From 0bba3c691326763ce3d49783e94810aa47385210 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/media-create.tpl.php | 10 +++++-----
 Theme/Backend/media-list.tpl.php   | 28 ++++++++++++++--------------
 Theme/Backend/media-single.tpl.php | 14 +++++++-------
 3 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/Theme/Backend/media-create.tpl.php b/Theme/Backend/media-create.tpl.php
index 41f0fd1..1e27ef6 100644
--- a/Theme/Backend/media-create.tpl.php
+++ b/Theme/Backend/media-create.tpl.php
@@ -20,17 +20,17 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Upload'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Upload') ?></h1></header>
             <div class="inner">
                 <form method="POST" id="media-uploader" action="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/api/media'); ?>">
                     <table class="layout wf-100">
-                        <tr><td><label for="iName"><?= $this->getText('Name'); ?></label>
+                        <tr><td><label for="iName"><?= $this->getHtml('Name') ?></label>
                         <tr><td><input type="text" id="iName" name="name" placeholder="&#xf040;">
-                        <tr><td><label for="iDescription"><?= $this->getText('Description'); ?></label>
+                        <tr><td><label for="iDescription"><?= $this->getHtml('Description') ?></label>
                         <tr><td><textarea id="iDescription" name="description"></textarea>
-                        <tr><td><label for="iFiles"><?= $this->getText('Files'); ?></label>
+                        <tr><td><label for="iFiles"><?= $this->getHtml('Files') ?></label>
                         <tr><td><input type="file" id="iFiles" name="files" multiple><input name="media" type="hidden">
-                        <tr><td><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>">
+                        <tr><td><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>">
                     </table>
                 </form>
             </div>
diff --git a/Theme/Backend/media-list.tpl.php b/Theme/Backend/media-list.tpl.php
index 4864860..312919a 100644
--- a/Theme/Backend/media-list.tpl.php
+++ b/Theme/Backend/media-list.tpl.php
@@ -28,18 +28,18 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Media'); ?></caption>
+                <caption><?= $this->getHtml('Media') ?></caption>
                 <thead>
                 <tr>
                     <td>
-                    <td class="wf-100"><?= $this->getText('Name'); ?>
-                    <td><?= $this->getText('Type'); ?>
-                    <td><?= $this->getText('Size'); ?>
-                    <td><?= $this->getText('Creator'); ?>
-                    <td><?= $this->getText('Created'); ?>
+                    <td class="wf-100"><?= $this->getHtml('Name') ?>
+                    <td><?= $this->getHtml('Type') ?>
+                    <td><?= $this->getHtml('Size') ?>
+                    <td><?= $this->getHtml('Creator') ?>
+                    <td><?= $this->getHtml('Created') ?>
                         <tfoot>
                 <tr>
-                    <td colspan="3"><?= $footerView->render(); ?>
+                    <td colspan="3"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                         <tbody>
                         <?php $count = 0; foreach($media as $key => $value) : $count++;
                         $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/media/single?{?}&id=' . $value->getId()); 
@@ -72,15 +72,15 @@ echo $this->getData('nav')->render(); ?>
                         }
                         ?>
                         <tr data-href="<?= $url; ?>">
-                            <td><a href="<?= $url; ?>"><i class="fa fa-<?= $icon; ?>"></i></a>
-                            <td><a href="<?= $url; ?>"><?= $value->getName(); ?></a>
-                            <td><a href="<?= $url; ?>"><?= $value->getExtension(); ?></a>
-                            <td><a href="<?= $url; ?>"><?= $value->getSize(); ?></a>
-                            <td><a href="<?= $url; ?>"><?= $value->getCreatedBy(); ?></a>
-                            <td><a href="<?= $url; ?>"><?= $value->getCreatedAt()->format('Y-m-d H:i:s'); ?></a>
+                            <td><a href="<?= $url; ?>"><i class="fa fa-<?= htmlspecialchars($icon, ENT_COMPAT, 'utf-8'); ?>"></i></a>
+                            <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getName(), ENT_COMPAT, 'utf-8'); ?></a>
