Escape output to prevent XSS injections (#3924)

Credit to @nathan-van-der-werf
2018-11-15 22:05:44 +01:00 · 2018-11-15 22:05:44 +01:00 · 6fb6211c56
parent 2b16bad0fe
commit 6fb6211c56
6 changed files with 6 additions and 6 deletions
--- a/modules/backend/behaviors/reordercontroller/partials/_records.htm
+++ b/modules/backend/behaviors/reordercontroller/partials/_records.htm
@ -7,7 +7,7 @@
    >
        <div class="record">
            <a href="javascript:;" class="move"></a>
-            <span><?= $this->reorderGetRecordName($record) ?></span>
+            <span><?= e($this->reorderGetRecordName($record)) ?></span>
            <input name="record_ids[]" type="hidden" value="<?= $record->getKey() ?>" />
        </div>

--- a/modules/backend/widgets/search/partials/_search.htm
+++ b/modules/backend/widgets/search/partials/_search.htm
@ -3,7 +3,7 @@
        placeholder="<?= $placeholder ?>"
        type="text"
        name="<?= $this->getName() ?>"
-        value="<?= $value ?>"
+        value="<?= e($value) ?>"
        data-request="<?= $this->getEventHandler('onSubmit') ?>"
        <?= !$searchOnEnter ? 'data-track-input' : '' ?>
        data-load-indicator
--- a/modules/system/controllers/maillayouts/update.htm
+++ b/modules/system/controllers/maillayouts/update.htm
@ -14,7 +14,7 @@
                <div data-control="toolbar">
                    <div class="scoreboard-item title-value">
                        <h4><?= e(trans('system::lang.mail_templates.layout')) ?></h4>
-                        <p><?= $formModel->code ?></p>
+                        <p><?= e($formModel->code) ?></p>
                    </div>
                </div>
            </div>
--- a/modules/system/controllers/mailpartials/update.htm
+++ b/modules/system/controllers/mailpartials/update.htm
@ -14,7 +14,7 @@
                <div data-control="toolbar">
                    <div class="scoreboard-item title-value">
                        <h4><?= e(trans('system::lang.mail_templates.partial')) ?></h4>
-                        <p><?= $formModel->code ?></p>
+                        <p><?= e($formModel->code) ?></p>
                    </div>
                </div>
            </div>
--- a/modules/system/controllers/mailtemplates/update.htm
+++ b/modules/system/controllers/mailtemplates/update.htm
@ -14,7 +14,7 @@
                <div data-control="toolbar">
                    <div class="scoreboard-item title-value">
                        <h4><?= e(trans('system::lang.mail_templates.template')) ?></h4>
-                        <p><?= $formModel->code ?></p>
+                        <p><?= e($formModel->code) ?></p>
                    </div>
                </div>
            </div>
--- a/modules/system/controllers/requestlogs/_referer_field.htm
+++ b/modules/system/controllers/requestlogs/_referer_field.htm
@ -2,7 +2,7 @@
    <div class="form-control control-simplelist with-icons">
        <ul>
            <?php foreach ((array) $formModel->referer as $referer): ?>
-                <li class="oc-icon-file-o"><?= $referer ?></li>
+                <li class="oc-icon-file-o"><?= e($referer) ?></li>
            <?php endforeach ?>
        </ul>
    </div>