diff options
37 files changed, 207 insertions, 260 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 2cb017d17..06be9243c 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -256,6 +256,11 @@ sub create { $var =~ s/\@/\@/g; return $var; }, + + # We force filtering of every variable in key security-critical + # places; we have a none filter for people to use when they + # really, really don't want a variable to be changed. + none => sub { return $_[0]; } , }, PLUGIN_BASE => 'Bugzilla::Template::Plugin', diff --git a/checksetup.pl b/checksetup.pl index b7cffb05d..4f7985d9a 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -1078,6 +1078,7 @@ END csv => sub { return $_; }, time => sub { return $_; }, obscure_email => sub { return $_; }, + none => sub { return $_; } , }, }) || die ("Could not create Template Provider: " . Template::Provider->error() . "\n"); diff --git a/t/004template.t b/t/004template.t index 725241426..78d58edd5 100644 --- a/t/004template.t +++ b/t/004template.t @@ -99,6 +99,7 @@ foreach my $include_path (@include_paths) { csv => sub { return $_ } , time => sub { return $_ } , obscure_email => sub { return $_ } , + none => sub { return $_ } , }, } ); diff --git a/t/008filter.t b/t/008filter.t index 3bf7f3fd1..8b8b36d5c 100644 --- a/t/008filter.t +++ b/t/008filter.t @@ -199,7 +199,7 @@ sub directive_ok { # Note: If a single directive prints two things, and only one is # filtered, we may not catch that case. return 1 if $directive =~ /FILTER\ (html|csv|js|url_quote|css_class_quote| - quoteUrls|time|uri|xml|lower)/x; + quoteUrls|time|uri|xml|lower|none)/x; return 0; } diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl index 798bb8e40..70190048a 100644 --- a/template/en/default/account/prefs/account.html.tmpl +++ b/template/en/default/account/prefs/account.html.tmpl @@ -74,7 +74,7 @@ </tr> <tr> <th align="right">Change request expires:</th> - <td>[% login_change_date %]</td> + <td>[% login_change_date FILTER time %]</td> </tr> [% ELSE %] <tr> @@ -83,7 +83,7 @@ </tr> <tr> <th align="right">Completion date:</th> - <td>[% login_change_date %]</td> + <td>[% login_change_date FILTER time %]</td> </tr> [% END %] [% ELSE %] diff --git a/template/en/default/account/prefs/email.html.tmpl b/template/en/default/account/prefs/email.html.tmpl index fa6295e72..24853a726 100644 --- a/template/en/default/account/prefs/email.html.tmpl +++ b/template/en/default/account/prefs/email.html.tmpl @@ -57,7 +57,8 @@ <tr> <th align="right">Users to watch:</th> <td> - <input size="35" name="watchedusers" value="[% watchedusers %]"> + <input size="35" name="watchedusers" + value="[% watchedusers FILTER html %]"> </td> </tr> [% END %] diff --git a/template/en/default/admin/flag-type/confirm-delete.html.tmpl b/template/en/default/admin/flag-type/confirm-delete.html.tmpl index 6bf1ca43f..ddd99d7ca 100644 --- a/template/en/default/admin/flag-type/confirm-delete.html.tmpl +++ b/template/en/default/admin/flag-type/confirm-delete.html.tmpl @@ -29,7 +29,7 @@ %] <p> - There are [% flag_count %] flags of type [% name %]. + There are [% flag_count %] flags of type [% name FILTER html %]. If you delete this type, those flags will also be deleted. Note that instead of deleting the type you can <a href="editflagtypes.cgi?action=deactivate&id=[% flag_type.id %]">deactivate it</a>, diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl index a56c3bb65..58519466d 100644 --- a/template/en/default/admin/flag-type/edit.html.tmpl +++ b/template/en/default/admin/flag-type/edit.html.tmpl @@ -67,10 +67,10 @@ <input type="hidden" name="id" value="[% type.id %]"> <input type="hidden" name="target_type" value="[% type.target_type %]"> [% FOREACH category = type.inclusions %] - <input type="hidden" name="inclusions" value="[% category %]"> + <input type="hidden" name="inclusions" value="[% category FILTER html %]"> [% END %] [% FOREACH category = type.exclusions %] - <input type="hidden" name="exclusions" value="[% category %]"> + <input type="hidden" name="exclusions" value="[% category FILTER html %]"> [% END %] <table id="form" cellspacing="0" cellpadding="4" border="0"> @@ -105,13 +105,17 @@ <select name="product" onchange="selectProduct(this.form, 'product', 'component', '__Any__');"> <option value="">__Any__</option> [% FOREACH item = products %] - <option value="[% item %]" [% "selected" IF type.product.name == item %]>[% item %]</option> + <option value="[% item FILTER html %]" + [% "selected" IF type.product.name == item %]> + [% item FILTER html %]</option> [% END %] </select><br> <select name="component"> <option value="">__Any__</option> [% FOREACH item = components %] - <option value="[% item %]" [% "selected" IF type.component.name == item %]>[% item %]</option> + <option value="[% item FILTER html %]" + [% "selected" IF type.component.name == item %]> + [% item FILTER html %]</option> [% END %] </select><br> <input type="submit" name="categoryAction" value="Include"> @@ -186,7 +190,10 @@ <tr> <th></th> <td> - <input type="submit" value="[% (last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes" %]"> + <input type="submit" value=" + [% IF (last_action == "enter" || last_action == "copy") %]Create + [% ELSE %]Save Changes + [% END %]"> </td> </tr> diff --git