From b244522e22c3a9d5ec40bde0c320ad73b67db498 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Mon, 24 Jul 2017 20:48:22 +0200
Subject: [PATCH] Add html escaping

---
 Theme/Backend/dashboard-task.tpl.php | 16 ++++-----
 Theme/Backend/task-analysis.tpl.php  | 30 ++++++++--------
 Theme/Backend/task-create.tpl.php    | 42 +++++++++++-----------
 Theme/Backend/task-dashboard.tpl.php | 52 ++++++++++++++--------------
 Theme/Backend/task-single.tpl.php    | 52 ++++++++++++++--------------
 5 files changed, 96 insertions(+), 96 deletions(-)
diff --git a/Theme/Backend/dashboard-task.tpl.php b/Theme/Backend/dashboard-task.tpl.php
index 70699a3..9d39779 100644
--- a/Theme/Backend/dashboard-task.tpl.php
+++ b/Theme/Backend/dashboard-task.tpl.php
@@ -21,11 +21,11 @@ $tasks = $this->getData('tasks');
 <div id="task-dashboard" class="col-xs-12 col-md-6" draggable="true">
     <div class="box wf-100">
         <table class="table red">
-            <caption><?= $this->getText('Tasks'); ?></caption>
+            <caption><?= $this->getHtml('Tasks') ?></caption>
             <thead>
-            <td><?= $this->getText('Status'); ?>
-            <td><?= $this->getText('Due'); ?>
-            <td class="full"><?= $this->getText('Title'); ?>
+            <td><?= $this->getHtml('Status') ?>
+            <td><?= $this->getHtml('Due') ?>
+            <td class="full"><?= $this->getHtml('Title') ?>
             <tfoot>
             <tbody>
             <?php $c = 0; foreach($tasks as $key => $task) : $c++;
@@ -37,11 +37,11 @@ $tasks = $this->getData('tasks');
             elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::CANCELED) { $color = 'red'; }
             elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::SUSPENDED) { $color = 'yellow'; } ;?>
             <tr data-href="<?= $url; ?>">
-                <td><a href="<?= $url; ?>"><span class="tag <?= $color; ?>"><?= $this->getText('S' . $task->getStatus()); ?></span></a>
-                <td><a href="<?= $url; ?>"><?= $task->getDue()->format('Y-m-d H:i'); ?></a>
-                <td><a href="<?= $url; ?>"><?= $task->getTitle(); ?></a>
+                <td><a href="<?= $url; ?>"><span class="tag <?= htmlspecialchars($color, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('S' . $task->getStatus()) ?></span></a>
+                <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></a>
+                <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getTitle(), ENT_COMPAT, 'utf-8'); ?></a>
                     <?php endforeach; if($c == 0) : ?>
-            <tr><td colspan="6" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+            <tr><td colspan="6" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                     <?php endif; ?>
         </table>
     </div>
diff --git a/Theme/Backend/task-analysis.tpl.php b/Theme/Backend/task-analysis.tpl.php
index 58daeca..df0002a 100644
--- a/Theme/Backend/task-analysis.tpl.php
+++ b/Theme/Backend/task-analysis.tpl.php
@@ -20,17 +20,17 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Account'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Account') ?></h1></header>
             <div class="inner">
                 <form>
                     <table class="layout wf-100">
-                        <tr><td><label for="iAccount"><?= $this->getText('Account'); ?></label>
+                        <tr><td><label for="iAccount"><?= $this->getHtml('Account') ?></label>
                         <tr><td><span class="input"><button type="button" formaction=""><i class="fa fa-book"></i></button><input type="number" min="1" id="iAccount" name="account" placeholder="&#xf007; Guest" required></span>
-                        <tr><td><label for="iFrom"><?= $this->getText('From'); ?></label>
-                        <tr><td><input type="datetime-local" id="iFrom" name="from" value="<?= (new \DateTime('NOW'))->format('Y-m-d\TH:i:s') ?>">
-                        <tr><td><label for="iTo"><?= $this->getText('To'); ?></label>
-                        <tr><td><input type="datetime-local" id="iTo" name="to" value="<?= (new \DateTime('NOW'))->format('Y-m-d\TH:i:s') ?>">
-                        <tr><td><input type="submit" value="<?= $this->getText('Submit', 0, 0); ?>">
