From 9e1194082d6461bda0003fafba2abd90fd4d07af Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/dashboard.tpl.php        | 34 +++++++++++++-------------
 Theme/Backend/mail-create.tpl.php      | 10 ++++----
 Theme/Backend/mail-out-view.tpl.php    | 26 ++++++++++----------
 Theme/Backend/mail-spam-view.tpl.php   | 26 ++++++++++----------
 Theme/Backend/mail-trash-view.tpl.php  | 26 ++++++++++----------
 Theme/Backend/mail-view.tpl.php        |  4 +--
 Theme/Backend/message-settings.tpl.php | 34 +++++++++++++-------------
 7 files changed, 80 insertions(+), 80 deletions(-)

diff --git a/Theme/Backend/dashboard.tpl.php b/Theme/Backend/dashboard.tpl.php
index b11c2aa..3f27e38 100644
--- a/Theme/Backend/dashboard.tpl.php
+++ b/Theme/Backend/dashboard.tpl.php
@@ -22,46 +22,46 @@ echo $this->getData('nav')->render(); ?>
 
 <section class="box w-100">
     <ul class="btns floatLeft">
-        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getText('Create', 0, 0); ?></a>
-        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getText('Delete'); ?></a>
+        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getHtml('Create', 0, 0); ?></a>
+        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getHtml('Delete') ?></a>
     </ul>
 </section>
 
 <div class="box w-100">
     <table class="table red">
-        <caption><?= $this->getText('Messages'); ?></caption>
+        <caption><?= $this->getHtml('Messages') ?></caption>
         <thead>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><?= $this->getText('Tag'); ?>
-            <td class="wf-100"><?= $this->getText('Subject'); ?>
-            <td><?= $this->getText('From'); ?>
-            <td><?= $this->getText('Date'); ?>
+            <td><?= $this->getHtml('Tag') ?>
+            <td class="wf-100"><?= $this->getHtml('Subject') ?>
+            <td><?= $this->getHtml('From') ?>
+            <td><?= $this->getHtml('Date') ?>
         <tfoot>
-        <tr><td colspan="5"><?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']); ?> / <?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']); ?>
+        <tr><td colspan="5"><?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']), ENT_COMPAT, 'utf-8'); ?> / <?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
             <?php $count = 0; foreach($unseen as $key => $value) : $count++;
             $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/single?{?}&id=' . $value->uid); ?>
             <tr>
                 <td><span class="check"><input type="checkbox"></span>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= str_replace('_',' ', mb_decode_mimeheader($value->subject)); ?></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= $value->from; ?></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= (new \DateTime($value->date))->format('Y-m-d H:i:s'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($value->subject)), ENT_COMPAT, 'utf-8'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars($value->from, ENT_COMPAT, 'utf-8'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars((new \DateTime($value->date))->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
             <?php endforeach; ?>
 
                     <?php foreach($seen as $key => $value) : $count++;
                     $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/single?{?}&id=' . $value->uid); ?>
             <tr>
                 <td><span class="check"><input type="checkbox"></span>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= str_replace('_',' ', mb_decode_mimeheader($value->subject)); ?></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= $value->from; ?></a>
-                <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= (new \DateTime($value->date))->format('Y-m-d H:i:s'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($value->subject)), ENT_COMPAT, 'utf-8'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars($value->from, ENT_COMPAT, 'utf-8'); ?></a>
+                <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars((new \DateTime($value->date))->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                     <?php endforeach; ?>
             <?php if($count < 1) : ?>
         <tr>
-            <td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+            <td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
         <?php endif; ?>
     </table>
 </div>
diff --git a/Theme/Backend/mail-create.tpl.php b/Theme/Backend/mail-create.tpl.php
index e9d417c..629d2da 100644
--- a/Theme/Backend/mail-create.tpl.php
+++ b/Theme/Backend/mail-create.tpl.php
@@ -18,13 +18,13 @@ echo $this->getData('nav')->render(); ?>
     <div class="inner">
         <form>
             <table class="layout wf-100">
-                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getText('To'); ?>" name="to">
-                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getText('CC'); ?>" name="cc">
-                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getText('BCC'); ?>" name="bcc">
-                <tr><td><td><input type="text" placeholder="&#xf040; <?= $this->getText('Subject'); ?>" name="subject">
+                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getHtml('To') ?>" name="to">
+                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getHtml('CC') ?>" name="cc">
+                <tr><td style="width: 1%"><button class="simple"><i class="fa fa-book"></i></button><td><input type="text" placeholder="&#xf007; <?= $this->getHtml('BCC') ?>" name="bcc">
+                <tr><td><td><input type="text" placeholder="&#xf040; <?= $this->getHtml('Subject') ?>" name="subject">
                 <tr><td><td><input type="file" name="files" multiple>
                 <tr><td><td><div class="textarea" contenteditable="true" style="height: 400px;"></div><textarea placeholder="&#xf040;" style="display: none" name="mail"></textarea>
-                <tr><td><td><input type="submit" value="<?= $this->getText('Send', 0); ?>"> <input type="submit" value="<?= $this->getText('Save', 0); ?>">
+                <tr><td><td><input type="submit" value="<?= $this->getHtml('Send', 0) ?>"> <input type="submit" value="<?= $this->getHtml('Save', 0) ?>">
             </table>
         </form>
     </div>
diff --git a/Theme/Backend/mail-out-view.tpl.php b/Theme/Backend/mail-out-view.tpl.php
index 4e5664a..c6f8b3d 100644
--- a/Theme/Backend/mail-out-view.tpl.php
+++ b/Theme/Backend/mail-out-view.tpl.php
@@ -21,36 +21,36 @@ echo $this->getData('nav')->render(); ?>
 