a/template/en/default/admin/flag-type/list.html.tmpl b/template/en/default/admin/flag-type/list.html.tmpl index 0e3306d27..80764d613 100644 --- a/template/en/default/admin/flag-type/list.html.tmpl +++ b/template/en/default/admin/flag-type/list.html.tmpl @@ -92,7 +92,7 @@ [% FOREACH type = types %] - <tr class="[% type.is_active ? "active" : "inactive" %]"> + <tr class="[% IF type.is_active %]active[% ELSE %]inactive[% END %]"> <td><a href="editflagtypes.cgi?action=edit&id=[% type.id %]">[% type.name FILTER html %]</a></td> <td>[% type.description FILTER html %]</td> <td> diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl index 163071997..1e3618093 100644 --- a/template/en/default/attachment/list.html.tmpl +++ b/template/en/default/attachment/list.html.tmpl @@ -53,13 +53,13 @@ [% IF attachment.flags.size == 0 %] <i>none</i> [% ELSE %] - [% FOR flag = attachment.flags %] + [% FOREACH flag = attachment.flags %] [% IF flag.setter %] [% flag.setter.nick FILTER html %]: [% END %] - [%+ flag.type.name %][% flag.status %] + [%+ flag.type.name FILTER html %][% flag.status %] [%+ IF flag.status == "?" && flag.requestee %] - ([% flag.requestee.nick %]) + ([% flag.requestee.nick FILTER html %]) [% END %]<br> [% END %] [% END %] diff --git a/template/en/default/bug/activity/table.html.tmpl b/template/en/default/bug/activity/table.html.tmpl index ec005cc38..af6305b5d 100644 --- a/template/en/default/bug/activity/table.html.tmpl +++ b/template/en/default/bug/activity/table.html.tmpl @@ -60,7 +60,7 @@ [% FOREACH operation = operations %] <tr> <td rowspan="[% operation.changes.size %]" valign="top"> - [% operation.who %] + [% operation.who FILTER html %] </td> <td rowspan="[% operation.changes.size %]" valign="top"> [% operation.when FILTER time %] diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl index fb5828fe8..7e0220b85 100644 --- a/template/en/default/bug/create/create-guided.html.tmpl +++ b/template/en/default/bug/create/create-guided.html.tmpl @@ -224,7 +224,8 @@ function PutDescription() { The area where the problem occurs. To pick the right component, you could use the same one as similar [% terms.bugs %] you found in your search, or read the full list of - <a href="describecomponents.cgi?product=[% product %]">component + <a href="describecomponents.cgi?product= + [% product FILTER url_quote %]">component descriptions</a> if you need more help. </p> diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl index 14ce27180..b15efffac 100644 --- a/template/en/default/bug/create/create.html.tmpl +++ b/template/en/default/bug/create/create.html.tmpl @@ -171,7 +171,8 @@ function set_assign_to() { <td colspan="2"></td> </tr> [% ELSE %] - <input type="hidden" name="bug_status" value="[% default.bug_status %]"> + <input type="hidden" name="bug_status" + value="[% default.bug_status FILTER html %]"> [% END %] <tr> diff --git a/template/en/default/bug/dependency-tree.html.tmpl b/template/en/default/bug/dependency-tree.html.tmpl index 194691e56..16f68b394 100644 --- a/template/en/default/bug/dependency-tree.html.tmpl +++ b/template/en/default/bug/dependency-tree.html.tmpl @@ -32,8 +32,14 @@ [% PROCESS depthControlToolbar %] [%# Display the tree of bugs that this bug depends on. %] -<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %] - that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> depends on</h3> +<h3> + [% IF hide_resolved %] + Open [% terms.bugs %] + [% ELSE %] + [% terms.Bugs %] + [% END %] + that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> + depends on</h3> [% IF dependson_ids.size > 0 %] ( [% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %] @@ -48,8 +54,14 @@ [% END %] [%# Display the tree of bugs that this bug blocks. %] -<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %] - that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> blocks</h3> +<h3> + [% IF hide_resolved %] + Open [% terms.bugs %] + [% ELSE %] + [% terms.Bugs %] + [% END %] + that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> + blocks</h3> [% IF blocked_ids.size > 0 %] ( [% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %] @@ -112,7 +124,8 @@ <input name="maxdepth" type="hidden" value="[% maxdepth %]"> [% END %] <input type="hidden" name="hide_resolved" value="[% hide_resolved ? 0 : 1 %]"> - <input type="submit" value="[% hide_resolved ? "Show" : "Hide" %] Resolved"> + <input type="submit" + value="[% IF hide_resolved %]Show[% ELSE %]Hide[% END %] Resolved"> </form> </td> @@ -128,9 +141,8 @@ <form method="get" action="showdependencytree.cgi" style="display: inline; margin: 0px;"> [%# set to one form %] - <input type="submit" value=" 1 " [% - realdepth < 2 || maxdepth == 1 ? "disabled" : "" - %]> + <input type="submit" value=" 1 " + [% "disabled" IF realdepth < 2 || maxdepth == 1 %]> <input name="id" type="hidden" value="[% bugid %]"> <input name="maxdepth" type="hidden" value="1"> <input name="hide_resolved" type="hidden" value="[% hide_resolved %]"> @@ -148,9 +160,8 @@ : ( maxdepth ? maxdepth - 1 : realdepth - 1 ) %]"> <input name="hide_resolved" type="hidden" value="[% hide_resolved %]"> - <input type="submit" value=" < " [% - realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : "" - %]> + <input type="submit" value=" < " + [% "disabled" IF