From 6b23b83fb5d68536eb33fd78e2c99787977f2c1e Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/comment-create.tpl.php | 16 ++++++++--------
 Theme/Backend/comment-list.tpl.php   | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/Theme/Backend/comment-create.tpl.php b/Theme/Backend/comment-create.tpl.php
index 4920d71..c3fa317 100644
--- a/Theme/Backend/comment-create.tpl.php
+++ b/Theme/Backend/comment-create.tpl.php
@@ -29,9 +29,9 @@ echo $this->getData('nav')->render(); ?>
 <div class="box w-100">
     <div class="tabular">
         <ul class="tab-links">
-            <li><label for="c-tab-1"><?= $this->getText('Start') ?></label>
-            <li><label for="c-tab-2"><?= $this->getText('Insert') ?></label>
-            <li><label for="c-tab-3"><?= $this->getText('Layout') ?></label>
+            <li><label for="c-tab-1"><?= $this->getHtml('Start'); ?></label>
+            <li><label for="c-tab-2"><?= $this->getHtml('Insert'); ?></label>
+            <li><label for="c-tab-3"><?= $this->getHtml('Layout'); ?></label>
         </ul>
         <div class="tab-content">
             <input type="radio" id="c-tab-1" name="tabular-1" checked>
@@ -88,8 +88,8 @@ echo $this->getData('nav')->render(); ?>
 <div class="box w-100">
     <div class="tabular">
         <ul class="tab-links">
-            <li><label for="c-tab2-1"><?= $this->getText('Text') ?></label>
-            <li><label for="c-tab2-2"><?= $this->getText('Preview') ?></label>
+            <li><label for="c-tab2-1"><?= $this->getHtml('Text'); ?></label>
+            <li><label for="c-tab2-2"><?= $this->getHtml('Preview'); ?></label>
         </ul>
         <div class="tab-content">
             <input type="radio" id="c-tab2-1" name="tabular-2" checked>
@@ -107,12 +107,12 @@ echo $this->getData('nav')->render(); ?>
     <div class="inner">
         <form>
             <table class="layout">
-                <tr><td colspan="2"><label><?= $this->getText('Permission') ?></label>
+                <tr><td colspan="2"><label><?= $this->getHtml('Permission'); ?></label>
                 <tr><td><select>
                             <option>
                         </select>
-                <tr><td colspan="2"><label><?= $this->getText('GroupUser') ?></label>
-                <tr><td><input id="iPermission" name="group" type="text" placeholder="&#xf084;"><td><button><?= $this->getText('Add') ?></button>
+                <tr><td colspan="2"><label><?= $this->getHtml('GroupUser'); ?></label>
+                <tr><td><input id="iPermission" name="group" type="text" placeholder="&#xf084;"><td><button><?= $this->getHtml('Add'); ?></button>
             </table>
         </form>
     </div>
diff --git a/Theme/Backend/comment-list.tpl.php b/Theme/Backend/comment-list.tpl.php
index bbcdf85..2d664b0 100644
--- a/Theme/Backend/comment-list.tpl.php
+++ b/Theme/Backend/comment-list.tpl.php
@@ -24,20 +24,20 @@ $footerView->setPage(1);
 echo $this->getData('nav')->render(); ?>
 <div class="box">
     <table class="table red">
-        <caption><?= $this->getText('Documents'); ?></caption>
+        <caption><?= $this->getHtml('Documents') ?></caption>
         <thead>
         <tr>
-            <td class="wf-100"><?= $this->getText('Name'); ?>
-            <td><?= $this->getText('Creator'); ?>
-            <td><?= $this->getText('Created'); ?>
+            <td class="wf-100"><?= $this->getHtml('Name') ?>
+            <td><?= $this->getHtml('Creator') ?>
+            <td><?= $this->getHtml('Created') ?>
         <tfoot>
         <tr>
-            <td colspan="3"><?= $footerView->render(); ?>
+            <td colspan="3"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
         <?php $count = 0; foreach([] as $key => $value) : $count++; ?>
         <?php endforeach; ?>
         <?php if($count === 0) : ?>
-        <tr><td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+        <tr><td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
     </table>
 </div>