Commit ab7ea38e authored by Richard Mansfield's avatar Richard Mansfield

Minor changes to templates to remove XSS and let auto_escape do its job

Signed-off-by: default avatarRichard Mansfield <richardm@catalyst.net.nz>
parent 0a6503a5
......@@ -64,7 +64,7 @@ $form = pieform(array(
));
$smarty = smarty();
$smarty->assign('subheading', hsc(TITLE));
$smarty->assign('subheading', TITLE);
$smarty->assign('message', get_string('collectionconfirmdelete', 'collection'));
$smarty->assign('form', $form);
$smarty->display('collection/delete.tpl');
......
......@@ -78,7 +78,7 @@ $form = pieform(array(
));
$smarty = smarty();
$smarty->assign('subheading', hsc(TITLE));
$smarty->assign('subheading', TITLE);
$smarty->assign('message', get_string('viewconfirmremove', 'collection'));
$smarty->assign('form', $form);
$smarty->display('collection/delete.tpl');
......
......@@ -116,7 +116,7 @@ if ($new) {
$smarty->assign_by_ref('newform', $newform);
}
$smarty->assign('PAGEHEADING', hsc(TITLE));
$smarty->assign('PAGEHEADING', TITLE);
$smarty->assign('displayurl',get_config('wwwroot').'collection/views.php?id='.$id.$newurl);
$smarty->assign('removeurl',get_config('wwwroot').'collection/deleteview.php?id='.$id.$newurl);
$smarty->assign_by_ref('views', $views);
......
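Review bot: `$smarty->assign('PAGEHEADING', TITLE);` moves the escaping of the page heading out of this file into header.tpl, which is not part of this commit, so whether PAGEHEADING is rendered as `{$PAGEHEADING}` under auto_escape or as `{$PAGEHEADING|safe}` cannot be confirmed from the hunk. The same applies to the `@@ -420` hunk, where the value is `$collection->get('name')`, a user-editable field; if header.tpl still marks it safe, that hunk emits the raw name, so header.tpl should be checked in the same change. The two `subheading` assignments in the earlier hunks are covered, since collection/delete.tpl in this commit renders `{$subheading}` without `|safe`. The `displayurl`/`removeurl` strings concatenated on the next two lines are now HTML-escaped by views.tpl, so any `&` in `$newurl` (not visible here) will come out as `&amp;`, which is correct inside an href attribute.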
......@@ -420,7 +420,7 @@ EOF;
$collection = Collection::current_collection();
$smarty->assign('COLLECTION', $collection);
$smarty->assign('SUBPAGENAV', $collection->get_menu_tabs());
$smarty->assign('PAGEHEADING', hsc($collection->get('name')));
$smarty->assign('PAGEHEADING', $collection->get('name'));
}
// ---------- sideblock stuff ----------
......
{auto_escape on}
{include file="header.tpl"}
{if !$form}
<div class="message">{$strnoviews|safe}</div>
......@@ -12,4 +11,4 @@
{$newform|safe}
{/if}
{include file="footer.tpl"}
{auto_escape off}
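Review bot: Dropping the `{auto_escape on}`/`{auto_escape off}` wrappers makes every template in this commit depend on auto-escaping being switched on by the shared Smarty setup (the `smarty()` factory used in the PHP hunks), which this diff does not show; if any of these templates is rendered through a Smarty instance without that setting, every variable that lost `|safe` or `|escape` here is emitted raw. A short comment at the top of each template, e.g. `{* auto_escape is enabled globally; use |safe only for trusted HTML *}`, would record the assumption for the next contributor. This section's first hunk header is not visible, so the lines removed at the top of the file are inferred only from the `@@ -12,4 +11,4 @@` offset.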
{auto_escape on}
{include file="header.tpl"}
<div class="message">
<h3>{$subheading|escape}</h3>
<h3>{$subheading}</h3>
<p>{$message}</p>
{$form|safe}
</div>
{include file="footer.tpl"}
{auto_escape off}
{auto_escape on}
{include file="header.tpl"}
<div>
{$form|safe}
</div>
{$form|safe}
{include file="footer.tpl"}
{auto_escape off}
{auto_escape on}
{include file="header.tpl"}
<div class="rbuttons">
<a class="btn btn-add" href="{$WWWROOT}collection/edit.php?new=1">{str section=collection tag=newcollection}</a>
......@@ -10,24 +9,24 @@
<tr class="{cycle values='r0,r1'}">
<td><div class="rel">
<h3><a href="{$WWWROOT}collection/about.php?id={$collection->id|safe}">{$collection->name|safe}</a></h3>
<h3><a href="{$WWWROOT}collection/about.php?id={$collection->id}">{$collection->name}</a></h3>
<div class="rbuttons"><a href="{$WWWROOT}collection/delete.php?id={$collection->id|safe}" class="btn-del">{str tag=delete}</a></div>
<div class="rbuttons"><a href="{$WWWROOT}collection/delete.php?id={$collection->id}" class="btn-del">{str tag=delete}</a></div>
<div class="vi">
<h4><a href="{$WWWROOT}collection/edit.php?id={$collection->id|safe}" id="editcollectiondetails">{str tag="edittitleanddesc" section="collection"}</a></h4>
<h4><a href="{$WWWROOT}collection/edit.php?id={$collection->id}" id="editcollectiondetails">{str tag="edittitleanddesc" section="collection"}</a></h4>
<div class="videsc">{$collection->description|safe}</div>
<div class="videsc">{$collection->description}</div>
</div>
<div class="vi">
<h4><a href="{$WWWROOT}collection/views.php?id={$collection->id|safe}" id="editcollectionviews">{str tag=manageviews section="collection"}</a></h4>
<h4><a href="{$WWWROOT}collection/views.php?id={$collection->id}" id="editcollectionviews">{str tag=manageviews section="collection"}</a></h4>
</div>
<div class="vi">
<h4><a href="{$WWWROOT}collection/access.php?id={$collection->id|safe}" id="editcollectionaccess">{str tag="editaccess" section="collection"}</a></h4>
<h4><a href="{$WWWROOT}collection/access.php?id={$collection->id}" id="editcollectionaccess">{str tag="editaccess" section="collection"}</a></h4>
{if $collection->masterid}
<div class="videsc">{str tag=currentmaster section=collection}: <a href="{$WWWROOT}view/view.php?id={$collection->masterid}">{$collection->mastertitle|safe}</a></div>
<div class="videsc">{str tag=currentmaster section=collection}: <a href="{$WWWROOT}view/view.php?id={$collection->masterid}">{$collection->mastertitle}</a></div>
{/if}
</div>
......@@ -41,4 +40,3 @@
<div class="message">{$strnocollectionsaddone|safe}</div>
{/if}
{include file="footer.tpl"}
{auto_escape off}
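Review bot: `{$collection->description}` in the `videsc` div is now HTML-escaped, which is the right default for a user-controlled field but changes the output if descriptions are ever stored as HTML from a rich-text editor; the same field is rendered the same way in the about template later in this commit. If the description can legitimately contain markup, it should go through the project's HTML-sanitising modifier rather than back to `|safe`; if it is plain text (which the hunk cannot confirm), a one-line comment in the PHP that populates it, e.g. `// description is plain text; the template HTML-escapes it`, would stop someone re-adding `|safe`. In the `{if $collection->masterid}` branch, `{$collection->masterid}` in the href was already unescaped before this change, so the hunk now treats all interpolated fields consistently.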
{auto_escape on}
{include file="header.tpl"}
<div class="group-info">
<div class="fr">
<ul class="groupuserstatus">
<li><a href="{$WWWROOT}collection/edit.php?id={$collection->id|safe}" class="btn-edit">{str tag=edit}</a></li>
<li><a href="{$WWWROOT}collection/delete.php?id={$collection->id|safe}" class="btn-del">{str tag=delete}</a></li>
<li><a href="{$WWWROOT}collection/edit.php?id={$collection->id}" class="btn-edit">{str tag=edit}</a></li>
<li><a href="{$WWWROOT}collection/delete.php?id={$collection->id}" class="btn-del">{str tag=delete}</a></li>
</ul>
</div>
<ul>
<li><div>{$collection->description|safe}</div></li>
<li><label>{str tag=created section=collection}: </label> {$collection->ctime|safe}</li>
<li><div>{$collection->description}</div></li>
<li><label>{str tag=created section=collection}: </label> {$collection->ctime}</li>
<li><label>{str tag=viewcount section=collection}: </label>
{if $collection->views}
{$collection->views|safe}
{$collection->views}
{else}
{str tag=none}
{/if}
</li>
<li><label>{str tag=accessmaster section=collection}: </label>
{if $collection->access}
<a href="{$WWWROOT}view/view.php?id={$collection->access->view|safe}">{$collection->access->title|safe}</a>
<a href="{$WWWROOT}view/view.php?id={$collection->access->view}">{$collection->access->title}</a>
{else}
{str tag=none}
{/if}
......@@ -27,4 +26,3 @@
</ul>
</div>
{include file="footer.tpl"}
{auto_escape off}
{auto_escape on}
{include file="header.tpl"}
{$newcollectionform|safe}
{include file="footer.tpl"}
{auto_escape off}
{auto_escape on}
{include file="header.tpl"}
{if !$views}
<div class="message">{str tag=noviews section=collection}</div>
......@@ -7,30 +6,30 @@
<tbody>
{foreach from=$views.views item=view}
<tr class="{cycle values='r0,r1'}">
<td><label><a href="{$WWWROOT}view/view.php?id={$view->view|safe}">{$view->title|safe}</a></label></td>
<td><label><a href="{$WWWROOT}view/view.php?id={$view->view}">{$view->title}</a></label></td>
{if $view->master == 1 && !$new}
<td>
{str tag=currentmaster section=collection}: <a href="{$WWWROOT}view/access.php?id={$view->view|safe}">{str tag=editviewaccess section=collection}</a>
{str tag=currentmaster section=collection}: <a href="{$WWWROOT}view/access.php?id={$view->view}">{str tag=editviewaccess section=collection}</a>
</td>
{else}
<td>&nbsp;</td>
{/if}
<td>&nbsp;</td>
<td><a href="{$removeurl|safe}&amp;view={$view->view|safe}">{str tag=remove}</a></td>
<td><a href="{$removeurl}&amp;view={$view->view}">{str tag=remove}</a></td>
{if $views.count > 1}
<td class="displayordercontrols">
{if $view->displayorder == $views.min}
<div id="viewdisplayorder_{$view->view|safe}">
<a href="{$displayurl|safe}&amp;view={$view->view|safe}&amp;direction=down"><img src="{theme_url filename='images/move-block-down.png'}" alt="" ></a>
<div id="viewdisplayorder_{$view->view}">
<a href="{$displayurl}&amp;view={$view->view}&amp;direction=down"><img src="{theme_url filename='images/move-block-down.png'}" alt="" ></a>
</div>
{elseif $view->displayorder == $views.max}
<div id="viewdisplayorder_{$view->view|safe}">
<a href="{$displayurl|safe}&amp;view={$view->view|safe}&amp;direction=up"><img src="{theme_url filename='images/move-block-up.png'}" alt="" ></a>
<div id="viewdisplayorder_{$view->view}">
<a href="{$displayurl}&amp;view={$view->view}&amp;direction=up"><img src="{theme_url filename='images/move-block-up.png'}" alt="" ></a>
</div>
{else}
<div id="viewdisplayorder_{$view->view}">
<a href="{$displayurl|safe}&amp;view={$view->view|safe}&amp;direction=up"><img src="{theme_url filename='images/move-block-up.png'}" alt="" ></a>
<a href="{$displayurl|safe}&amp;view={$view->view|safe}&amp;direction=down"><img src="{theme_url filename='images/move-block-down.png'}" alt="" ></a>
<a href="{$displayurl}&amp;view={$view->view}&amp;direction=up"><img src="{theme_url filename='images/move-block-up.png'}" alt="" ></a>
<a href="{$displayurl}&amp;view={$view->view}&amp;direction=down"><img src="{theme_url filename='images/move-block-down.png'}" alt="" ></a>
</div>
{/if}
</td>
......@@ -52,4 +51,3 @@
</fieldset>
{if $newform}{$newform|safe}{/if}
{include file="footer.tpl"}
{auto_escape off}
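Review bot: The `{else}` branch's `<div id="viewdisplayorder_{$view->view}">` was already unescaped before this change while its two sibling branches used `|safe`, so this hunk fixes a pre-existing inconsistency rather than only removing `|safe`; a line in the commit message would make that visible. `$view->view` is interpolated into query strings (`&amp;view={$view->view}`) and element ids without URL-encoding; that is harmless if it is an integer id from the database, which the hunk cannot confirm, but HTML auto-escaping is not a substitute for `|escape:'url'` should it ever be a string. `$removeurl` and `$displayurl` are full URLs built in PHP (`collection/views.php` hunk in this commit), so escaping them here is the correct layer for the href context.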