realdepth < 2 || ( maxdepth && maxdepth < 2 ) %]> </form> </td> @@ -165,7 +176,7 @@ <input name="id" type="hidden" value="[% bugid %]"> <input name="hide_resolved" type="hidden" value="[% hide_resolved %]"> <noscript> - <input type="submit" value="Change" [% realdepth < 2 ? "disabled" : "" %]> + <input type="submit" value="Change" [% "disabled" IF realdepth < 2 %]> </noscript> </form> </td> @@ -180,10 +191,9 @@ <input name="maxdepth" type="hidden" value="[% maxdepth + 1 %]"> [% END %] <input name="hide_resolved" type="hidden" value="[% hide_resolved %]"> - <input type="submit" value=" > " [% - realdepth < 2 || ! maxdepth || maxdepth >= realdepth ? - "disabled" : "" - %]> + <input type="submit" value=" > " + [% "disabled" IF realdepth < 2 || !maxdepth || maxdepth >= realdepth %] + %]> </form> </td> @@ -194,7 +204,7 @@ <input name="id" type="hidden" value="[% bugid %]"> <input name="hide_resolved" type="hidden" value="[% hide_resolved %]"> <input type="submit" value=" Unlimited " - [% maxdepth == 0 || maxdepth == realdepth ? "disabled" : "" %]> + [% "disabled" IF maxdepth == 0 || maxdepth == realdepth %]> </form> </td> </tr> diff --git a/template/en/default/bug/process/bugmail.html.tmpl b/template/en/default/bug/process/bugmail.html.tmpl index 631842a40..1e9c13abe 100644 --- a/template/en/default/bug/process/bugmail.html.tmpl +++ b/template/en/default/bug/process/bugmail.html.tmpl @@ -61,10 +61,10 @@ [%############################################################################%] [% BLOCK emails %] - <b>[% description %]:</b> + <b>[% description FILTER html %]:</b> [% IF names.size > 0 %] [%+ FOREACH name = names %] - [% name %][% ", " UNLESS loop.last() %] + [% name FILTER html %][% ", " UNLESS loop.last() %] [% END %] [% ELSE %] no one diff --git a/template/en/default/bug/process/verify-new-product.html.tmpl b/template/en/default/bug/process/verify-new-product.html.tmpl index fd37707dc..b3e6af250 100644 --- a/template/en/default/bug/process/verify-new-product.html.tmpl +++ b/template/en/default/bug/process/verify-new-product.html.tmpl @@ -48,11 +48,13 @@ <p> [% IF use_target_milestone %] - You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>, + You are moving the [% terms.bug %](s) to the product + <b>[% form.product FILTER html %]</b>, and the version, component, and/or target milestone fields are no longer correct. Please set the correct version, component, and target milestone now: [% ELSE %] - You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>, + You are moving the [% terms.bug %](s) to the product + <b>[% form.product FILTER html %]</b>, and the version and component fields are no longer correct. Please set the correct version and component now: [% END %] diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl index bda5e4f91..340a0ebf8 100644 --- a/template/en/default/bug/show-multiple.html.tmpl +++ b/template/en/default/bug/show-multiple.html.tmpl @@ -97,7 +97,7 @@ <tr> <td colspan="2"> <b>Component:</b> - [% bug.component %] + [% bug.component FILTER html %] </td> <td colspan="2"> @@ -190,7 +190,7 @@ [% BLOCK cell %] <td> - <b>[% attr.description%]:</b> + <b>[% attr.description FILTER html %]:</b> [% bug.${attr.name} FILTER html %] </td> [% END %] diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl index bcb5956ea..1505713ff 100644 --- a/template/en/default/bug/votes/list-for-user.html.tmpl +++ b/template/en/default/bug/votes/list-for-user.html.tmpl @@ -21,9 +21,9 @@ [% PROCESS global/variables.none.tmpl %] +[% h2 = voting_user.login FILTER html %] [% PROCESS global/header.html.tmpl title = "Show Votes" - h2 = voting_user.name %] [% canedit = 1 IF voting_user.login == user.login %] diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl index a1f0a89f2..afe3ef487 100644 --- a/template/en/default/filterexceptions.pl +++ b/template/en/default/filterexceptions.pl @@ -33,17 +33,7 @@ # Safe vmethods - [% foo.size %] # TT loop variables - [% loop.count %] # Already-filtered stuff - [% wibble FILTER html %] -# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml - -# Key: -# -# "#": directive should be filtered, but not doing so is not a security hole -# The plan is to come back and add filtering for all those marked "#" after -# the security release. -# -# "# Email": as above; but noting that it's an email address. -# Other sorts of comments denote cleanups noticed while doing this work; -# they should be fixed in the very short term. +# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml|none %::safe = ( @@ -80,19 +70,6 @@ 'field.accesskey', 'sel.name', 'sel.accesskey', - 'button_name', # -], - -'search/knob.html.tmpl' => [ - 'button_name', # -], - -'search/search-report-graph.html.tmpl' => [ - 'button_name', # -], - -'search/search-report-table.html.tmpl' => [ - 'button_name', # ], 'search/search-specific.html.tmpl' => [ @@ -115,19 +92,11 @@ 'reports/components.html.tmpl' => [ 'numcols', 'comp.description', - 'comp.initialowner', # email address - 'comp.initialqacontact', # email address -], - -'reports/duplicates-simple.html.tmpl' => [ - 'title', # ], 'reports/duplicates-table.html.tmpl' => [ '"&maxrows=$maxrows" IF maxrows', '"&changedsince=$changedsince" IF changedsince', - '"&product=$product" IF product', # - '"&format=$format" IF format', # '"&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible', 'column.name', 'column.description', @@ -135,10 +104,6 @@ 'bug.id', 'bug.count', 'bug.delta', - 'bug.component', # - 'bug.bug_severity', # - 'bug.op_sys', # - 'bug.target_milestone', # ], 'reports/duplicates.html.tmpl' => [ @@ -154,11 +119,9 @@ ], 'reports/report-table.csv.tmpl' => [ - '"$tbl_field_disp: $tbl\n" IF tbl_field', # - 'row_field_disp IF row_field', # - 'col_field_disp', # 'num_bugs', 'data.