+                        <tr><td><label for="iFrom"><?= $this->getHtml('From') ?></label>
+                        <tr><td><input type="datetime-local" id="iFrom" name="from" value="<?= htmlspecialchars((new \DateTime('NOW'))->format('Y-m-d\TH:i:s') , ENT_COMPAT, 'utf-8'); ?>">
+                        <tr><td><label for="iTo"><?= $this->getHtml('To') ?></label>
+                        <tr><td><input type="datetime-local" id="iTo" name="to" value="<?= htmlspecialchars((new \DateTime('NOW'))->format('Y-m-d\TH:i:s') , ENT_COMPAT, 'utf-8'); ?>">
+                        <tr><td><input type="submit" value="<?= $this->getHtml('Submit', 0, 0); ?>">
                     </table>
                 </form>
             </div>
@@ -39,15 +39,15 @@ echo $this->getData('nav')->render(); ?>
 
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Statistics'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Statistics') ?></h1></header>
             <div class="inner">
                 <table class="list wf-100">
-                    <tr><td><?= $this->getText('Received'); ?><td>0
-                    <tr><td><?= $this->getText('Created'); ?><td>0
-                    <tr><td><?= $this->getText('Forwarded'); ?><td>0
-                    <tr><td><?= $this->getText('AverageAmount'); ?><td>0
-                    <tr><td><?= $this->getText('AverageProcessTime'); ?><td>0
-                    <tr><td><?= $this->getText('InTime'); ?><td>0
+                    <tr><td><?= $this->getHtml('Received') ?><td>0
+                    <tr><td><?= $this->getHtml('Created') ?><td>0
+                    <tr><td><?= $this->getHtml('Forwarded') ?><td>0
+                    <tr><td><?= $this->getHtml('AverageAmount') ?><td>0
+                    <tr><td><?= $this->getHtml('AverageProcessTime') ?><td>0
+                    <tr><td><?= $this->getHtml('InTime') ?><td>0
                 </table>
             </div>
         </section>
@@ -57,7 +57,7 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('History'); ?></h1></header>
+            <header><h1><?= $this->getHtml('History') ?></h1></header>
             <div class="inner" style="height: 300px">
             </div>
         </section>
diff --git a/Theme/Backend/task-create.tpl.php b/Theme/Backend/task-create.tpl.php
index fc39f3c..c22b773 100644
--- a/Theme/Backend/task-create.tpl.php
+++ b/Theme/Backend/task-create.tpl.php
@@ -20,32 +20,32 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Task'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Task') ?></h1></header>
 
             <div class="inner">
                 <form id="fTask" method="POST" action="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/api/task?{?}&csrf={$CSRF}'); ?>">
                     <table class="layout wf-100">
                         <tbody>
-                        <tr><td colspan="2"><label for="iReceiver"><?= $this->getText('To'); ?></label>
-                        <tr><td><?= $this->getData('accGrpSelector')->render('iReceiver'); ?><td><button><?= $this->getText('Add', 0, 0); ?></button>
-                        <tr><td colspan="2"><label for="iObserver"><?= $this->getText('CC'); ?></label>
-                        <tr><td><?= $this->getData('accGrpSelector')->render('iCC'); ?><td><button><?= $this->getText('Add', 0, 0); ?></button>
-                        <tr><td colspan="2"><label for="iPriority"><?= $this->getText('Priority'); ?></label>
+                        <tr><td colspan="2"><label for="iReceiver"><?= $this->getHtml('To') ?></label>
+                        <tr><td><?= $this->getData('accGrpSelector')->render('iReceiver'); ?><td><button><?= $this->getHtml('Add', 0, 0); ?></button>
+                        <tr><td colspan="2"><label for="iObserver"><?= $this->getHtml('CC') ?></label>
+                        <tr><td><?= $this->getData('accGrpSelector')->render('iCC'); ?><td><button><?= $this->getHtml('Add', 0, 0); ?></button>
+                        <tr><td colspan="2"><label for="iPriority"><?= $this->getHtml('Priority') ?></label>
                         <tr><td><select id="iPriority" name="priority">
-                                <option value="<?= \Modules\Tasks\Models\TaskPriority::VLOW; ?>"><?= $this->getText('P1'); ?>
