From 39a0f9464d3c4e9a107fd3db49e5ec40d0f3201d Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/editor-create.tpl.php | 18 +++++++++---------
 Theme/Backend/editor-list.tpl.php   | 18 +++++++++---------
 Theme/Backend/editor-single.tpl.php |  2 +-
 Theme/Backend/editor.tpl.php        |  8 ++++----
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/Theme/Backend/editor-create.tpl.php b/Theme/Backend/editor-create.tpl.php
index bf3dc27..a13e277 100644
--- a/Theme/Backend/editor-create.tpl.php
+++ b/Theme/Backend/editor-create.tpl.php
@@ -24,7 +24,7 @@ echo $this->getData('nav')->render(); ?>
             <div class="inner">
                 <form id="fEditor" method="POST" action="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/api/editor?{?}&csrf={$CSRF}'); ?>">
                     <input name="title" type="text" class="wf-100">
-                    <input type="submit" value="<?= $this->getText('Save'); ?>">
+                    <input type="submit" value="<?= $this->getHtml('Save') ?>">
                 </form>
             </div>
         </section>
@@ -36,9 +36,9 @@ echo $this->getData('nav')->render(); ?>
         <div class="box wf-100">
             <div class="tabular">
                 <ul class="tab-links">
-                    <li><label for="c-tab-1"><?= $this->getText('Start') ?></label>
-                    <li><label for="c-tab-2"><?= $this->getText('Insert') ?></label>
-                    <li><label for="c-tab-3"><?= $this->getText('Layout') ?></label>
+                    <li><label for="c-tab-1"><?= $this->getHtml('Start'); ?></label>
+                    <li><label for="c-tab-2"><?= $this->getHtml('Insert'); ?></label>
+                    <li><label for="c-tab-3"><?= $this->getHtml('Layout'); ?></label>
                 </ul>
                 <div class="tab-content">
                     <input type="radio" id="c-tab-1" name="tabular-1" checked>
@@ -99,8 +99,8 @@ echo $this->getData('nav')->render(); ?>
         <div class="box wf-100">
             <div class="tabular">
                 <ul class="tab-links">
-                    <li><label for="c-tab2-1"><?= $this->getText('Text') ?></label>
-                    <li><label for="c-tab2-2"><?= $this->getText('Preview') ?></label>
+                    <li><label for="c-tab2-1"><?= $this->getHtml('Text'); ?></label>
+                    <li><label for="c-tab2-2"><?= $this->getHtml('Preview'); ?></label>
                 </ul>
                 <div class="tab-content">
                     <input type="radio" id="c-tab2-1" name="tabular-2" checked>
@@ -122,12 +122,12 @@ echo $this->getData('nav')->render(); ?>
             <div class="inner">
                 <form>
                     <table class="layout">
-                        <tr><td colspan="2"><label><?= $this->getText('Permission') ?></label>
+                        <tr><td colspan="2"><label><?= $this->getHtml('Permission'); ?></label>
                         <tr><td><select>
                                     <option>
                                 </select>
-                        <tr><td colspan="2"><label><?= $this->getText('GroupUser') ?></label>
-                        <tr><td><input id="iPermission" name="group" type="text" placeholder="&#xf084;"><td><button><?= $this->getText('Add') ?></button>
+                        <tr><td colspan="2"><label><?= $this->getHtml('GroupUser'); ?></label>
+                        <tr><td><input id="iPermission" name="group" type="text" placeholder="&#xf084;"><td><button><?= $this->getHtml('Add'); ?></button>
                     </table>
                 </form>
             </div>
diff --git a/Theme/Backend/editor-list.tpl.php b/Theme/Backend/editor-list.tpl.php
index d993e6e..a11ce70 100644
--- a/Theme/Backend/editor-list.tpl.php
+++ b/Theme/Backend/editor-list.tpl.php
@@ -28,25 +28,25 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Documents'); ?></caption>
+                <caption><?= $this->getHtml('Documents') ?></caption>
                 <thead>
                 <tr>
-                    <td class="wf-100"><?= $this->getText('Title'); ?>
-                    <td><?= $this->getText('Creator'); ?>
-                    <td><?= $this->getText('Created'); ?>
+                    <td class="wf-100"><?= $this->getHtml('Title') ?>
+                    <td><?= $this->getHtml('Creator') ?>
+                    <td><?= $this->getHtml('Created') ?>
                 <tfoot>
                 <tr>
-                    <td colspan="3"><?= $footerView->render(); ?>
+                    <td colspan="3"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                 <tbody>
                 <?php $count = 0; foreach($docs as $key => $value) : $count++;
                 $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/editor/single?{?}&id=' . $value->getId()); ?>
                     <tr data-href="<?= $url; ?>">
-                        <td><a href="<?= $url; ?>"><?= $value->getTitle(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $value->getCreatedBy()->getName1(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $value->getCreatedAt()->format('Y-m-d H:i:s'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getTitle(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getCreatedBy()->getName1(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getCreatedAt()->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count === 0) : ?>
-                <tr><td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                         <?php endif; ?>
             </table>
         </div>
diff --git a/Theme/Backend/editor-single.tpl.php b/Theme/Backend/editor-single.tpl.php
index 7737b33..cec0e46 100644
--- a/Theme/Backend/editor-single.tpl.php
+++ b/Theme/Backend/editor-single.tpl.php
@@ -1,4 +1,4 @@
-<?= $this->getData('nav')->render(); ?>
+<?= htmlspecialchars($this->getData('nav')->render(), ENT_COMPAT, 'utf-8'); ?>
 
 <div class="row">
     <div class="col-xs-12">
diff --git a/Theme/Backend/editor.tpl.php b/Theme/Backend/editor.tpl.php
index 3afe7c1..24ddf0a 100644
--- a/Theme/Backend/editor.tpl.php
+++ b/Theme/Backend/editor.tpl.php
@@ -45,19 +45,19 @@ $doc = $this->getData('doc') ?? null;
     <div class="box wf-100">
         <div class="tabular">
             <ul class="tab-links">
-                <li><label for="c-tab-1"><?= $this->getText('Text') ?></label>
-                <li><label for="c-tab-2"><?= $this->getText('Preview') ?></label>
+                <li><label for="c-tab-1"><?= $this->getHtml('Text'); ?></label>
+                <li><label for="c-tab-2"><?= $this->getHtml('Preview'); ?></label>
             </ul>
             <div class="tab-content">
                 <input type="radio" id="c-tab-1" name="tabular-1" checked>
 
                 <div class="tab">
-                    <textarea style="height: 300px" placeholder="&#xf040;" name="plain" form="docForm"><?= isset($doc) ? $doc->getPlain() : ''; ?></textarea><input type="hidden" id="iParsed" name="parsed">
+                    <textarea style="height: 300px" placeholder="&#xf040;" name="plain" form="docForm"><?= htmlspecialchars(isset($doc) ? $doc->getPlain() : '', ENT_COMPAT, 'utf-8'); ?></textarea><input type="hidden" id="iParsed" name="parsed">
                 </div>
                 <input type="radio" id="c-tab-2" name="tabular-1">
 
                 <div class="tab">
-                    <?= isset($doc) ? $doc->getContent() : ''; ?>
+                    <?= htmlspecialchars(isset($doc) ? $doc->getContent() : '', ENT_COMPAT, 'utf-8'); ?>
                 </div>
             </div>
         </div>