$tbl.$col.$row', + 'title', '', # This is not a bug in the filter exceptions - this template has an # empty directive which is necessary for it to work properly. ], @@ -168,7 +131,6 @@ '"&$tbl_vals" IF tbl_vals', '"&$col_vals" IF col_vals', '"&$row_vals" IF row_vals', - 'tbl_disp', # 'classes.$row_idx.$col_idx', 'urlbase', 'data.$tbl.$col.$row', @@ -178,16 +140,12 @@ ], 'reports/report.html.tmpl' => [ - 'tbl_field_disp IF tbl_field', # - 'row_field_disp IF row_field', # - 'col_field_disp', # 'imagebase', 'width', 'height', 'imageurl', 'formaturl', 'other_format.name', - 'other_format.description', # 'sizeurl', 'switchbase', 'format', @@ -233,7 +191,6 @@ 'list/change-columns.html.tmpl' => [ 'column', - 'field_descs.${column} || column', # ], 'list/edit-multiple.html.tmpl' => [ @@ -250,7 +207,6 @@ 'list/list.html.tmpl' => [ 'buglist', - 'bugowners', # email address ], 'list/list.rdf.tmpl' => [ @@ -260,7 +216,6 @@ ], 'list/table.html.tmpl' => [ - 'abbrev.$id.title || field_descs.$id || column.title', # 'tableheader', 'bug.bug_id', ], @@ -287,19 +242,12 @@ 'proddesc.$p', ], +# You are not permitted to add any values here. Everything in this file should +# be filtered unless there's an extremely good reason why not, in which case, +# use the "none" dummy filter. 'global/code-error.html.tmpl' => [ - 'parameters', - 'bug.bug_id', - 'field', - 'argument', # - 'function', # - 'bug_id', # Need to remove unused error no_bug_data - 'variables.id', - 'template_error_msg', # Should move filtering from CGI.pl to template - 'error', - 'error_message', ], - + 'global/header.html.tmpl' => [ 'javascript', 'style', @@ -313,49 +261,27 @@ ], 'global/messages.html.tmpl' => [ - 'parameters', - '# ---', # Work out what this is - 'namedcmd', # - 'old_email', # email address - 'new_email', # email address 'message_tag', 'series.frequency * 2', ], 'global/select-menu.html.tmpl' => [ 'options', - 'onchange', # Again, need to be certain where we are filtering 'size', ], 'global/useful-links.html.tmpl' => [ 'email', - 'user.login', # Email address ], -# Need to change this and code-error to use a no-op filter, for safety +# You are not permitted to add any values here. Everything in this file should +# be filtered unless there's an extremely good reason why not, in which case, +# use the "none" dummy filter. 'global/user-error.html.tmpl' => [ - 'disabled_reason', - 'bug_link', - 'action', # - 'bug_id', - 'both', - 'filesize', - 'attach_id', - 'field', - 'field_descs.$field', - 'today', - 'product', # - 'max', - 'votes', - 'error_message', ], 'global/confirm-user-match.html.tmpl' => [ - '# use the global field descs', # Need to fix commenting style here 'script', - '# this is messy to allow later expansion', - '# ELSIF for things that don\'t belong in the field_descs hash here', 'fields.${field_name}.flag_type.name', ], @@ -381,22 +307,16 @@ ], 'bug/dependency-tree.html.tmpl' => [ - 'hide_resolved ? "Open $terms.bugs" : "$terms.Bugs"', 'bugid', 'maxdepth', 'dependson_ids.join(",")', 'blocked_ids.join(",")', 'dep_id', 'hide_resolved', - 'realdepth < 2 ? "disabled" : ""', 'maxdepth + 1', - 'maxdepth == 0 || maxdepth == realdepth ? "disabled" : ""', - 'realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""', 'maxdepth > 0 && maxdepth <= realdepth ? maxdepth : ""', 'maxdepth == 1 ? 1 : ( maxdepth ? maxdepth - 1 : realdepth - 1 )', - 'realdepth < 2 || ! maxdepth || maxdepth >= realdepth ? - "disabled" : ""', ], 'bug/edit.html.tmpl' => [ @@ -425,8 +345,6 @@ 'bug/show-multiple.html.tmpl' => [ 'bug.bug_id', - 'bug.component', # - 'attr.description', # ], 'bug/show.xml.tmpl' => [ @@ -454,7 +372,6 @@ 'product.total', 'product.maxvotes', ], -# h2 = voting_user.name # Email 'bug/process/confirm-duplicate.html.tmpl' => [ 'original_bug_id', @@ -474,21 +391,11 @@ 'id', ], -'bug/process/verify-new-product.html.tmpl' => [ - 'form.product', # -], - -'bug/process/bugmail.html.tmpl' => [ - 'description', - 'name', # Email -], - 'bug/create/comment.txt.tmpl' => [ 'form.comment', ], 'bug/create/create.html.tmpl' => [ - 'default.bug_status', # 'g.bit', 'g.description', 'sel.name', @@ -498,7 +405,6 @@ 'bug/create/create-guided.html.tmpl' => [ 'matches.0', 'tablecolour', - 'product', # 'buildid', 'sel', ], @@ -508,7 +414,6 @@ ], 'bug/activity/table.html.tmpl' => [ - 'operation.who', # Email 'change.attachid', 'change.field', ], @@ -532,10 +437,7 @@ 'attachment/list.html.tmpl' => [ 'attachment.attachid', - 'FOR flag = attachment.flags', # Bug? No FOR directive - 'flag.type.name', 'flag.status', - 'flag.requestee.nick', # Email 'bugid', ], @@ -585,7 +487,6 @@ 'admin/flag-type/confirm-delete.html.tmpl' => [ 'flag_count', - 'name', # 'flag_type.id', ], @@ -593,10 +494,7 @@ 'action', 'type.id', 