From e80d7230fb65f693b2a6c43076a34d1a4a51cb8a Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 .../Backend/projectmanagement-create.tpl.php  | 34 +++++++++---------
 Theme/Backend/projectmanagement-list.tpl.php  | 18 +++++-----
 .../Backend/projectmanagement-profile.tpl.php | 36 +++++++++----------
 3 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/Theme/Backend/projectmanagement-create.tpl.php b/Theme/Backend/projectmanagement-create.tpl.php
index 4d08893..57b95cc 100644
--- a/Theme/Backend/projectmanagement-create.tpl.php
+++ b/Theme/Backend/projectmanagement-create.tpl.php
@@ -18,35 +18,35 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Project'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Project') ?></h1></header>
             <div class="inner">
                 <form>
                     <table class="layout wf-100">
-                        <tr><td colspan="3"><label for="iName"><?= $this->getText('Name'); ?></label>
+                        <tr><td colspan="3"><label for="iName"><?= $this->getHtml('Name') ?></label>
                         <tr><td colspan="2"><input type="text" id="iName" name="name" placeholder="" required><td>
-                        <tr><td colspan="3"><label for="iDescription"><?= $this->getText('Description'); ?></label>
+                        <tr><td colspan="3"><label for="iDescription"><?= $this->getHtml('Description') ?></label>
                         <tr><td colspan="2"><textarea id="iDescription" name="description"></textarea><td>
-                        <tr><td colspan="3"><label for="iStatus"><?= $this->getText('Status'); ?></label>
+                        <tr><td colspan="3"><label for="iStatus"><?= $this->getHtml('Status') ?></label>
                         <tr><td colspan="2"><select id="iStatus" name="status">
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::ACTIVE ?>"><?= $this->getText('Active'); ?>
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::INACTIVE ?>"><?= $this->getText('Inactive'); ?>
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::FINISHED ?>"><?= $this->getText('Finished'); ?>
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::CANCELED ?>"><?= $this->getText('Canceled'); ?>
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::HOLD ?>"><?= $this->getText('Hold'); ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::ACTIVE , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Active') ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::INACTIVE , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Inactive') ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::FINISHED , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Finished') ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::CANCELED , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Canceled') ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::HOLD , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Hold') ?>
                                 </select><td>
-                        <tr><td colspan="3"><label for="iFiles"><?= $this->getText('Files'); ?></label>
+                        <tr><td colspan="3"><label for="iFiles"><?= $this->getHtml('Files') ?></label>
                         <tr><td colspan="2"><input type="file" id="iFiles" name="file" multiple><td>
-                        <tr><td colspan="3"><label for="iBudget"><?= $this->getText('Budget'); ?></label>
+                        <tr><td colspan="3"><label for="iBudget"><?= $this->getHtml('Budget') ?></label>
                         <tr><td colspan="2"><input type="text" id="iBudget" name="budget" placeholder=""><td>
-                        <tr><td><label for="iDue"><?= $this->getText('Start'); ?></label><td><label for="iDue"><?= $this->getText('Due'); ?></label><td>
+                        <tr><td><label for="iDue"><?= $this->getHtml('Start') ?></label><td><label for="iDue"><?= $this->getHtml('Due') ?></label><td>
                         <tr><td><input type="datetime-local" id="iDue" name="due"><td><input type="datetime-local" id="iDue" name="due"><td>
-                        <tr><td><label for="iResponsibility"><?= $this->getText('Responsibility'); ?></label><td><label for="iUser"><?= $this->getText('UserGroup'); ?></label><td>
+                        <tr><td><label for="iResponsibility"><?= $this->getHtml('Responsibility') ?></label><td><label for="iUser"><?= $this->getHtml('UserGroup') ?></label><td>
                         <tr><td><select id="iStatus" name="status">
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectResponsibility::MANAGER ?>"><?= $this->getText('Manager'); ?>