 <section class="box w-100">
     <ul class="btns floatLeft">
-        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getText('Create', 0, 0); ?></a>
-        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getText('Delete'); ?></a>
+        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getHtml('Create', 0, 0); ?></a>
+        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getHtml('Delete') ?></a>
     </ul>
 </section>
 
 <div class="box w-100">
     <table class="table red">
-        <caption><?= $this->getText('Messages'); ?></caption>
+        <caption><?= $this->getHtml('Messages') ?></caption>
         <thead>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><?= $this->getText('Tag'); ?>
-            <td class="wf-100"><?= $this->getText('Subject'); ?>
-            <td><?= $this->getText('From'); ?>
-            <td><?= $this->getText('Date'); ?>
+            <td><?= $this->getHtml('Tag') ?>
+            <td class="wf-100"><?= $this->getHtml('Subject') ?>
+            <td><?= $this->getHtml('From') ?>
+            <td><?= $this->getHtml('Date') ?>
         <tfoot>
-        <tr><td colspan="5"><?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']); ?> / <?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']); ?>
+        <tr><td colspan="5"><?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']), ENT_COMPAT, 'utf-8'); ?> / <?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
         <?php $count = 0; foreach($sent as $key => $value) : $count++;
         $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/single?{?}&id=' . $value->uid); ?>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= str_replace('_',' ', mb_decode_mimeheader($value->subject)); ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= $value->from; ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= (new \DateTime($value->date))->format('Y-m-d H:i:s'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($value->subject)), ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars($value->from, ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars((new \DateTime($value->date))->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count < 1) : ?>
         <tr>
-            <td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+            <td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
     </table>
 </div>
diff --git a/Theme/Backend/mail-spam-view.tpl.php b/Theme/Backend/mail-spam-view.tpl.php
index 4e5664a..c6f8b3d 100644
--- a/Theme/Backend/mail-spam-view.tpl.php
+++ b/Theme/Backend/mail-spam-view.tpl.php
@@ -21,36 +21,36 @@ echo $this->getData('nav')->render(); ?>
 
 <section class="box w-100">
     <ul class="btns floatLeft">
-        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getText('Create', 0, 0); ?></a>
-        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getText('Delete'); ?></a>
+        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getHtml('Create', 0, 0); ?></a>
+        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getHtml('Delete') ?></a>
     </ul>
 </section>
 