'type.target_type', - 'category', # - 'item', # 'type.sortkey || 1', - '(last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes"', 'typeLabelLowerPlural', 'typeLabelLowerSingular', ], @@ -610,12 +508,7 @@ 'target', ], -'account/prefs/account.html.tmpl' => [ - 'login_change_date', # -], - 'account/prefs/email.html.tmpl' => [ - 'watchedusers', # Email 'role', 'reason.name', 'reason.description', @@ -634,5 +527,3 @@ ], ); - -# Should filter reports/report.html.tmpl:130 $format diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl index 60ae95043..939c0c4dc 100644 --- a/template/en/default/global/code-error.html.tmpl +++ b/template/en/default/global/code-error.html.tmpl @@ -28,6 +28,9 @@ [%# This is a list of all the possible code errors. Please keep them in # alphabetical order by error tag, and leave a blank line between errors. + # + # Note that you must explicitly filter every single template variable + # in this file; if you do not wish to change it, use the "none" filter. #%] [% PROCESS global/variables.none.tmpl %] @@ -35,14 +38,7 @@ [% DEFAULT title = "Internal Error" %] [% error_message = BLOCK %] - [% IF error == "aaa_example_error_tag" %] - [% title = "Example Error" %] - This is an example error. The title is set above. This text is the body - of the error. It can contain arbitrary <b>HTML</b>, and also references - to any [% parameters %] which you may have set before calling - ThrowCodeError. - - [% ELSIF error == "action_unrecognized" %] + [% IF error == "action_unrecognized" %] I don't recognize the value (<em>[% variables.action FILTER html %]</em>) of the <em>action</em> variable. @@ -61,8 +57,8 @@ An authorization handler return value was not handled by the login code. [% ELSIF error == "bug_error" %] - Trying to retrieve [% terms.bug %] [%+ bug.bug_id %] returned the error - [% bug.error FILTER html %] + Trying to retrieve [% terms.bug %] [%+ bug.bug_id FILTER html %] returned + the error [% bug.error FILTER html %]. [% ELSIF error == "chart_data_not_generated" %] The tool which gathers [% terms.bug %] counts has not been run yet. @@ -82,7 +78,7 @@ Run checksetup.pl for installation instructions. [% ELSIF error == "field_type_mismatch" %] - Cannot seem to handle <code>[% field %]</code> + Cannot seem to handle <code>[% field FILTER html %]</code> and <code>[% type FILTER html %]</code> together. [% ELSIF error == "gd_not_installed" %] @@ -107,8 +103,8 @@ '[% bit FILTER html %]'. [% ELSIF error == "bad_arg" %] - Bad argument <code>[% argument %]</code> sent to - <code>[% function %]</code> function. + Bad argument <code>[% argument FILTER html %]</code> sent to + <code>[% function FILTER html %]</code> function. [% ELSIF error == "invalid_attach_id_to_obsolete" %] The attachment number of one of the attachments you wanted to obsolete, @@ -145,11 +141,8 @@ but you tried to flag it as obsolete while creating a new attachment to [% terms.bug %] [%+ my_bug_id FILTER html %]. - [% ELSIF error == "no_bug_data" %] - No data when fetching [% terms.bug %] [%+ bug_id %]. - [% ELSIF error == "flag_nonexistent" %] - There is no flag with ID #[% variables.id %]. + There is no flag with ID #[% variables.id FILTER html %]. [% ELSIF error == "flag_status_invalid" %] The flag status <em>[% variables.status FILTER html %]</em> is invalid. @@ -166,7 +159,7 @@ a positive integer. [% ELSIF error == "flag_type_nonexistent" %] - There is no flag type with the ID <em>[% variables.id %]</em>. + There is no flag type with the ID <em>[% variables.id FILTER html %]</em>. [% ELSIF error == "flag_type_product_nonexistent" %] The product <em>[% variables.product FILTER html %]</em> does not exist. @@ -212,7 +205,7 @@ Something is seriously wrong with the token generation system. [% ELSIF error == "template_error" %] - [% template_error_msg %] + [% template_error_msg FILTER html %] [% ELSIF error == "unable_to_retrieve_password" %] I was unable to retrieve your old password from the database. @@ -238,9 +231,9 @@ [% ELSE %] [%# Give sensible error if error functions are used incorrectly. #%] - You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly. You - passed in the string '[% error %]'. The correct use is to pass - in a tag, and define that tag in the file code-error.html.tmpl.<br> + You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly. + You passed in the string '[% error FILTER html %]'. The correct use is to + pass in a tag, and define that tag in the file code-error.html.tmpl.<br> <br> If you are a [% terms.Bugzilla %] end-user seeing this message, please save this page and send it to [% Param('maintainer') %]. @@ -267,7 +260,7 @@ <tr> <td bgcolor="#ff0000"> <font size="+2"> - [% error_message %] + [% error_message FILTER none %] </font> </td> </tr> diff --git a/template/en/default/global/confirm-user-match.html.tmpl b/template/en/default/global/confirm-user-match.html.tmpl index 037f7385c..ec4c4f150 100644 --- a/template/en/default/global/confirm-user-match.html.tmpl +++ b/template/en/default/global/confirm-user-match.html.tmpl @@ -38,7 +38,7 @@ # self-referential URL #%] -[% # use the global field descs %] +[%# use the global field descs %] [% PROCESS "global/field-descs.none.tmpl" %] [% IF matchsuccess == 1 %] @@ -74,7 +74,7 @@ </td> </tr> - [% # this is messy to allow later expansion %] + [%# this is messy to allow later expansion %] [% FOREACH field = matches %] <tr> @@ -173,7 +173,7 @@ [% IF field_descs.