-                                    <option value="<?= \Modules\ProjectManagement\Models\ProjectResponsibility::OTHER ?>"><?= $this->getText('Other'); ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectResponsibility::MANAGER , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Manager') ?>
+                                    <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectResponsibility::OTHER , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Other') ?>
                                 </select>
-                            <td><span class="input"><button type="button" formaction=""><i class="fa fa-book"></i></button><input type="text" id="iUser" name="user" placeholder=""></span><td><button><?= $this->getText('Add', 0, 0); ?></button>
-                        <tr><td colspan="3"><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>">
+                            <td><span class="input"><button type="button" formaction=""><i class="fa fa-book"></i></button><input type="text" id="iUser" name="user" placeholder=""></span><td><button><?= $this->getHtml('Add', 0, 0); ?></button>
+                        <tr><td colspan="3"><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>">
                     </table>
                 </form>
             </div>
diff --git a/Theme/Backend/projectmanagement-list.tpl.php b/Theme/Backend/projectmanagement-list.tpl.php
index 5e3052b..0d2571b 100644
--- a/Theme/Backend/projectmanagement-list.tpl.php
+++ b/Theme/Backend/projectmanagement-list.tpl.php
@@ -26,25 +26,25 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Projects') ?></caption>
+                <caption><?= $this->getHtml('Projects'); ?></caption>
                 <thead>
                 <tr>
-                    <td class="wf-100"><?= $this->getText('Title'); ?>
-                    <td><?= $this->getText('Start'); ?>
-                    <td><?= $this->getText('Due'); ?>
+                    <td class="wf-100"><?= $this->getHtml('Title') ?>
+                    <td><?= $this->getHtml('Start') ?>
+                    <td><?= $this->getHtml('Due') ?>
                 <tfoot>
                 <tr>
-                    <td colspan="5"><?= $footerView->render(); ?>
+                    <td colspan="5"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                 <tbody>
                 <?php $count = 0; foreach($list as $key => $value) : $count++; 
                 $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/projectmanagement/profile?{?}&id=' . $value->getId());?>
                 <tr>
-                    <td><a href="<?= $url; ?>"><?= $value->getName(); ?></a>
-                    <td><a href="<?= $url; ?>"><?= $value->getStart()->format('Y-m-d'); ?></a>
-                    <td><a href="<?= $url; ?>"><?= $value->getEnd()->format('Y-m-d'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getName(), ENT_COMPAT, 'utf-8'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getStart()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getEnd()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; ?>
                 <?php if($count === 0) : ?>
-                <tr><td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                         <?php endif; ?>
             </table>
         </div>
diff --git a/Theme/Backend/projectmanagement-profile.tpl.php b/Theme/Backend/projectmanagement-profile.tpl.php
index e00f1bd..70f78ae 100644
--- a/Theme/Backend/projectmanagement-profile.tpl.php
+++ b/Theme/Backend/projectmanagement-profile.tpl.php
@@ -20,20 +20,20 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $project->getName(); ?></h1></header>
+            <header><h1><?= htmlspecialchars($project->getName(), ENT_COMPAT, 'utf-8'); ?></h1></header>
             <div class="inner">
                 <form id="fProject" method="POST" action="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/api/projectmanagement?{?}&csrf={$CSRF}'); ?>">
                     <table class="layout wf-100">
                         <tbody>
-                        <tr><td colspan="2"><label for="iName"><?= $this->getText('Name'); ?></label>
-                        <tr><td colspan="2"><input type="text" id="iName" name="name" placeholder="&#xf007; Name" value="<?= $project->getName(); ?>" required>
-                        <tr><td><label for="iStart"><?= $this->getText('Start'); ?></label>
-                            <td><label for="iEnd"><?= $this->getText('End'); ?></label>
-                        <tr><td><input type="datetime-local" id="iStart" name="start" value="<?= $project->getStart()->format('Y-m-d\TH:i:s'); ?>">