-                                <option value="<?= \Modules\Tasks\Models\TaskPriority::LOW; ?>"><?= $this->getText('P2'); ?>
-                                <option value="<?= \Modules\Tasks\Models\TaskPriority::MEDIUM; ?>" selected><?= $this->getText('P3'); ?>
-                                <option value="<?= \Modules\Tasks\Models\TaskPriority::HIGH; ?>"><?= $this->getText('P4'); ?>
-                                <option value="<?= \Modules\Tasks\Models\TaskPriority::VHIGH; ?>"><?= $this->getText('P5'); ?>Done
+                                <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskPriority::VLOW, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('P1') ?>
+                                <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskPriority::LOW, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('P2') ?>
+                                <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskPriority::MEDIUM, ENT_COMPAT, 'utf-8'); ?>" selected><?= $this->getHtml('P3') ?>
+                                <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskPriority::HIGH, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('P4') ?>
+                                <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskPriority::VHIGH, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('P5') ?>Done
                             </select><td>
-                        <tr><td colspan="2"><label for="iDue"><?= $this->getText('Due'); ?></label>
-                        <tr><td><input type="datetime-local" id="iDue" name="due" value="<?= (new \DateTime('NOW'))->format('Y-m-d\TH:i:s') ?>"><td>
-                        <tr><td colspan="2"><label for="iTitle"><?= $this->getText('Title'); ?></label>
-                        <tr><td><input type="text" id="iTitle" name="title" placeholder="&#xf040; <?= $this->getText('Title'); ?>" required><td>
-                        <tr><td colspan="2"><label for="iMessage"><?= $this->getText('Message'); ?></label>
+                        <tr><td colspan="2"><label for="iDue"><?= $this->getHtml('Due') ?></label>
+                        <tr><td><input type="datetime-local" id="iDue" name="due" value="<?= htmlspecialchars((new \DateTime('NOW'))->format('Y-m-d\TH:i:s') , ENT_COMPAT, 'utf-8'); ?>"><td>
+                        <tr><td colspan="2"><label for="iTitle"><?= $this->getHtml('Title') ?></label>
+                        <tr><td><input type="text" id="iTitle" name="title" placeholder="&#xf040; <?= $this->getHtml('Title') ?>" required><td>
+                        <tr><td colspan="2"><label for="iMessage"><?= $this->getHtml('Message') ?></label>
                         <tr><td><?php //include __DIR__ . '/../../../Editor/Theme/Backend/inline-editor-tools.tpl.php'; ?>
                         <tr><td><textarea id="iMessage" name="description" placeholder="&#xf040;" required></textarea><td>
-                        <tr><td colspan="2"><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>"><input type="hidden" name="type" value="<?= \Modules\Tasks\Models\TaskType::SINGLE; ?>">
+                        <tr><td colspan="2"><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>"><input type="hidden" name="type" value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskType::SINGLE, ENT_COMPAT, 'utf-8'); ?>">
                     </table>
                 </form>
             </div>
@@ -54,15 +54,15 @@ echo $this->getData('nav')->render(); ?>
 
     <div class="col-xs-12 col-md-6">
         <section class="box wf-100">
-            <header><h1><?= $this->getText('Media'); ?></h1></header>
+            <header><h1><?= $this->getHtml('Media') ?></h1></header>
 
             <div class="inner">
                 <form>
                     <table class="layout wf-100">
                         <tbody>
-                        <tr><td colspan="2"><label for="iMedia"><?= $this->getText('Media'); ?></label>
-                        <tr><td><input type="text" id="iMedia" placeholder="&#xf15b; File"><td><button><?= $this->getText('Select'); ?></button>
-                        <tr><td colspan="2"><label for="iUpload"><?= $this->getText('Upload'); ?></label>
+                        <tr><td colspan="2"><label for="iMedia"><?= $this->getHtml('Media') ?></label>