 <div class="box w-100">
     <table class="table red">
-        <caption><?= $this->getText('Messages'); ?></caption>
+        <caption><?= $this->getHtml('Messages') ?></caption>
         <thead>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><?= $this->getText('Tag'); ?>
-            <td class="wf-100"><?= $this->getText('Subject'); ?>
-            <td><?= $this->getText('From'); ?>
-            <td><?= $this->getText('Date'); ?>
+            <td><?= $this->getHtml('Tag') ?>
+            <td class="wf-100"><?= $this->getHtml('Subject') ?>
+            <td><?= $this->getHtml('From') ?>
+            <td><?= $this->getHtml('Date') ?>
         <tfoot>
-        <tr><td colspan="5"><?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']); ?> / <?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']); ?>
+        <tr><td colspan="5"><?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']), ENT_COMPAT, 'utf-8'); ?> / <?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
         <?php $count = 0; foreach($sent as $key => $value) : $count++;
         $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/single?{?}&id=' . $value->uid); ?>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= str_replace('_',' ', mb_decode_mimeheader($value->subject)); ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= $value->from; ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= (new \DateTime($value->date))->format('Y-m-d H:i:s'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($value->subject)), ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars($value->from, ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars((new \DateTime($value->date))->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count < 1) : ?>
         <tr>
-            <td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+            <td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
     </table>
 </div>
diff --git a/Theme/Backend/mail-trash-view.tpl.php b/Theme/Backend/mail-trash-view.tpl.php
index 4e5664a..c6f8b3d 100644
--- a/Theme/Backend/mail-trash-view.tpl.php
+++ b/Theme/Backend/mail-trash-view.tpl.php
@@ -21,36 +21,36 @@ echo $this->getData('nav')->render(); ?>
 
 <section class="box w-100">
     <ul class="btns floatLeft">
-        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getText('Create', 0, 0); ?></a>
-        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getText('Delete'); ?></a>
+        <li><a href="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/create'); ?>"><i class="fa fa-pencil"></i> <?{?}= $this->getHtml('Create', 0, 0); ?></a>
+        <li><a href=""><i class="fa fa-trash"></i> <?= $this->getHtml('Delete') ?></a>
     </ul>
 </section>
 
 <div class="box w-100">
     <table class="table red">
-        <caption><?= $this->getText('Messages'); ?></caption>
+        <caption><?= $this->getHtml('Messages') ?></caption>
         <thead>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><?= $this->getText('Tag'); ?>
-            <td class="wf-100"><?= $this->getText('Subject'); ?>
-            <td><?= $this->getText('From'); ?>
-            <td><?= $this->getText('Date'); ?>
+            <td><?= $this->getHtml('Tag') ?>
+            <td class="wf-100"><?= $this->getHtml('Subject') ?>
+            <td><?= $this->getHtml('From') ?>
+            <td><?= $this->getHtml('Date') ?>
         <tfoot>
-        <tr><td colspan="5"><?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']); ?> / <?= \phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']); ?>
+        <tr><td colspan="5"><?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['usage']), ENT_COMPAT, 'utf-8'); ?> / <?= htmlspecialchars(\phpOMS\Utils\Converter\File::kilobyteSizeToString($quota['limit']), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
         <?php $count = 0; foreach($sent as $key => $value) : $count++;
         $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/messages/mail/single?{?}&id=' . $value->uid); ?>
         <tr>
             <td><span class="check"><input type="checkbox"></span>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= str_replace('_',' ', mb_decode_mimeheader($value->subject)); ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= $value->from; ?></a>
-            <td><a href="<?= $url; ?>"<?= $value->seen == 0 ? ' class="unseen"' : ''; ?>><?= (new \DateTime($value->date))->format('Y-m-d H:i:s'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($value->subject)), ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars($value->from, ENT_COMPAT, 'utf-8'); ?></a>
+            <td><a href="<?= $url; ?>"<?= htmlspecialchars($value->seen == 0 ? ' class="unseen"' : '', ENT_COMPAT, 'utf-8'); ?>><?= htmlspecialchars((new \DateTime($value->date))->format('Y-m-d H:i:s'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count < 1) : ?>
         <tr>
-            <td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+            <td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
     </table>
 </div>
diff --git a/Theme/Backend/mail-view.tpl.php b/Theme/Backend/mail-view.tpl.php
index 0626908..c1c5334 100644
--- a/Theme/Backend/mail-view.tpl.php
+++ b/Theme/Backend/mail-view.tpl.php
@@ -19,8 +19,8 @@ $mails = $mail->getEmail($this->getData('id'));
 echo $this->getData('nav')->render(); ?>
 