-                            <td><input type="datetime-local" id="iEnd" name="end" value="<?= $project->getEnd()->format('Y-m-d\TH:i:s'); ?>">
-                        <tr><td colspan="2"><label for="iDescription"><?= $this->getText('Description'); ?></label>
-                        <tr><td colspan="2"><textarea id="iDescription" name="desc"><?= $project->getDescription(); ?></textarea>
-                        <tr><td colspan="2"><input type="submit" value="<?= $this->getText('Save', 0, 0); ?>">
+                        <tr><td colspan="2"><label for="iName"><?= $this->getHtml('Name') ?></label>
+                        <tr><td colspan="2"><input type="text" id="iName" name="name" placeholder="&#xf007; Name" value="<?= htmlspecialchars($project->getName(), ENT_COMPAT, 'utf-8'); ?>" required>
+                        <tr><td><label for="iStart"><?= $this->getHtml('Start') ?></label>
+                            <td><label for="iEnd"><?= $this->getHtml('End') ?></label>
+                        <tr><td><input type="datetime-local" id="iStart" name="start" value="<?= htmlspecialchars($project->getStart()->format('Y-m-d\TH:i:s'), ENT_COMPAT, 'utf-8'); ?>">
+                            <td><input type="datetime-local" id="iEnd" name="end" value="<?= htmlspecialchars($project->getEnd()->format('Y-m-d\TH:i:s'), ENT_COMPAT, 'utf-8'); ?>">
+                        <tr><td colspan="2"><label for="iDescription"><?= $this->getHtml('Description') ?></label>
+                        <tr><td colspan="2"><textarea id="iDescription" name="desc"><?= htmlspecialchars($project->getDescription(), ENT_COMPAT, 'utf-8'); ?></textarea>
+                        <tr><td colspan="2"><input type="submit" value="<?= $this->getHtml('Save', 0, 0); ?>">
                     </table>
                 </form>
             </div>
@@ -43,11 +43,11 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12 col-md-6">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Tasks', 'Tasks'); ?></caption>
+                <caption><?= $this->getHtml('Tasks', 'Tasks') ?></caption>
                 <thead>
-                    <td><?= $this->getText('Status'); ?>
-                    <td><?= $this->getText('Due', 'Tasks'); ?>
-                    <td class="full"><?= $this->getText('Title'); ?>
+                    <td><?= $this->getHtml('Status') ?>
+                    <td><?= $this->getHtml('Due', 'Tasks') ?>
+                    <td class="full"><?= $this->getHtml('Title') ?>
                 <tfoot>
                 <tbody>
                 <?php $c = 0; foreach($tasks as $key => $task) : $c++;
@@ -59,11 +59,11 @@ echo $this->getData('nav')->render(); ?>
                 elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::CANCELED) { $color = 'red'; }
                 elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::SUSPENDED) { $color = 'yellow'; } ;?>
                     <tr>
-                        <td><a href="<?= $url; ?>"><span class="tag <?= $color; ?>"><?= $this->getText('S' . $task->getStatus(), 'Tasks'); ?></span></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getDue()->format('Y-m-d H:i'); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getTitle(); ?></a>
+                        <td><a href="<?= $url; ?>"><span class="tag <?= htmlspecialchars($color, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('S' . $task->getStatus(), 'Tasks') ?></span></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getTitle(), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; if($c == 0) : ?>
-                <tr><td colspan="6" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="6" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
             </table>
         </div>

getText('Title'); ?> -	getText('Start'); ?> -	getText('Due'); ?> +	getHtml('Title') ?> +	getHtml('Start') ?> +	getHtml('Due') ?>
render(); ?> +					render(), ENT_COMPAT, 'utf-8'); ?>
getName(); ?> -	getStart()->format('Y-m-d'); ?> -	getEnd()->format('Y-m-d'); ?> +	getName(), ENT_COMPAT, 'utf-8'); ?> +	getStart()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?> +	getEnd()->format('Y-m-d'), ENT_COMPAT, 'utf-8'); ?> -
getText('Empty', 0, 0); ?> +
getHtml('Empty', 0, 0); ?>
getText('Status'); ?> -	getText('Due', 'Tasks'); ?> -	getText('Title'); ?> +	getHtml('Status') ?> +	getHtml('Due', 'Tasks') ?> +	getHtml('Title') ?>
getText('S' . $task->getStatus(), 'Tasks'); ?> -	getDue()->format('Y-m-d H:i'); ?> -	getTitle(); ?> +	getHtml('S' . $task->getStatus(), 'Tasks') ?> +	getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?> +	getTitle(), ENT_COMPAT, 'utf-8'); ?> -
getText('Empty', 0, 0); ?> +
getHtml('Empty', 0, 0); ?>