From 36ae3b24700a5951ef1c93faa2a6020b069ee371 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 .../AccountGroupSelector/base.tpl.php         | 18 +++----
 .../AccountGroupSelector/popup.tpl.php        | 10 ++--
 Theme/Backend/profile-list.tpl.php            | 18 +++----
 Theme/Backend/profile-single.tpl.php          | 52 +++++++++----------
 4 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/Theme/Backend/Components/AccountGroupSelector/base.tpl.php b/Theme/Backend/Components/AccountGroupSelector/base.tpl.php
index 7a0d2ac..f607d36 100644
--- a/Theme/Backend/Components/AccountGroupSelector/base.tpl.php
+++ b/Theme/Backend/Components/AccountGroupSelector/base.tpl.php
@@ -10,26 +10,26 @@
         ]
     }
 ]' formaction=""><i class="fa fa-book"></i></button>
-<input type="text" list="<?= $this->getId(); ?>-datalist" id="<?= $this->getId(); ?>" name="receiver" placeholder="&#xf007; Guest" data-action='[
+<input type="text" list="<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-datalist" id="<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>" name="receiver" placeholder="&#xf007; Guest" data-action='[
     {
         "key": 1, "listener": "keyup", "action": [
             {"key": 1, "type": "validate.keypress", "pressed": "!enter"},
-            {"key": 2, "type": "utils.timer", "id": "<?= $this->getId(); ?>", "delay": 500, "resets": true},
-            {"key": 3, "type": "dom.datalist.clear", "id": "<?= $this->getId(); ?>-datalist"},
-            {"key": 4, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#<?= $this->getId(); ?>}", "method": "GET", "request_type": "json"},
-            {"key": 5, "type": "dom.datalist.append", "id": "<?= $this->getId(); ?>-datalist", "value": "id", "text": "name"}
+            {"key": 2, "type": "utils.timer", "id": "<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>", "delay": 500, "resets": true},
+            {"key": 3, "type": "dom.datalist.clear", "id": "<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-datalist"},
+            {"key": 4, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>}", "method": "GET", "request_type": "json"},
+            {"key": 5, "type": "dom.datalist.append", "id": "<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-datalist", "value": "id", "text": "name"}
         ]
     },
     {
         "key": 2, "listener": "keyup", "action" : [
             {"key": 1, "type": "validate.keypress", "pressed": "enter"},
-            {"key": 2, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#<?= $this->getId(); ?>}", "method": "GET", "request_type": "json"},
-            {"key": 3, "type": "dom.set", "id": "<?= $this->getId(); ?>-idlist" "data": ""}
+            {"key": 2, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>}", "method": "GET", "request_type": "json"},
+            {"key": 3, "type": "dom.set", "id": "<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-idlist" "data": ""}
         ]
     }
 ]' required><!-- todo: handle keyup-enter -->
-<datalist id="<?= $this->getId(); ?>-datalist"></datalist>
-<input type="text" id="<?= $this->getId(); ?>-list"></span>
+<datalist id="<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-datalist"></datalist>
+<input type="text" id="<?= htmlspecialchars($this->getId(), ENT_COMPAT, 'utf-8'); ?>-list"></span>
 <!--
 <ul class="select" data-action='[
     {
diff --git a/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php b/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
index 26cad0a..846f7b9 100644
--- a/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
+++ b/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
@@ -1,13 +1,13 @@
 <template id="acc-grp-tpl">
     <section id="acc-grp" class="box w-50" style="z-index: 9; position: absolute; margin: 0 auto; left: 50%; top: 50%; transform: translate(-50%, -50%);">
-        <header><h1><?= $this->getText('Account/Group', 'Admin'); ?></h1></header>
+        <header><h1><?= $this->getHtml('Account/Group', 'Admin') ?></h1></header>
 
         <div class="inner">
         <div class="tabular-2">
             <div class="box wf-100">
                 <ul class="tab-links">
-                    <li><label for="c-tab-1"><?= $this->getText('Account', 'Admin'); ?></label>
-                    <li><label for="c-tab-2"><?= $this->getText('Group', 'Admin'); ?></label>
+                    <li><label for="c-tab-1"><?= $this->getHtml('Account', 'Admin') ?></label>
+                    <li><label for="c-tab-2"><?= $this->getHtml('Group', 'Admin') ?></label>
                 </ul>
             </div>
             <div class="tab-content">
@@ -46,7 +46,7 @@
                                             {"key": 1, "type": "dom.remove", "tpl": "acc-grp", "aniOut": "fadeOut"}
                                         ]
                                     }
