Commit 4f00758d authored by Richard Mansfield's avatar Richard Mansfield

Fix eval'ed templates in admin/users/search.php for auto_escape


Signed-off-by: default avatarRichard Mansfield <richardm@catalyst.net.nz>
parent 08d8b8b1
......@@ -287,7 +287,7 @@ function build_admin_user_search_results($search, $offset, $limit, $sortby, $sor
. '&amp;limit=' . $limit;
$usernametemplate = '<a href="' . get_config('wwwroot')
. '{if $USER->is_admin_for_user($r.id)}admin/users/edit.php?id={$r.id}{else}user/view.php?id={$r.id}{/if}">{$r.username|escape}</a>';
. '{if $USER->is_admin_for_user($r.id)}admin/users/edit.php?id={$r.id}{else}user/view.php?id={$r.id}{/if}">{$r.username}</a>';
$cols = array(
'icon' => array('name' => '',
......@@ -303,7 +303,7 @@ function build_admin_user_search_results($search, $offset, $limit, $sortby, $sor
$institutions = get_records_assoc('institution', '', '', '', 'name,displayname');
if (count($institutions) > 1) {
$cols['institution'] = array('name' => get_string('institution'),
'template' => '{auto_escape off}{if empty($r.institutions)}{$institutions.mahara->displayname}{else}{foreach from=$r.institutions item=i}<div>{$institutions[$i]->displayname}</div>{/foreach}{/if}{if !empty($r.requested)}{foreach from=$r.requested item=i}<div class="pending">{str tag=requestto section=admin} {$institutions[$i]->displayname}{if $USER->is_institutional_admin("$i")} (<a href="{$WWWROOT}admin/users/addtoinstitution.php?id={$r.id}&institution={$i}">{str tag=confirm section=admin}</a>){/if}</div>{/foreach}{/if}{if !empty($r.invitedby)}{foreach from=$r.invitedby item=i}<div class="pending">{str tag=invitedby section=admin} {$institutions[$i]->displayname}</div>{/foreach}{/if}{/auto_escape}');
'template' => '{if !$r.institutions}{$institutions.mahara->displayname}{else}{foreach from=$r.institutions item=i}<div>{$institutions[$i]->displayname}</div>{/foreach}{/if}{if !$r.requested}{foreach from=$r.requested item=i}<div class="pending">{str tag=requestto section=admin} {$institutions[$i]->displayname}{if $USER->is_institutional_admin("$i")} (<a href="{$WWWROOT}admin/users/addtoinstitution.php?id={$r.id}&institution={$i}">{str tag=confirm section=admin}</a>){/if}</div>{/foreach}{/if}{if !$r.invitedby}{foreach from=$r.invitedby item=i}<div class="pending">{str tag=invitedby section=admin} {$institutions[$i]->displayname}</div>{/foreach}{/if}');
}
$smarty = smarty_core();
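Review bot: The rewritten institution template appears to invert two of its guards: `{if !empty($r.requested)}` became `{if !$r.requested}` and `{if !empty($r.invitedby)}` became `{if !$r.invitedby}`, so the `foreach` blocks that list pending requests and invitations are entered only when the list is empty, and the "confirm" link never renders. This assumes the second of the two printed template lines is the new side, as the old-then-new order in the template's `-26,8 +25,18` hunk suggests. The guards should read `{if $r.requested}` and `{if $r.invitedby}`; the first guard, `{if !$r.institutions}`, is a faithful translation of `empty()`. build_admin_user_search_results starts and ends outside both hunks.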
......
{auto_escape off}
{if $results.data}
<h2>{str tag="Results"}</h2>
<table id="searchresults" class="tablerenderer fullwidth listing">
......@@ -7,7 +6,7 @@
{if ($pagelinks)}
<tr class="search-results-pages">
<td colspan="{$ncols}">
{$pagelinks}
{$pagelinks|safe}
</td>
</tr>
{/if}
......@@ -26,8 +25,18 @@
<tbody>
{foreach from=$results.data item=r}
<tr class="{cycle values="r0,r1"}">
{foreach from=$cols key=f item=c}
<td{if $c.class} class="{$c.class}"{/if}>{if !$c.template}{$r[$f]|escape}{else}{eval var=$c.template}{/if}</td>
{foreach from=$cols key=f item=c}{strip}
<td{if $c.class} class="{$c.class}"{/if}>
{if !$c.template}
{$r[$f]}
{else}
{auto_escape off}
{* auto_escape off seems to be required to eval these templates without errors;
somehow the variables output inside them are getting escaped anyway. *}
{eval var=$c.template}
{/auto_escape}
{/if}
</td>{/strip}
{/foreach}
</tr>
{/foreach}
......@@ -36,7 +45,7 @@
<tfoot>
<tr class="search-results-pages">
<td colspan={$ncols}>
{$pagelinks}
{$pagelinks|safe}
</td>
</tr>
</tfoot>
......@@ -45,4 +54,3 @@
{else}
<div>{str tag="noresultsfound"}</div>
{/if}
{/auto_escape}
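Review bot: The `{auto_escape off}` wrapper around `{eval var=$c.template}` rests on behaviour its own comment calls unexplained ("somehow the variables output inside them are getting escaped anyway"), and the same commit drops the explicit `|escape` from `{$r.username}` in search.php, so escaping of usernames and institution display names in the eval'ed column templates now depends on that unverified behaviour. Before merging, render a result row whose username and institution displayname contain `<`, `"` and `&`, and confirm they come out entity-encoded exactly once. Once confirmed, the comment should state the mechanism, not the symptom, for example `{* auto_escape off applies only to the string eval returns; the eval'ed template escapes its own variables when compiled *}`. Separately, `{$pagelinks|safe}` in both pager rows emits the string raw, so whatever builds `$pagelinks` has to escape every request-derived value itself; that code is not visible on this page.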