PHRAS-2276 port to 4.1 template escape (#2819)
* fix escape lightbox * fix escape in admin connected-user * fix prod escaping * fix escaping in thesaurus * escape when rendered * escape in controller
@@ -94,7 +94,7 @@
|
||||
<tbody>
|
||||
{% for session in data['sessions'] %}
|
||||
{% set row = session['session'] %}
|
||||
<tr title="{{ _self.tooltip_connected_users(row) | raw }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}">
|
||||
<tr title="{{ _self.tooltip_connected_users(row) | e }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}">
|
||||
|
||||
{% if row.getId() == app['session'].get('session_id') %}
|
||||
<td style="color:#ff0000"><i>{{ row.getUser().getDisplayName() }}</i></td>
|
||||
|
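Review bot: `row.getUser().getDisplayName()` on the `<td style="color:#ff0000">` line of this hunk is still printed without `| e`, while the `title` attribute two lines above now gets it; if this template is not autoescaped (which the need for an explicit `| e` suggests), the display name is a user-controlled string and should read `{{ row.getUser().getDisplayName() | e }}`. Applying `| e` to the whole macro result also escapes any markup `tooltip_connected_users` itself emits, so if the macro builds HTML the escaping belongs on the individual values inside the macro rather than on its return value; the macro body is outside this hunk. `row.getId()` in the `id` attribute is presumably an integer and can stay as it is.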
@@ -51,7 +51,7 @@
|
||||
<tr>
|
||||
<td>
|
||||
<h2 class="title15">
|
||||
{{basket.getName()|raw}}
|
||||
{{basket.getName()|e}}
|
||||
</h2>
|
||||
{% if basket.getValidation().isFinished() %}
|
||||
{{ '(validation) session terminee' | trans }}
|
||||
@@ -116,7 +116,7 @@
|
||||
<tr>
|
||||
<td>
|
||||
<h2 class="title15">
|
||||
{{ basket.getName()|raw}}
|
||||
{{ basket.getName()|e}}
|
||||
</h2>
|
||||
</td>
|
||||
<td class="right">
|
||||
|
@@ -19,7 +19,7 @@
|
||||
<img src='/assets/common/images/icons/basket_push_unread.png' title=''/>
|
||||
{% endif %}
|
||||
<img src='/assets/common/images/icons/basket.png' title=''/>
|
||||
{{basket.getName()}}
|
||||
{{basket.getName()|e}}
|
||||
</span>
|
||||
</a>
|
||||
<div class="menu">
|
||||
@@ -99,7 +99,7 @@
|
||||
{% else %}
|
||||
<img src='/assets/common/images/icons/basket.png' title=''/>
|
||||
{% endif %}
|
||||
{{basket.getName()}}
|
||||
{{basket.getName()|e}}
|
||||
</span>
|
||||
</a>
|
||||
<div class="menu">
|
||||
|
@@ -12,17 +12,17 @@
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
<span class="name"><%= item.display_name %></span>
|
||||
<span class="name"><%= htmlEncode(item.display_name) %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<span class="email"><i><%= item.email %></i></span>
|
||||
<span class="email"><i><%= htmlEncode(item.email) %></i></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<span class="subtite"><%= item.subtitle || '' %></span>
|
||||
<span class="subtite"><%= htmlEncode(item.subtitle) || '' %></span>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
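Review bot: `htmlEncode(item.subtitle) || ''` inverts the original null guard: when `item.subtitle` is undefined or null, `htmlEncode` calls `.replace` on it and throws before `|| ''` is reached, so the template fails to render instead of showing an empty subtitle; the guard has to wrap the argument, `<span class="subtite"><%= htmlEncode(item.subtitle || '') %></span>`. The same pattern recurs for `user.subtitle` in the hunks at -81, -201 and -242. If these are Underscore/Lodash templates, `<%- item.subtitle || '' %>` is the engine's built-in escaped interpolation and would avoid the hand-written encoder altogether, though the engine cannot be told from the hunk.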
@@ -47,7 +47,7 @@
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
<span class="name"><%= item.name %></span>
|
||||
<span class="name"><%= htmlEncode(item.name) %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@@ -81,12 +81,12 @@
|
||||
<table>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="name"><%= user.display_name %></span>
|
||||
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
||||
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="toggles">
|
||||
@@ -201,12 +201,12 @@
|
||||
<table>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="name"><%= user.display_name %></span>
|
||||
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
||||
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="toggles">
|
||||
@@ -242,12 +242,12 @@
|
||||
<table>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="name"><%= user.display_name %></span>
|
||||
<span class="name"><%= htmlEncode(user.display_name) %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="3">
|
||||
<span class="subtite"><%= user.subtitle || '' %></span>
|
||||
<span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="toggles">
|
||||
@@ -267,3 +267,22 @@
|
||||
</div>
|
||||
</script>
|
||||
|
||||
<script>
|
||||
function htmlEncode(str) {
|
||||
return str.replace(/[&"'<>]/g, function(c){
|
||||
switch (c)
|
||||
{
|
||||
case "&":
|
||||
return "&";
|
||||
case "'":
|
||||
return "'";
|
||||
case '"':
|
||||
return """;
|
||||
case "<":
|
||||
return "<";
|
||||
case ">":
|
||||
return ">";
|
||||
}
|
||||
});
|
||||
}
|
||||
</script>
|
||||
|
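Review bot: `htmlEncode` throws for any non-string input — `str.replace` on null, undefined or a number — and, as displayed here, each `case` returns the matched character unchanged (`return "&";`, `return "<";`), which would make the function a no-op; that is most likely the page rendering the entities, but it is worth confirming the source returns `&amp;`, `&quot;`, `&#39;`, `&lt;` and `&gt;`. Coercing the input and using a lookup table removes both concerns and the switch, and the function deserves a one-line header stating that it encodes the five HTML-significant characters and renders null/undefined as an empty string.

```javascript
var HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

// Escape the five HTML-significant characters; null/undefined render as ''.
function htmlEncode(str) {
    if (str === null || str === undefined) {
        return '';
    }
    return String(str).replace(/[&"'<>]/g, function (c) {
        return HTML_ESCAPES[c];
    });
}
```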
@@ -16,11 +16,11 @@
|
||||
|
||||
{% if context %}
|
||||
{% set zterm %}
|
||||
{% trans with {'%term%' : term, '%context%' : context} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
|
||||
{% trans with {'%term%' : term | e, '%context%' : context | e} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
|
||||
{% endset %}
|
||||
{% else %}
|
||||
{% set zterm %}
|
||||
{% trans with {'%term%' : term} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
|
||||
{% trans with {'%term%' : term | e} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
|
||||
{% endset %}
|
||||
{% endif %}
|
||||
|
||||
|
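Review bot: The reason `| e` sits inside the `{% set zterm %}…{% endset %}` capture deserves a comment, because a later reader may try to move the escaping to where `zterm` is printed: Twig wraps the content captured by a block `set` in a safe `Markup` value, so escaping it afterwards would be a no-op, and `term`/`context` have to be escaped before they are interpolated into the translated message. Suggested line above `{% if context %}`: `{# term/context are user input: escape them here, the captured zterm is marked safe by Twig and is not escaped again when printed #}`. The place where `zterm` is output is outside this hunk.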
@@ -338,6 +338,8 @@
|
||||
for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling )
|
||||
{
|
||||
var lng = sy.getAttribute("lng");
|
||||
var v = escapeHtmlDataFromXML(sy.getAttribute("v"));
|
||||
|
||||
html += "<tr>";
|
||||
if(lng)
|
||||
if(tFlags[lng])
|
||||
@@ -347,7 +349,7 @@
|
||||
else
|
||||
html += "<td><span style='background-color:#cccccc'> ? </span></td>";
|
||||
|
||||
html += "<td> "+sy.getAttribute("v")+"</td>";
|
||||
html += "<td> "+ v +"</td>";
|
||||
|
||||
var hits = 0+sy.getAttribute("hits");
|
||||
if(hits == 1)
|
||||
@@ -361,6 +363,12 @@
|
||||
return(html);
|
||||
}
|
||||
|
||||
// Let the browser to do it
|
||||
function escapeHtmlDataFromXML(data){
|
||||
var d = document.createElement('div');
|
||||
d.appendChild(document.createTextNode(data));
|
||||
return d.innerHTML;
|
||||
}
|
||||
|
||||
// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
|
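Review bot: `escapeHtmlDataFromXML` only neutralises `&`, `<` and `>` — the `createTextNode` + `innerHTML` round trip leaves `"` and `'` untouched — so it is adequate for the element-text use at `html += "<td> "+ v +"</td>"` in the hunk at -347 but not for a value concatenated into an attribute, and that limit should be stated on the function. Passing `null` (a missing `v` attribute, since `getAttribute` returns null at the call site in the hunk at -338) produces the text `null` rather than an empty cell; `d.appendChild(document.createTextNode(data == null ? '' : data));` covers it. Suggested header in place of `// Let the browser to do it`: `// Escape a string for use as element text by round-tripping it through a DOM text node; only &, < and > are encoded, so do NOT use the result inside an attribute value.`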