+                        <tr><td><input type="text" id="iMedia" placeholder="&#xf15b; File"><td><button><?= $this->getHtml('Select') ?></button>
+                        <tr><td colspan="2"><label for="iUpload"><?= $this->getHtml('Upload') ?></label>
                         <tr><td><input type="file" id="iUpload" form="fTask"><input form="fTask" type="hidden" name="type"><td>
                     </table>
                 </form>
diff --git a/Theme/Backend/task-dashboard.tpl.php b/Theme/Backend/task-dashboard.tpl.php
index 7ffb574..4f5de3a 100644
--- a/Theme/Backend/task-dashboard.tpl.php
+++ b/Theme/Backend/task-dashboard.tpl.php
@@ -23,13 +23,13 @@ echo $this->getData('nav')->render(); ?>
     <div class="col-xs-12 col-md-9">
         <div class="box wf-100">
             <table class="table red">
-                <caption><?= $this->getText('Tasks'); ?></caption>
+                <caption><?= $this->getHtml('Tasks') ?></caption>
                 <thead>
-                    <td><?= $this->getText('Status'); ?>
-                    <td><?= $this->getText('Due'); ?>
-                    <td class="full"><?= $this->getText('Title'); ?>
-                    <td><?= $this->getText('Creator'); ?>
-                    <td><?= $this->getText('Created'); ?>
+                    <td><?= $this->getHtml('Status') ?>
+                    <td><?= $this->getHtml('Due') ?>
+                    <td class="full"><?= $this->getHtml('Title') ?>
+                    <td><?= $this->getHtml('Creator') ?>
+                    <td><?= $this->getHtml('Created') ?>
                 <tfoot>
                 <tbody>
                 <?php $c = 0; foreach($tasks as $key => $task) : $c++;
@@ -41,13 +41,13 @@ echo $this->getData('nav')->render(); ?>
                 elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::CANCELED) { $color = 'red'; }
                 elseif($task->getStatus() === \Modules\Tasks\Models\TaskStatus::SUSPENDED) { $color = 'yellow'; } ;?>
                     <tr data-href="<?= $url; ?>">
-                        <td><a href="<?= $url; ?>"><span class="tag <?= $color; ?>"><?= $this->getText('S' . $task->getStatus()); ?></span></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getDue()->format('Y-m-d H:i'); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getTitle(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getCreatedBy()->getName1(); ?></a>
-                        <td><a href="<?= $url; ?>"><?= $task->getCreatedAt()->format('Y-m-d H:i'); ?></a>
+                        <td><a href="<?= $url; ?>"><span class="tag <?= htmlspecialchars($color, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('S' . $task->getStatus()) ?></span></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getTitle(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getCreatedBy()->getName1(), ENT_COMPAT, 'utf-8'); ?></a>
+                        <td><a href="<?= $url; ?>"><?= htmlspecialchars($task->getCreatedAt()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></a>
                 <?php endforeach; if($c == 0) : ?>
-                <tr><td colspan="6" class="empty"><?= $this->getText('Empty', 0, 0); ?>
+                <tr><td colspan="6" class="empty"><?= $this->getHtml('Empty', 0, 0); ?>
                 <?php endif; ?>
             </table>
         </div>
@@ -55,17 +55,17 @@ echo $this->getData('nav')->render(); ?>
 
     <div class="col-xs-12 col-md-3">
             <section class="box wf-100">
-                <header><h1><?= $this->getText('Settings'); ?></h1></header>
+                <header><h1><?= $this->getHtml('Settings') ?></h1></header>
                 <div class="inner">
                     <form>
                         <table class="layout wf-100">
-                            <tr><td><label for="iIntervarl"><?= $this->getText('Interval'); ?></label>
+                            <tr><td><label for="iIntervarl"><?= $this->getHtml('Interval') ?></label>
                             <tr><td><select id="iIntervarl" name="interval">
-                                        <option><?= $this->getText('All'); ?>
-                                        <option><?= $this->getText('Day'); ?>
-                                        <option><?= $this->getText('Week'); ?>