${field_name} %] [% field_descs.${field_name} FILTER html -%] - [%- # ELSIF for things that don't belong in the field_descs hash here -%] + [%-# ELSIF for things that don't belong in the field_descs hash here -%] [% ELSIF field_name.match("^requestee") %] [% fields.${field_name}.flag_type.name %] requestee diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl index e8aa8047f..e84e9747d 100644 --- a/template/en/default/global/messages.html.tmpl +++ b/template/en/default/global/messages.html.tmpl @@ -28,21 +28,15 @@ [% message_tag = message %] [% message = BLOCK %] - [% IF message_tag == "aaa_example_message_tag" %] - [% title = "Example Message" %] - This is an example message. The title is set above. This text is the body - of the message. It can contain arbitrary <b>HTML</b>, and also references - to any [% parameters %] which you may have set. - - [% ELSIF message_tag == "buglist_adding_field" %] + [% IF message_tag == "buglist_adding_field" %] [% title = "Adding field to query page..." %] [% link = "Click here if the page does not redisplay automatically." %] - [% # --- %] [% ELSIF message_tag == "buglist_load_named_query" %] - [% title = BLOCK %]Loading your query named [% namedcmd %][% END %] + [% title = BLOCK %] + Loading your query named [% namedcmd FILTER html %] + [% END %] [% link = "Click here if the page does not redisplay automatically." %] - [% # --- %] [% ELSIF message_tag == "buglist_updated_named_query" %] OK, your query named <code>[% queryname FILTER html %]</code> is updated. @@ -81,8 +75,9 @@ [% ELSIF message_tag == "email_change_cancelled_reinstated" %] [% title = "Cancel Request to Change Email Address" %] The request to change the email address for the - [% old_email %] account to [% new_email %] has been cancelled. - Your old account settings have been reinstated. + [% old_email FILTER html %] account to + [% new_email FILTER html %] has been cancelled. + Your old account settings have been reinstated. [% ELSIF message_tag == "logged_out" %] [% title = "Logged Out" %] diff --git a/template/en/default/global/select-menu.html.tmpl b/template/en/default/global/select-menu.html.tmpl index 7b7fddb29..f1768d0d5 100644 --- a/template/en/default/global/select-menu.html.tmpl +++ b/template/en/default/global/select-menu.html.tmpl @@ -44,7 +44,7 @@ [% options_type = BLOCK %][% options %][% END %] <select name="[% name FILTER html %]" - [% IF onchange %]onchange="[% onchange %]"[% END %] + [% IF onchange %]onchange="[% onchange FILTER html %]"[% END %] [% IF multiple %] multiple [% IF size %] size="[% size %]" [% END %] [% END %]> [% IF options_type.search("ARRAY") %] [% FOREACH value = options %] diff --git a/template/en/default/global/useful-links.html.tmpl b/template/en/default/global/useful-links.html.tmpl index 889a5091a..135dad987 100644 --- a/template/en/default/global/useful-links.html.tmpl +++ b/template/en/default/global/useful-links.html.tmpl @@ -73,7 +73,8 @@ [% ' | <a href="sanitycheck.cgi">Sanity check</a>' IF user.groups.tweakparams %] - | <a href="relogin.cgi">Log out</a> [% user.login %] + | <a href="relogin.cgi">Log out</a> + [% user.login FILTER html %] </td> </tr> diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index de5d60c6c..b1cf46ecb 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -27,6 +27,9 @@ [%# This is a list of all the possible user errors. Please keep them in # alphabetical order by error tag, and leave a blank line between errors. + # + # Note that you must explicitly filter every single template variable + # in this file; if you do not wish to change it, use the "none" filter. #%] [% PROCESS global/variables.none.tmpl %] @@ -44,7 +47,7 @@ [% ELSIF error == "account_disabled" %] [% title = "Account Disabled" %] - [% disabled_reason %] + [% disabled_reason FILTER none %] <hr> If you believe your account should be restored, please send email to [% Param("maintainer") %] explaining why. @@ -72,7 +75,7 @@ [% ELSIF error == "alias_in_use" %] [% title = "Alias In Use" %] - [% bug_link %] has already taken the alias + [% bug_link FILTER none %] has already taken the alias <em>[% alias FILTER html %]</em>. Please choose another one. [% ELSIF error == "alias_is_numeric" %] @@ -95,7 +98,7 @@ [% ELSIF error == "authorization_failure" %] [% title = "Authorization Failed" %] - You are not allowed to [% action %]. + You are not allowed to [% action FILTER html %]. [% ELSIF error == "attachment_access_denied" %] [% title = "Access Denied" %] @@ -103,13 +106,14 @@ [% ELSIF error == "bug_access_denied" %] [% title = "Access Denied" %] - You are not authorized to access [% terms.bug %] #[% bug_id %]. + You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %]. [% ELSIF error == "bug_access_query" %] [% title = "Access Denied" %] - You are not authorized to access [% terms.bug %] #[% bug_id %]. To see - this [% terms.bug %], you must - first <a href="show_bug.cgi?id=[% bug_id %]&GoAheadAndLogIn=1">log + You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %]. + To see this [% terms.bug %], you must + first <a href="show_bug.cgi?id= + [% bug_id