+                            <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getExtension(), ENT_COMPAT, 'utf-8'); ?></a>
+                            <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getSize(), ENT_COMPAT, 'utf-8'); ?></a>
+                            <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getCreatedBy(), ENT_COMPAT, 'utf-8'); ?></a>
+                            <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getCreatedAt()->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                         <?php endforeach; ?>
                         <?php if($count === 0) : ?>
-                <tr><td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                         <?php endif; ?>
             </table>
         </div>
diff --git a/Theme/Backend/media-single.tpl.php b/Theme/Backend/media-single.tpl.php
index 18c37d0..104e420 100644
--- a/Theme/Backend/media-single.tpl.php
+++ b/Theme/Backend/media-single.tpl.php
@@ -25,18 +25,18 @@ echo $this->getData('nav')->render();
 <div class="row">
     <div class="col-xs-12">
         <section class="box wf-100">
-            <header><h1><?= $media->getName() ?></h1></header>
+            <header><h1><?= htmlspecialchars($media->getName() , ENT_COMPAT, 'utf-8'); ?></h1></header>
             <div class="inner">
                 <table class="list w-100">
                     <tbody>
-                        <tr><td>Size<td class="wf-100"><?= $media->getSize(); ?>
-                        <tr><td>Created at<td><?= $media->getCreatedAt()->format('Y-m-d'); ?>
-                        <tr><td>Created by<td><?= $media->getCreatedBy(); ?>
-                        <tr><td>Description<td><?= $media->getDescription(); ?>
+                        <tr><td>Size<td class="wf-100"><?= htmlspecialchars($media->getSize(), ENT_COMPAT, 'utf-8'); ?>
+                        <tr><td>Created at<td><?= htmlspecialchars($media->getCreatedAt()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?>
+                        <tr><td>Created by<td><?= htmlspecialchars($media->getCreatedBy(), ENT_COMPAT, 'utf-8'); ?>
+                        <tr><td>Description<td><?= htmlspecialchars($media->getDescription(), ENT_COMPAT, 'utf-8'); ?>
                         <tr><td colspan="2">Content
                 </table>
                 <?php if(\phpOMS\System\File\FileUtils::getExtensionType($media->getExtension()) === \phpOMS\System\File\ExtensionType::IMAGE) : ?>
-                    <div class="h-overflow"><img src="<?= $this->request->getUri()->getBase() . $media->getPath(); ?>"></div>
+                    <div class="h-overflow"><img src="<?= htmlspecialchars($this->request->getUri()->getBase() . $media->getPath(), ENT_COMPAT, 'utf-8'); ?>"></div>
                 <?php elseif($media->getExtension() === 'collection') : ?>
                     collection
                 <?php else : ?>
@@ -45,7 +45,7 @@ echo $this->getData('nav')->render();
                     $output = htmlspecialchars(file_get_contents(__DIR__ . '/../../../../' . $media->getPath()));
                     $output = str_replace(["\r\n", "\r"], "\n", $output);
                     $output = explode("\n", $output);
-                    foreach($output as $line) : ?><span><?= $line; ?></span><?php endforeach; ?>
+                    foreach($output as $line) : ?><span><?= htmlspecialchars($line, ENT_COMPAT, 'utf-8'); ?></span><?php endforeach; ?>
                     </pre>
                 <?php endif; ?>
             </div>

-	getText('Name'); ?> -	getText('Type'); ?> -	getText('Size'); ?> -	getText('Creator'); ?> -	getText('Created'); ?> +	getHtml('Name') ?> +	getHtml('Type') ?> +	getHtml('Size') ?> +	getHtml('Creator') ?> +	getHtml('Created') ?>
render(); ?> +			render(), ENT_COMPAT, 'utf-8'); ?>
-	getName(); ?> -	getExtension(); ?> -	getSize(); ?> -	getCreatedBy(); ?> -	getCreatedAt()->format('Y-m-d H:i:s'); ?> +	+	getName(), ENT_COMPAT, 'utf-8'); ?> +	getExtension(), ENT_COMPAT, 'utf-8'); ?> +	getSize(), ENT_COMPAT, 'utf-8'); ?> +	getCreatedBy(), ENT_COMPAT, 'utf-8'); ?> +	getCreatedAt()->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?> -
getText('Empty', 0, 0); ?> +
getHtml('Empty', 0, 0); ?>
Size	getSize(); ?> -
Created at	getCreatedAt()->format('Y-m-d'); ?> -
Created by	getCreatedBy(); ?> -
Description	getDescription(); ?> +
Size	getSize(), ENT_COMPAT, 'utf-8'); ?> +
Created at	getCreatedAt()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?> +
Created by	getCreatedBy(), ENT_COMPAT, 'utf-8'); ?> +
Description	getDescription(), ENT_COMPAT, 'utf-8'); ?>
Content