-                                        <option selected><?= $this->getText('Month'); ?>
-                                        <option><?= $this->getText('Year'); ?>
+                                        <option><?= $this->getHtml('All') ?>
+                                        <option><?= $this->getHtml('Day') ?>
+                                        <option><?= $this->getHtml('Week') ?>
+                                        <option selected><?= $this->getHtml('Month') ?>
+                                        <option><?= $this->getHtml('Year') ?>
                                     </select>
                         </table>
                     </form>
@@ -73,15 +73,15 @@ echo $this->getData('nav')->render(); ?>
             </section>
 
             <section class="box wf-100">
-                <header><h1><?= $this->getText('Settings'); ?></h1></header>
+                <header><h1><?= $this->getHtml('Settings') ?></h1></header>
                 <div class="inner">
                     <table class="list">
-                        <tr><th><?= $this->getText('Received'); ?><td>0
-                        <tr><th><?= $this->getText('Created'); ?><td>0
-                        <tr><th><?= $this->getText('Forwarded'); ?><td>0
-                        <tr><th><?= $this->getText('AverageAmount'); ?><td>0
-                        <tr><th><?= $this->getText('AverageProcessTime'); ?><td>0
-                        <tr><th><?= $this->getText('InTime'); ?><td>0
+                        <tr><th><?= $this->getHtml('Received') ?><td>0
+                        <tr><th><?= $this->getHtml('Created') ?><td>0
+                        <tr><th><?= $this->getHtml('Forwarded') ?><td>0
+                        <tr><th><?= $this->getHtml('AverageAmount') ?><td>0
+                        <tr><th><?= $this->getHtml('AverageProcessTime') ?><td>0
+                        <tr><th><?= $this->getHtml('InTime') ?><td>0
                     </table>
                 </div>
             </section>
diff --git a/Theme/Backend/task-single.tpl.php b/Theme/Backend/task-single.tpl.php
index 735d634..9cbe343 100644
--- a/Theme/Backend/task-single.tpl.php
+++ b/Theme/Backend/task-single.tpl.php
@@ -30,20 +30,20 @@ echo $this->getData('nav')->render(); ?>
 <div class="row">
     <div class="col-xs-12">
         <section class="box wf-100">
-            <header><h1><?= $task->getTitle(); ?></h1></header>
+            <header><h1><?= htmlspecialchars($task->getTitle(), ENT_COMPAT, 'utf-8'); ?></h1></header>
             <div class="inner">
-                <div class="floatRight">Due <?= $task->getDue()->format('Y-m-d H:i'); ?></div>
-                <div>Created <?= $task->getCreatedAt()->format('Y-m-d H:i'); ?></div>
+                <div class="floatRight">Due <?= htmlspecialchars($task->getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></div>
+                <div>Created <?= htmlspecialchars($task->getCreatedAt()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></div>
             </div>
             <div class="inner">
                 <blockquote>
-                    <?= $task->getDescription(); ?>
+                    <?= htmlspecialchars($task->getDescription(), ENT_COMPAT, 'utf-8'); ?>
                 </blockquote>
             </div>
             <div class="inner">
                 <div class="pAlignTable">
-                    <div class="vCenterTable wf-100">Created <?= $task->getCreatedBy()->getName1(); ?></div>
-                    <span class="vCenterTable nobreak tag <?= $color; ?>"><?= $this->getText('S' . $task->getStatus()); ?></span>
+                    <div class="vCenterTable wf-100">Created <?= htmlspecialchars($task->getCreatedBy()->getName1(), ENT_COMPAT, 'utf-8'); ?></div>
+                    <span class="vCenterTable nobreak tag <?= htmlspecialchars($color, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('S' . $task->getStatus()) ?></span>
                 </div>
             </div>
         </section>
@@ -57,27 +57,27 @@ echo $this->getData('nav')->render(); ?>
             elseif($element->getStatus() === \Modules\Tasks\Models\TaskStatus::SUSPENDED) { $color = 'yellow'; } ?>
             <section class="box wf-100">
