From 6da40780e66b7f5be3e560064ee6e2cc2b002460 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/rnd-create.tpl.php | 34 ++++++++++++++++----------------
 Theme/Backend/rnd-list.tpl.php   | 24 +++++++++++-----------
 2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/Theme/Backend/rnd-create.tpl.php b/Theme/Backend/rnd-create.tpl.php
index de401e1..d17cc00 100644
--- a/Theme/Backend/rnd-create.tpl.php
+++ b/Theme/Backend/rnd-create.tpl.php
@@ -15,35 +15,35 @@
 echo $this->getData('nav')->render(); ?>
 
 <section class="box w-50">
-    <header><h1><?= $this->getText('Project'); ?></h1></header>
+    <header><h1><?= $this->getHtml('Project') ?></h1></header>
     <div class="inner">
         <form>
             <table class="layout wf-100">
-                <tr><td colspan="3"><label for="iName"><?= $this->getText('Name'); ?></label>
+                <tr><td colspan="3"><label for="iName"><?= $this->getHtml('Name') ?></label>
                 <tr><td colspan="2"><input type="text" id="iName" name="name" placeholder=""><td>
-                <tr><td colspan="3"><label for="iDescription"><?= $this->getText('Description'); ?></label>
+                <tr><td colspan="3"><label for="iDescription"><?= $this->getHtml('Description') ?></label>
                 <tr><td colspan="2"><textarea id="iDescription" name="description"></textarea><td>
-                <tr><td colspan="3"><label for="iStatus"><?= $this->getText('Status'); ?></label>
+                <tr><td colspan="3"><label for="iStatus"><?= $this->getHtml('Status') ?></label>
                 <tr><td colspan="2"><select id="iStatus" name="status">
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::ACTIVE ?>"><?= $this->getText('Active'); ?>
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::INACTIVE ?>"><?= $this->getText('Inactive'); ?>
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::FINISHED ?>"><?= $this->getText('Finished'); ?>
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::CANCELED ?>"><?= $this->getText('Canceled'); ?>
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectStatus::HOLD ?>"><?= $this->getText('Hold'); ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::ACTIVE , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Active') ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::INACTIVE , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Inactive') ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::FINISHED , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Finished') ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::CANCELED , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Canceled') ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectStatus::HOLD , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Hold') ?>
                         </select><td>
-                <tr><td colspan="3"><label for="iFiles"><?= $this->getText('Files'); ?></label>
+                <tr><td colspan="3"><label for="iFiles"><?= $this->getHtml('Files') ?></label>
                 <tr><td colspan="2"><input type="file" id="iFiles" name="file" multiple><td>
-                <tr><td colspan="3"><label for="iBudget"><?= $this->getText('Budget'); ?></label>
+                <tr><td colspan="3"><label for="iBudget"><?= $this->getHtml('Budget') ?></label>
                 <tr><td colspan="2"><input type="text" id="iBudget" name="budget" placeholder=""><td>
-                <tr><td><label for="iDue"><?= $this->getText('Start'); ?></label><td><label for="iDue"><?= $this->getText('Due'); ?></label><td>
+                <tr><td><label for="iDue"><?= $this->getHtml('Start') ?></label><td><label for="iDue"><?= $this->getHtml('Due') ?></label><td>
                 <tr><td><input type="datetime-local" id="iDue" name="due"><td><input type="datetime-local" id="iDue" name="due"><td>
-                <tr><td><label for="iResponsibility"><?= $this->getText('Responsibility'); ?></label><td><label for="iUser"><?= $this->getText('UserGroup'); ?></label><td>
+                <tr><td><label for="iResponsibility"><?= $this->getHtml('Responsibility') ?></label><td><label for="iUser"><?= $this->getHtml('UserGroup') ?></label><td>
                 <tr><td><select id="iStatus" name="status">
