From afae8b100d448fae0d20ef3a85f3a69eead4cabf Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/surveys-create.tpl.php | 40 ++++++++++++++--------------
 Theme/Backend/surveys-list.tpl.php   | 14 +++++-----
 2 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/Theme/Backend/surveys-create.tpl.php b/Theme/Backend/surveys-create.tpl.php
index b2344e6..0c6d141 100644
--- a/Theme/Backend/surveys-create.tpl.php
+++ b/Theme/Backend/surveys-create.tpl.php
@@ -15,42 +15,42 @@
 echo $this->getData('nav')->render(); ?>
 
 <section class="box w-50 floatLeft">
-    <header><h1><?= $this->getText('Survey') ?></h1></header>
+    <header><h1><?= $this->getHtml('Survey'); ?></h1></header>
     <div class="inner">
         <form>
             <table class="layout wf-100">
-                <tr><td colspan="3"><label for="iName"><?= $this->getText('Name') ?><label>
+                <tr><td colspan="3"><label for="iName"><?= $this->getHtml('Name'); ?><label>
                 <tr><td colspan="2"><input type="text" id="iName" name="name" required><td>
-                <tr><td><label for="iStart"><?= $this->getText('Start') ?><label><td><label for="iEnd"><?= $this->getText('End') ?><label><td>
+                <tr><td><label for="iStart"><?= $this->getHtml('Start'); ?><label><td><label for="iEnd"><?= $this->getHtml('End'); ?><label><td>
                 <tr><td><input type="datetime-local" id="iStart" name="start" required><td><input type="datetime-local" id="iEnd" name="end" required><td>
-                <tr><td colspan="3"><label for="iDesc"><?= $this->getText('Description') ?><label>
+                <tr><td colspan="3"><label for="iDesc"><?= $this->getHtml('Description'); ?><label>
                 <tr><td colspan="2"><textarea id="iDesc" name="desc"></textarea><td>
-                <tr><td colspan="3"><span class="check"><input type="checkbox" id="iResult" name="result"><label for="iResult"><?= $this->getText('ResultPublic') ?><label></span>
-                <tr><td><label for="iResponsibility"><?= $this->getText('Responsibility') ?><label><td colspan="2"><label for="iPerm"><?= $this->getText('UserGroup') ?><label>
+                <tr><td colspan="3"><span class="check"><input type="checkbox" id="iResult" name="result"><label for="iResult"><?= $this->getHtml('ResultPublic'); ?><label></span>
+                <tr><td><label for="iResponsibility"><?= $this->getHtml('Responsibility'); ?><label><td colspan="2"><label for="iPerm"><?= $this->getHtml('UserGroup'); ?><label>
                 <tr><td><select id="iResponsibility" name="responsibility">
-                        <option value=""><?= $this->getText('Questionee') ?>
-                        <option value=""><?= $this->getText('Manager') ?>
-                    </select><td><span class="input"><button type="button" formaction=""><i class="fa fa-book"></i></button><input type="text" id="iPerm" name="permission"></span><td><button><?= $this->getText('Add', 0, 0) ?></button>
-                <tr><td colspan="3"><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>">
+                        <option value=""><?= $this->getHtml('Questionee'); ?>
+                        <option value=""><?= $this->getHtml('Manager'); ?>
+                    </select><td><span class="input"><button type="button" formaction=""><i class="fa fa-book"></i></button><input type="text" id="iPerm" name="permission"></span><td><button><?= $this->getHtml('Add', 0, 0); ?></button>
+                <tr><td colspan="3"><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>">
             </table>
         </form>
     </div>
 </section>
 