                 <div class="inner pAlignTable">
-                    <div class="vCenterTable wf-100"><?= $element->getCreatedBy()->getName1(); ?> - <?= $element->getCreatedAt()->format('Y-m-d H:i'); ?></div>
-                    <span class="vCenterTable tag <?= $color; ?>"><?= $this->getText('S' . $element->getStatus()); ?></span>
+                    <div class="vCenterTable wf-100"><?= htmlspecialchars($element->getCreatedBy()->getName1(), ENT_COMPAT, 'utf-8'); ?> - <?= htmlspecialchars($element->getCreatedAt()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></div>
+                    <span class="vCenterTable tag <?= htmlspecialchars($color, ENT_COMPAT, 'utf-8'); ?>"><?= $this->getHtml('S' . $element->getStatus()) ?></span>
                 </div>
 
             <?php if ($element->getDescription() !== '') : ?>
                     <div class="inner">
                         <blockquote>
-                            <?= $element->getDescription(); ?>
+                            <?= htmlspecialchars($element->getDescription(), ENT_COMPAT, 'utf-8'); ?>
                         </blockquote>
                     </div>
             <?php endif; ?>
 
                 <div class="inner pAlignTable">
                 <?php if ($element->getForwarded() !== 0) : ?>
-                    <div class="vCenterTable wf-100">Forwarded <?= $element->getForwarded()->getName1(); ?></div>
+                    <div class="vCenterTable wf-100">Forwarded <?= htmlspecialchars($element->getForwarded()->getName1(), ENT_COMPAT, 'utf-8'); ?></div>
                 <?php endif; ?>
                 <?php if ($element->getStatus() !== \Modules\Tasks\Models\TaskStatus::CANCELED ||
                     $element->getStatus() !== \Modules\Tasks\Models\TaskStatus::DONE ||
                     $element->getStatus() !== \Modules\Tasks\Models\TaskStatus::SUSPENDED || $c != $cElements
                 ) : ?>
-                    <div class="vCenterTable nobreak">Due <?= $element->getDue()->format('Y-m-d H:i'); ?></div>
+                    <div class="vCenterTable nobreak">Due <?= htmlspecialchars($element->getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?></div>
                 <?php endif; ?>
             </section>
         <?php endforeach; ?>
@@ -86,25 +86,25 @@ echo $this->getData('nav')->render(); ?>
             <div class="inner">
                 <form id="taskElementCreate" method="POST" action="<?= \phpOMS\Uri\UriFactory::build('{/base}/{/lang}/api/task/element?{?}&csrf={$CSRF}'); ?>">
                     <table class="layout wf-100">
-                        <tr><td><label for="iMessage"><?= $this->getText('Message'); ?></label>
+                        <tr><td><label for="iMessage"><?= $this->getHtml('Message') ?></label>
                         <tr><td><textarea id="iMessage" name="description"></textarea>
-                        <tr><td><label for="iDue"><?= $this->getText('Due'); ?></label>
-                        <tr><td><input type="datetime-local" id="iDue" name="due" value="<?= !empty($elements) ? end($elements)->getDue()->format('Y-m-d\TH:i:s') : $task->getDue()->format('Y-m-d\TH:i:s'); ?>">
-                        <tr><td><label for="iStatus"><?= $this->getText('Status'); ?></label>
+                        <tr><td><label for="iDue"><?= $this->getHtml('Due') ?></label>
+                        <tr><td><input type="datetime-local" id="iDue" name="due" value="<?= htmlspecialchars(!empty($elements) ? end($elements)->getDue()->format('Y-m-d\TH:i:s') : $task->getDue()->format('Y-m-d\TH:i:s'), ENT_COMPAT, 'utf-8'); ?>">
+                        <tr><td><label for="iStatus"><?= $this->getHtml('Status') ?></label>
                         <tr><td><select id="iStatus" name="status">
-                                    <option value="<?= \Modules\Tasks\Models\TaskStatus::OPEN; ?>" selected>Open
-                                    <option value="<?= \Modules\Tasks\Models\TaskStatus::WORKING; ?>">Working
-                                    <option value="<?= \Modules\Tasks\Models\TaskStatus::SUSPENDED; ?>">Suspended
-                                    <option value="<?= \Modules\Tasks\Models\TaskStatus::CANCELED; ?>">Canceled