FILTER url_quote %]&GoAheadAndLogIn=1">log in to an account</a> with the appropriate permissions. [% ELSIF error == "buglist_parameters_required" %] @@ -139,7 +143,7 @@ [% title = "Dependency Loop Detected" %] The following [% terms.bug %](s) would appear on both the "depends on" and "blocks" parts of the dependency tree if these changes - are committed: [% both %]. This would create a circular + are committed: [% both FILTER none %]. This would create a circular dependency, which is not allowed. [% ELSIF error == "dependency_loop_single" %] @@ -176,7 +180,8 @@ [% ELSIF error == "file_too_large" %] [% title = "File Too Large" %] - The file you are trying to attach is [% filesize %] kilobytes (KB) in size. + The file you are trying to attach is [% filesize FILTER html %] + kilobytes (KB) in size. Non-patch attachments cannot be more than [% Param('maxattachmentsize') %] KB. If your attachment is an image, try converting it to a compressable @@ -187,8 +192,10 @@ [% title = "Flag Requestee Not Authorized" %] You asked [% requestee.identity FILTER html %] - for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id -%] - [% IF attach_id %], attachment [% attach_id %][% END %], but that [% terms.bug %]&bnsp; + for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] + [% bug_id FILTER html -%] + [% IF attach_id %], attachment [% attach_id FILTER html %][% END %], + but that [% terms.bug %]&bnsp; has been restricted to users in certain groups, and the user you asked isn't in all the groups to which the [% terms.bug %] has been restricted. Please choose someone else to ask, or make the [% terms.bug %] accessible to users @@ -198,8 +205,10 @@ [% title = "Flag Requestee Not Authorized" %] You asked [% requestee.identity FILTER html %] - for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id %], - attachment [% attach_id %], but that attachment is restricted to users + for <code>[% flag_type.name FILTER html %]</code> on + [% terms.bug %] [% bug_id FILTER html %], + attachment [% attach_id FILTER html %], but that attachment is restricted + to users in the [% Param("insidergroup") FILTER html %] group, and the user you asked isn't in that group. Please choose someone else to ask, or ask an administrator to add the user to the group. @@ -233,11 +242,12 @@ [% ELSIF error == "illegal_attachment_edit" %] [% title = "Unauthorised Action" %] - You are not authorised to edit attachment [% attach_id %]. + You are not authorised to edit attachment [% attach_id FILTER html %]. [% ELSIF error == "illegal_attachment_edit_bug" %] [% title = "Unauthorised Action" %] - You are not authorised to edit attachments on [% terms.bug %] [%+ bug_id %]. + You are not authorised to edit attachments on [% terms.bug %] + [%+ bug_id FILTER html %]. [% ELSIF error == "illegal_attachment_is_patch" %] [% title = "Your Query Makes No Sense" %] @@ -246,7 +256,8 @@ [% ELSIF error == "illegal_change" %] [% title = "Not allowed" %] - You tried to change the <strong>[% field %]</strong> field + You tried to change the + <strong>[% field_descs.$field FILTER html %]</strong> field from <em>[% oldvalue FILTER html %]</em> to <em>[% newvalue FILTER html %]</em>, but only the owner or submitter of the [% terms.bug %], or a @@ -320,7 +331,7 @@ [% ELSIF error == "invalid_bug_id_non_existent" %] [% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %] - [% terms.Bug %] #[% bug_id %] does not exist. + [% terms.Bug %] #[% bug_id FILTER html %] does not exist. [% ELSIF error == "invalid_bug_id_or_alias" %] [% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %] @@ -383,7 +394,8 @@ [% ELSIF error == "milestone_required" %] [% title = "Milestone Required" %] - You must determine a target milestone for [% terms.bug %] [%+ bug_id %] + You must determine a target milestone for [% terms.bug %] + [%+ bug_id FILTER html %] if you are going to accept it. Part of accepting [% terms.abug %] is giving an estimate of when it will be fixed. @@ -459,7 +471,8 @@ [% ELSIF error == "need_positive_number" %] [% title = "Positive Number Required" %] - The <em>[% field_descs.$field %]</em> field requires a positive number. + The <em>[% field_descs.$field FILTER html %]</em> field requires a positive + number. [% ELSIF error == "need_product" %] [% title = "Product Required" %] @@ -499,7 +512,8 @@ [% ELSIF error == "no_dupe_stats" %] [% title = "Cannot Find Duplicate Statistics" %] - There are no duplicate statistics for today ([% today %]) or yesterday. + There are no duplicate statistics for today ([% today FILTER html %]) + or yesterday. [% ELSIF error == "no_dupe_stats_error_today" %] [% title = "Error Reading Today's Dupes File" %] @@ -513,7 +527,8 @@ [% ELSIF error == "no_dupe_stats_error_yesterday" %] [% title = "Error Reading Yesterday's Dupes File" %] - There are no duplicate statistics for today ([% today %]), and an error + There are no duplicate statistics for today ([% today FILTER html %]), + and an error occurred opening yesterday's dupes file: [% error_msg FILTER html %]. [% ELSIF error == "no_html_in_quips" %] @@ -558,7 +573,8 @@ [% ELSIF error == "patch_too_large" %] [% title = "File Too Large" %] - The file you are trying to attach is [% filesize %] kilobytes (KB) in size. + The file you