-                                ]'><?= $this->getText('Close', 'Admin'); ?></button>
+                                ]'><?= $this->getHtml('Close', 'Admin') ?></button>
                         </table>
                     </form>
                 </div>
@@ -82,7 +82,7 @@
                                             {"key": 1, "type": "dom.remove", "tpl": "acc-grp", "aniOut": "fadeOut"}
                                         ]
                                     }
-                                ]'><?= $this->getText('Close', 'Admin'); ?></button>
+                                ]'><?= $this->getHtml('Close', 'Admin') ?></button>
                         </table>
                     </form>
                 </div>
diff --git a/Theme/Backend/profile-list.tpl.php b/Theme/Backend/profile-list.tpl.php
index ee8fae1..5025a68 100644
--- a/Theme/Backend/profile-list.tpl.php
+++ b/Theme/Backend/profile-list.tpl.php
@@ -28,25 +28,25 @@ $accounts = $this->getData('accounts');
     <div class="col-xs-12">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Profiles'); ?></caption>
+                <caption><?= $this->getHtml('Profiles') ?></caption>
                 <thead>
                 <tr>
-                    <td><?= $this->getText('ID', 0, 0); ?>
-                    <td class="wf-100"><?= $this->getText('Name'); ?>
-                    <td><?= $this->getText('Activity'); ?>
+                    <td><?= $this->getHtml('ID', 0, 0); ?>
+                    <td class="wf-100"><?= $this->getHtml('Name') ?>
+                    <td><?= $this->getHtml('Activity') ?>
                 <tfoot>
                 <tr>
-                    <td colspan="3"><?= $footerView->render(); ?>
+                    <td colspan="3"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                 <tbody>
                 <?php $count = 0; foreach($accounts as $key => $account) : $count++;
                 $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/profile/single?{?}&id=' . $account->getId()); ?>
                     <tr data-href="<?= $url; ?>">
-                        <td><a href="<?= $url; ?>"><?= $account->getId(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $account->getName3() . ' ' . $account->getName2() . ' ' . $account->getName1(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $account->getLastActive()->format('Y-m-d'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($account->getId(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($account->getName3() . ' ' . $account->getName2() . ' ' . $account->getName1(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($account->getLastActive()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count === 0) : ?>
-                <tr><td colspan="3" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="3" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
             </table>
         </div>
diff --git a/Theme/Backend/profile-single.tpl.php b/Theme/Backend/profile-single.tpl.php
index 0cd6b00..da2a2fa 100644
--- a/Theme/Backend/profile-single.tpl.php
+++ b/Theme/Backend/profile-single.tpl.php
@@ -30,25 +30,25 @@ echo $this->getData('nav')->render();
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section itemscope itemtype="http://schema.org/Person" class="box wf-100">
-            <header><h1><?= $this->getText('Profile'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Profile') ?></h1></header>
             <div class="inner">
                 <!-- @formatter:off -->
                         <table class="list">
                             <tr>
-                                <th><?= $this->getText('Name'); ?>
-                                <td><span itemprop="familyName"><?= $account->getName3(); ?></span>, <span itemprop="givenName"><?= $account->getName1(); ?></span>
+                                <th><?= $this->getHtml('Name') ?>
+                                <td><span itemprop="familyName"><?= htmlspecialchars($account->getName3(), ENT_COMPAT, 'utf-8'); ?></span>, <span itemprop="givenName"><?= htmlspecialchars($account->getName1(), ENT_COMPAT, 'utf-8'); ?></span>
                             <tr>
-                                <th><?= $this->getText('Occupation'); ?>
+                                <th><?= $this->getHtml('Occupation') ?>
                                 <td itemprop="jobTitle">Sailor
                             <tr>
-                                <th><?= $this->getText('Birthday'); ?>
+                                <th><?= $this->getHtml('Birthday') ?>
                                 <td itemprop="birthDate">06.09.1934
                             <tr>
-                                <th><?= $this->getText('Ranks'); ?>
+                                <th><?= $this->getHtml('Ranks') ?>
                                 <td itemprop="memberOf">Gosling
