{$lbl_vis2|escape}}
{{$contact.name}} +
{{$contact.name|escape}} {{if $contact.account_type}} ({{$contact.account_type}}){{/if}} {{if $contact.account_type == 'Forum'}}{{/if}} {{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}} @@ -133,14 +133,14 @@ We use this part to filter the contacts with jquery.textcomplete *}}
-
+
{{* For very small displays we use a drobdown menu for contact relating actions *}}
{{* use a smaller picture on very small displays (e.g. mobiles) *}}
-
+
{{* Overlay background on hover the avatar picture *}}
@@ -172,32 +172,32 @@ We use this part to filter the contacts with jquery.textcomplete *}}
{{* The contact actions like private mail, delete contact, edit contact and so on *}}
{if $photo_menu.pm}
-
+
{/if}
{if $photo_menu.poke}
-
+
{/if}
{if $photo_menu.network}
-
+
{/if}
{if $photo_menu.edit}
-
+
{/if}
{if $photo_menu.drop}
-
+
{/if}
{if $photo_menu.follow}
-
+
{/if}
@@ -207,7 +207,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
{{* The button to add or remove contacts from a contact group - group edit page *}}
{if $contact.change_member}
-
+
{if $contact.label == "members"}
{elseif $contact.label == "contacts"}
diff --git a/view/theme/frio/templates/credits.tpl b/view/theme/frio/templates/credits.tpl
index 5e5aeecc2..75ab272df 100644
--- a/view/theme/frio/templates/credits.tpl
+++ b/view/theme/frio/templates/credits.tpl
@@ -1,10 +1,10 @@
{{include file="section_title.tpl"}}
-
{{$thanks}}
+{{$thanks|escape}}
{{foreach $names as $name}} -- {{$name}}
+ - {{$name|escape}}
{{/foreach}}
diff --git a/view/theme/frio/templates/crepair.tpl b/view/theme/frio/templates/crepair.tpl index 3d45c6ddc..d4cdec501 100644 --- a/view/theme/frio/templates/crepair.tpl +++ b/view/theme/frio/templates/crepair.tpl @@ -13,7 +13,7 @@