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectResponsibility::MANAGER ?>"><?= $this->getText('Manager'); ?>
-                            <option value="<?= \Modules\ProjectManagement\Models\ProjectResponsibility::OTHER ?>"><?= $this->getText('Other'); ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectResponsibility::MANAGER , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Manager') ?>
+                            <option value="<?= htmlspecialchars(\Modules\ProjectManagement\Models\ProjectResponsibility::OTHER , ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('Other') ?>
                         </select>
-                    <td><input type="text" id="iUser" name="user" placeholder=""><td><button><?= $this->getText('Add', 0, 0); ?></button>
-                <tr><td colspan="3"><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>">
+                    <td><input type="text" id="iUser" name="user" placeholder=""><td><button><?= $this->getHtml('Add', 0, 0); ?></button>
+                <tr><td colspan="3"><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>">
             </table>
         </form>
     </div>
diff --git a/Theme/Backend/rnd-list.tpl.php b/Theme/Backend/rnd-list.tpl.php
index 8a52fbf..116f5b5 100644
--- a/Theme/Backend/rnd-list.tpl.php
+++ b/Theme/Backend/rnd-list.tpl.php
@@ -29,28 +29,28 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Projects'); ?></caption>
+                <caption><?= $this->getHtml('Projects') ?></caption>
                 <thead>
                 <tr>
-                    <td><?= $this->getText('ID', 0, 0); ?>
-                    <td><?= $this->getText('Status'); ?>
-                    <td class="wf-100"><?= $this->getText('Name'); ?>
-                    <td><?= $this->getText('Creator'); ?>
-                    <td><?= $this->getText('Created'); ?>
+                    <td><?= $this->getHtml('ID', 0, 0); ?>
+                    <td><?= $this->getHtml('Status') ?>
+                    <td class="wf-100"><?= $this->getHtml('Name') ?>
+                    <td><?= $this->getHtml('Creator') ?>
+                    <td><?= $this->getHtml('Created') ?>
                 <tfoot>
-                <tr><td colspan="5"><?= $footerView->render(); ?>
+                <tr><td colspan="5"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
                 <tbody>
                 <?php $c = 0; foreach ([] as $key => $value) : $c++;
                 $url = \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/backend/checklist/single?{?}&id=' . $value->getId()); ?>
                 <tr>
-                    <td><a href="<?= $url; ?>"><?= $value->getId(); ?></a>
-                    <td><a href="<?= $url; ?>"><?= $value->getName(); ?></a>
-                    <td><a href="<?= $url; ?>"><?= $value->getParent(); ?></a>
-                    <td><a href="<?= $url; ?>"><?= $value->getUnit(); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getId(), ENT_COMPAT, 'utf-8'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getName(), ENT_COMPAT, 'utf-8'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getParent(), ENT_COMPAT, 'utf-8'); ?></a>
+                    <td><a href="<?= $url; ?>"><?= htmlspecialchars($value->getUnit(), ENT_COMPAT, 'utf-8'); ?></a>
                         <?php endforeach; ?>
                         <?php if($c === 0) : ?>
                 <tr>
-                    <td colspan="5" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                    <td colspan="5" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                         <?php endif; ?>
             </table>
         </div>

getText('ID', 0, 0); ?> -	getText('Status'); ?> -	getText('Name'); ?> -	getText('Creator'); ?> -	getText('Created'); ?> +	getHtml('ID', 0, 0); ?> +	getHtml('Status') ?> +	getHtml('Name') ?> +	getHtml('Creator') ?> +	getHtml('Created') ?>
render(); ?> +
render(), ENT_COMPAT, 'utf-8'); ?>
getId(); ?> -	getName(); ?> -	getParent(); ?> -	getUnit(); ?> +	getId(), ENT_COMPAT, 'utf-8'); ?> +	getName(), ENT_COMPAT, 'utf-8'); ?> +	getParent(), ENT_COMPAT, 'utf-8'); ?> +	getUnit(), ENT_COMPAT, 'utf-8'); ?>
getText('Empty', 0, 0); ?> +					getHtml('Empty', 0, 0); ?>