 <section class="box w-50 floatLeft">
-    <header><h1><?= $this->getText('Section') ?></h1></header>
+    <header><h1><?= $this->getHtml('Section'); ?></h1></header>
     <div class="inner">
         <form>
             <table class="layout wf-100">
-                <tr><td colspan="2"><label for="iSection"><?= $this->getText('Section') ?><label>
+                <tr><td colspan="2"><label for="iSection"><?= $this->getHtml('Section'); ?><label>
                 <tr><td colspan="2"><input type="text" id="iSection" name="section">
-                <tr><td colspan="2"><label for="iSDesc"><?= $this->getText('Description') ?><label>
+                <tr><td colspan="2"><label for="iSDesc"><?= $this->getHtml('Description'); ?><label>
                 <tr><td colspan="2"><textarea id="iSDesc" name="sdesc"></textarea>
-                <tr><td colspan="2"><label for="iSType"><?= $this->getText('Type') ?><label>
+                <tr><td colspan="2"><label for="iSType"><?= $this->getHtml('Type'); ?><label>
                 <tr><td colspan="2"><select id="iSType" name="stype">
                             <option>
                         </select>
-                <tr><td colspan="2"><input type="submit" value="<?= $this->getText('Add', 0, 0) ?>">
+                <tr><td colspan="2"><input type="submit" value="<?= $this->getHtml('Add', 0, 0); ?>">
             </table>
         </form>
     </div>
@@ -58,19 +58,19 @@ echo $this->getData('nav')->render(); ?>
 
 
 <section class="box w-50 floatLeft">
-    <header><h1><?= $this->getText('Question') ?></h1></header>
+    <header><h1><?= $this->getHtml('Question'); ?></h1></header>
     <div class="inner">
         <form>
             <table class="layout wf-100">
-                <tr><td colspan="2"><label for="iQuestion"><?= $this->getText('Question') ?><label>
+                <tr><td colspan="2"><label for="iQuestion"><?= $this->getHtml('Question'); ?><label>
                 <tr><td colspan="2"><input type="text" id="iQuestion" name="question">
-                <tr><td colspan="2"><label for="iQDesc"><?= $this->getText('Description') ?><label>
+                <tr><td colspan="2"><label for="iQDesc"><?= $this->getHtml('Description'); ?><label>
                 <tr><td colspan="2"><textarea id="iQDesc" name="qdesc"></textarea>
-                <tr><td colspan="2"><label for="iQSection"><?= $this->getText('Section') ?><label>
+                <tr><td colspan="2"><label for="iQSection"><?= $this->getHtml('Section'); ?><label>
                 <tr><td colspan="2"><select id="iQSection" name="iqsection">
                                             <option>
                                     </select>
-                <tr><td colspan="2"><input type="submit" value="<?= $this->getText('Add', 0, 0) ?>">
+                <tr><td colspan="2"><input type="submit" value="<?= $this->getHtml('Add', 0, 0); ?>">
             </table>
         </form>
     </div>
diff --git a/Theme/Backend/surveys-list.tpl.php b/Theme/Backend/surveys-list.tpl.php
index e942edc..cd5e878 100644
--- a/Theme/Backend/surveys-list.tpl.php
+++ b/Theme/Backend/surveys-list.tpl.php
@@ -22,21 +22,21 @@ echo $this->getData('nav')->render(); ?>
 
 <div class="box w-100">
     <table class="table red">
-        <caption><?= $this->getText('Surveys') ?></caption>
+        <caption><?= $this->getHtml('Surveys'); ?></caption>
         <thead>
         <tr>
-            <td><?= $this->getText('Status'); ?>
-            <td class="wf-100"><?= $this->getText('Title'); ?>
-            <td><?= $this->getText('Created'); ?>
-            <td><?= $this->getText('Creator'); ?>
+            <td><?= $this->getHtml('Status') ?>
+            <td class="wf-100"><?= $this->getHtml('Title') ?>
+            <td><?= $this->getHtml('Created') ?>
+            <td><?= $this->getHtml('Creator') ?>
         <tfoot>
         <tr>
-            <td colspan="4"><?= $footerView->render(); ?>
+            <td colspan="4"><?= htmlspecialchars($footerView->render(), ENT_COMPAT, 'utf-8'); ?>
         <tbody>
         <?php $count = 0; foreach([] as $key => $value) : $count++; ?>
         <?php endforeach; ?>
         <?php if($count === 0) : ?>
-        <tr><td colspan="4" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+        <tr><td colspan="4" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
     </table>
 </div>