                             <tr>
-                                <th><?= $this->getText('Email'); ?>
-                                <td itemprop="email"><a href="mailto:>donald.duck@email.com<"><?= $account->getEmail(); ?></a>
+                                <th><?= $this->getHtml('Email') ?>
+                                <td itemprop="email"><a href="mailto:>donald.duck@email.com<"><?= htmlspecialchars($account->getEmail(), ENT_COMPAT, 'utf-8'); ?></a>
                             <tr>
                                 <th>Address
                                 <td>
@@ -59,7 +59,7 @@ echo $this->getData('nav')->render();
                                 <th class="vT">Work
                                 <td itemprop="address">SMALLSYS INC<br>795 E DRAGRAM<br>TUCSON AZ 85705<br>USA
                             <tr>
-                                <th><?= $this->getText('Phone'); ?>
+                                <th><?= $this->getHtml('Phone') ?>
                                 <td>
                             <tr>
                                 <th>Private
@@ -71,14 +71,14 @@ echo $this->getData('nav')->render();
                                 <th>Work
                                 <td itemprop="telephone">+01 12345-4567
                             <tr>
-                                <th><?= $this->getText('Registered'); ?>
-                                <td><?= $account->getCreatedAt()->format('Y-m-d'); ?>
+                                <th><?= $this->getHtml('Registered') ?>
+                                <td><?= htmlspecialchars($account->getCreatedAt()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?>
                             <tr>
-                                <th><?= $this->getText('LastLogin'); ?>
-                                <td><?= $account->getLastActive()->format('Y-m-d'); ?>
+                                <th><?= $this->getHtml('LastLogin') ?>
+                                <td><?= htmlspecialchars($account->getLastActive()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?>
                             <tr>
-                                <th><?= $this->getText('Status'); ?>
-                                <td><span class="tag green"><?= $account->getStatus(); ?></span>
+                                <th><?= $this->getHtml('Status') ?>
+                                <td><span class="tag green"><?= htmlspecialchars($account->getStatus(), ENT_COMPAT, 'utf-8'); ?></span>
                         </table>
                         <!-- @formatter:on -->
             </div>
@@ -88,26 +88,26 @@ echo $this->getData('nav')->render();
     <div class="col-xs-12 col-md-6">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Media', 'Media'); ?></caption>
+                <caption><?= $this->getHtml('Media', 'Media') ?></caption>
                 <thead>
                 <tr>
-                    <td><?= $this->getText('ID', 0, 0); ?>
-                    <td class="wf-100"><?= $this->getText('Name', 'Media'); ?>
-                    <td><?= $this->getText('Type', 'Media'); ?>
-                    <td><?= $this->getText('Created', 'Media'); ?>
+                    <td><?= $this->getHtml('ID', 0, 0); ?>
+                    <td class="wf-100"><?= $this->getHtml('Name', 'Media') ?>
+                    <td><?= $this->getHtml('Type', 'Media') ?>
+                    <td><?= $this->getHtml('Created', 'Media') ?>
                 <tfoot>
-                <tr><td colspan="4"><?= $footerView->render(); ?>
+                <tr><td colspan="4"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                 <tbody>
                 <?php $c = 0; foreach ([] as $key => $value) : $c++;
                     $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/admin/group/settings?{?}&id=' . $value->getId()); ?>
                     <tr>
-                        <td><a href="<?= $url; ?>"><?= $value->getId(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $value->getNewestHistory()->getPosition(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $value->getNewestHistory()->getPosition(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $value->getNewestStatus()->getStatus(); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getId(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getNewestHistory()->getPosition(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getNewestHistory()->getPosition(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getNewestStatus()->getStatus(), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($c === 0) : ?>
-                    <tr><td colspan="4" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                    <tr><td colspan="4" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
             </table>
         </div>