-                                    <option value="<?= \Modules\Tasks\Models\TaskStatus::DONE; ?>">Done
+                                    <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskStatus::OPEN, ENT_COMPAT, 'utf-8'); ?>" selected>Open
+                                    <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskStatus::WORKING, ENT_COMPAT, 'utf-8'); ?>">Working
+                                    <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskStatus::SUSPENDED, ENT_COMPAT, 'utf-8'); ?>">Suspended
+                                    <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskStatus::CANCELED, ENT_COMPAT, 'utf-8'); ?>">Canceled
+                                    <option value="<?= htmlspecialchars(\Modules\Tasks\Models\TaskStatus::DONE, ENT_COMPAT, 'utf-8'); ?>">Done
                                 </select>
-                        <tr><td><label for="iReceiver"><?= $this->getText('To'); ?></label>
-                        <tr><td><input type="text" id="iReceiver" name="forward" value="<?= $this->request->getAccount(); ?>" placeholder="&#xf007; Guest">
-                        <tr><td colspan="2"><label for="iMedia"><?= $this->getText('Media'); ?></label>
-                        <tr><td><input type="text" id="iMedia" placeholder="&#xf15b; File"><td><button><?= $this->getText('Select'); ?></button>
-                        <tr><td colspan="2"><label for="iUpload"><?= $this->getText('Upload'); ?></label>
+                        <tr><td><label for="iReceiver"><?= $this->getHtml('To') ?></label>
+                        <tr><td><input type="text" id="iReceiver" name="forward" value="<?= htmlspecialchars($this->request->getAccount(), ENT_COMPAT, 'utf-8'); ?>" placeholder="&#xf007; Guest">
+                        <tr><td colspan="2"><label for="iMedia"><?= $this->getHtml('Media') ?></label>
+                        <tr><td><input type="text" id="iMedia" placeholder="&#xf15b; File"><td><button><?= $this->getHtml('Select') ?></button>
+                        <tr><td colspan="2"><label for="iUpload"><?= $this->getHtml('Upload') ?></label>
                         <tr><td><input type="file" id="iUpload" form="fTask"><input form="fTask" type="hidden" name="type"><td>
-                        <tr><td><input type="submit" value="<?= $this->getText('Create', 0, 0); ?>"><input type="hidden" name="task" value="<?= $this->request->getData('id') ?>"><input type="hidden" name="type" value="1">
+                        <tr><td><input type="submit" value="<?= $this->getHtml('Create', 0, 0); ?>"><input type="hidden" name="task" value="<?= htmlspecialchars($this->request->getData('id')); ?>"><input type="hidden" name="type" value="1">
                     </table>
                 </form>
             </div>

getText('Status'); ?> -	getText('Due'); ?> -	getText('Title'); ?> +	getHtml('Status') ?> +	getHtml('Due') ?> +	getHtml('Title') ?>
getText('S' . $task->getStatus()); ?> -	getDue()->format('Y-m-d H:i'); ?> -	getTitle(); ?> +	getHtml('S' . $task->getStatus()) ?> +	getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?> +	getTitle(), ENT_COMPAT, 'utf-8'); ?> -
getText('Empty', 0, 0); ?> +
getHtml('Empty', 0, 0); ?>
getText('Received'); ?>	0 -
getText('Created'); ?>	0 -
getText('Forwarded'); ?>	0 -
getText('AverageAmount'); ?>	0 -
getText('AverageProcessTime'); ?>	0 -
getText('InTime'); ?>	0 +
getHtml('Received') ?>	0 +
getHtml('Created') ?>	0 +
getHtml('Forwarded') ?>	0 +
getHtml('AverageAmount') ?>	0 +
getHtml('AverageProcessTime') ?>	0 +
getHtml('InTime') ?>	0
getText('Status'); ?> -	getText('Due'); ?> -	getText('Title'); ?> -	getText('Creator'); ?> -	getText('Created'); ?> +	getHtml('Status') ?> +	getHtml('Due') ?> +	getHtml('Title') ?> +	getHtml('Creator') ?> +	getHtml('Created') ?>
getText('S' . $task->getStatus()); ?> -	getDue()->format('Y-m-d H:i'); ?> -	getTitle(); ?> -	getCreatedBy()->getName1(); ?> -	getCreatedAt()->format('Y-m-d H:i'); ?> +	getHtml('S' . $task->getStatus()) ?> +	getDue()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?> +	getTitle(), ENT_COMPAT, 'utf-8'); ?> +	getCreatedBy()->getName1(), ENT_COMPAT, 'utf-8'); ?> +	getCreatedAt()->format('Y-m-d H:i'), ENT_COMPAT, 'utf-8'); ?> -
getText('Empty', 0, 0); ?> +
getHtml('Empty', 0, 0); ?>