 <section class="box w-100">
-    <header><h1><?= str_replace('_',' ', mb_decode_mimeheader($mails['overview'][0]->subject)); ?></h1></header>
+    <header><h1><?= htmlspecialchars(str_replace('_',' ', mb_decode_mimeheader($mails['overview'][0]->subject)), ENT_COMPAT, 'utf-8'); ?></h1></header>
     <div class="inner">
-        <?= $mail::decode($mails['body'], $mails['encoding']->encoding); ?>
+        <?= htmlspecialchars($mail::decode($mails['body'], $mails['encoding']->encoding), ENT_COMPAT, 'utf-8'); ?>
     </div>
 </section>
diff --git a/Theme/Backend/message-settings.tpl.php b/Theme/Backend/message-settings.tpl.php
index e011147..aa5b69e 100644
--- a/Theme/Backend/message-settings.tpl.php
+++ b/Theme/Backend/message-settings.tpl.php
@@ -19,46 +19,46 @@ $boxes = $mail->getBoxes();
 echo $this->getData('nav')->render(); ?>
 
 <section class="box w-33">
-    <header><h1><?= $this->getText('Mailboxes'); ?></h1></header>
+    <header><h1><?= $this->getHtml('Mailboxes') ?></h1></header>
     <div class="inner">
         <form>
             <table class="layout">
-                <tr><td><label for="iInbox"><?= $this->getText('Inbox'); ?></label>
+                <tr><td><label for="iInbox"><?= $this->getHtml('Inbox') ?></label>
                 <tr><td><select id="iInbox" name="inbox">
-                            <option value=""><?= $this->getText('Select'); ?>
+                            <option value=""><?= $this->getHtml('Select') ?>
                             <?php foreach($boxes as $box) : ?>
-                            <option value="<?= $box; ?>"><?= $box; ?>
+                            <option value="<?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>"><?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>
                             <?php endforeach; ?>
                         </select>
-                <tr><td><label for="iOutbox"><?= $this->getText('Outbox'); ?></label>
+                <tr><td><label for="iOutbox"><?= $this->getHtml('Outbox') ?></label>
                 <tr><td><select id="iOutbox" name="outbox">
-                            <option value=""><?= $this->getText('Select'); ?>
+                            <option value=""><?= $this->getHtml('Select') ?>
                             <?php foreach($boxes as $box) : ?>
-                            <option value="<?= $box; ?>"><?= $box; ?>
+                            <option value="<?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>"><?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>
                                 <?php endforeach; ?>
                         </select>
-                <tr><td><label for="iDraft"><?= $this->getText('Draft'); ?></label>
+                <tr><td><label for="iDraft"><?= $this->getHtml('Draft') ?></label>
                 <tr><td><select id="iDraft" name="draft">
-                            <option value=""><?= $this->getText('Select'); ?>
+                            <option value=""><?= $this->getHtml('Select') ?>
                             <?php foreach($boxes as $box) : ?>
-                            <option value="<?= $box; ?>"><?= $box; ?>
+                            <option value="<?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>"><?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>
                                 <?php endforeach; ?>
                         </select>
-                <tr><td><label for="iTrash"><?= $this->getText('Trash'); ?></label>
+                <tr><td><label for="iTrash"><?= $this->getHtml('Trash') ?></label>
                 <tr><td><select id="iTrash" name="trash">
-                            <option value=""><?= $this->getText('Select'); ?>
+                            <option value=""><?= $this->getHtml('Select') ?>
                             <?php foreach($boxes as $box) : ?>
-                            <option value="<?= $box; ?>"><?= $box; ?>
+                            <option value="<?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>"><?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>
                                 <?php endforeach; ?>
                         </select>
-                <tr><td><label for="iSpam"><?= $this->getText('Spam'); ?></label>
+                <tr><td><label for="iSpam"><?= $this->getHtml('Spam') ?></label>
                 <tr><td><select id="iSpam" name="spam">
-                            <option value=""><?= $this->getText('Select'); ?>
+                            <option value=""><?= $this->getHtml('Select') ?>
                             <?php foreach($boxes as $box) : ?>
-                            <option value="<?= $box; ?>"><?= $box; ?>
+                            <option value="<?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>"><?= htmlspecialchars($box, ENT_COMPAT, 'utf-8'); ?>
                                 <?php endforeach; ?>
                         </select>
-                <tr><td><input type="submit" value="<?= $this->getText('Save'); ?>">
+                <tr><td><input type="submit" value="<?= $this->getHtml('Save') ?>">
             </table>
         </form>
     </div>