are trying to attach is [% filesize FILTER html %] + kilobytes (KB) in size. Patches cannot be more than [% Param('maxpatchsize') %] KB in size. Try breaking your patch into several pieces. @@ -568,7 +584,8 @@ [% ELSIF error == "product_edit_denied" %] [% title = "Product Edit Access Denied" %] - You are not permitted to edit [% terms.bugs %] in product [% product %]. + You are not permitted to edit [% terms.bugs %] in product + [% product FILTER html %]. [% ELSIF error == "query_name_missing" %] [% title = "No Query Name Specified" %] @@ -620,15 +637,17 @@ [% ELSIF error == "too_many_votes_for_bug" %] [% title = "Illegal Vote" %] - You may only use at most [% max %] votes for a single [% terms.bug %] in the + You may only use at most [% max FILTER html %] votes for a single + [%+ terms.bug %] in the <tt>[% prod FILTER html %]</tt> product, but you are trying to use - [% votes %]. + [% votes FILTER html %]. [% ELSIF error == "too_many_votes_for_product" %] [% title = "Illegal Vote" %] - You may only use at most [% max %] votes for [% terms.bugs %] in the + You may only use at most [% max FILTER html %] votes for [% terms.bugs %] + in the <tt>[% prod FILTER html %]</tt> product, but you are trying to use - [% votes %]. + [% votes FILTER html %]. [% ELSIF error == "token_inexistent" %] [% title = "Token Does Not Exist" %] @@ -662,7 +681,8 @@ [% ELSIF error == "value_out_of_range" %] [% title = "Value Out Of Range" %] - Value is out of range for field <em>[% field_descs.$field %]</em>. + Value is out of range for field + <em>[% field_descs.$field FILTER html %]</em>. [% ELSIF error == "zero_length_file" %] [% title = "File Is Empty" %] @@ -684,7 +704,7 @@ <tr> <td bgcolor="#ff0000"> <font size="+2"> - [% error_message %] + [% error_message FILTER none %] </font> </td> </tr> diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl index 61ff34dd7..d49a152c8 100644 --- a/template/en/default/list/change-columns.html.tmpl +++ b/template/en/default/list/change-columns.html.tmpl @@ -42,7 +42,9 @@ [% FOREACH column = masterlist %] <input type="checkbox" id="[% column %]" name="column_[% column %]" [% "checked='checked'" IF lsearch(collist, column) != -1 %]> - <label for="[% column %]">[% field_descs.${column} || column %]</label> + <label for="[% column %]"> + [% (field_descs.${column} || column) FILTER html %] + </label> <br> [% END %] diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl index f02d92904..a61bdef98 100644 --- a/template/en/default/list/list.html.tmpl +++ b/template/en/default/list/list.html.tmpl @@ -149,7 +149,9 @@ [% END %] [% IF bugowners %] - <a href="mailto:[% bugowners %]">Send Mail to [% terms.Bug %] Owners</a> + <a href="mailto:[% bugowners FILTER html %]">Send + Mail to [% terms.Bug %] Owners</a> + [% END %] <a href="query.cgi? diff --git a/template/en/default/reports/components.html.tmpl b/template/en/default/reports/components.html.tmpl index b6d5010d0..d1af07392 100644 --- a/template/en/default/reports/components.html.tmpl +++ b/template/en/default/reports/components.html.tmpl @@ -79,13 +79,15 @@ <a name="[% comp.name FILTER html %]">[% comp.name FILTER html %]</a> </td> <td> - <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]"> + <a href="mailto:[% comp.initialowner FILTER html %] + [% Param('emailsuffix') %]"> [% comp.initialowner FILTER html %]</a> </td> [% IF Param("useqacontact") %] <td> - <a href="mailto:[% comp.initialqacontact %][% Param('emailsuffix') %]"> - [% comp.initialqacontact %]</a> + <a href="mailto:[% comp.initialqacontact FILTER html %] + [% Param('emailsuffix') %]"> + [% comp.initialqacontact FILTER html %]</a> </td> [% END %] </tr> diff --git a/template/en/default/reports/duplicates-simple.html.tmpl b/template/en/default/reports/duplicates-simple.html.tmpl index a74926f8e..22055779a 100644 --- a/template/en/default/reports/duplicates-simple.html.tmpl +++ b/template/en/default/reports/duplicates-simple.html.tmpl @@ -34,7 +34,7 @@ [% END%] <head> - <title>[% title %]</title> + <title>[% title FILTER html %]</title> </head> <body> diff --git a/template/en/default/reports/duplicates-table.html.tmpl b/template/en/default/reports/duplicates-table.html.tmpl index 0ebd2b4de..34e070f10 100644 --- a/template/en/default/reports/duplicates-table.html.tmpl +++ b/template/en/default/reports/duplicates-table.html.tmpl @@ -70,17 +70,18 @@ [% bug_ids_string = bug_ids.join(',') %] <a href="duplicates.cgi?sortby=[% column.name %] [% IF sortby == column.name %] - [% "&reverse=1" IF NOT reverse %] + [% "&reverse=1" IF NOT reverse %] [% ELSE %] [%-# Some columns start off reversed %] - [% "&reverse=1" IF column.name.match('delta|count') %] + [% "&reverse=1" IF column.name.match('delta|count') %] [% END %] - [% "&maxrows=$maxrows" IF maxrows %] - [% "&changedsince=$changedsince" IF changedsince %] - [% "&openonly=1" IF openonly %] - [% "&product=$product" IF product %] - [% "&format=$format" IF format %] - [% "&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible %]"> + [% "&maxrows=$maxrows" IF maxrows %] + [% "&changedsince=$changedsince" IF changedsince %] + [% "&openonly=1" IF openonly %] + [% IF product %]&product=[% product FILTER html %][% END %] + [% IF format %]&format=[% format FILTER html %][% END %] + [% "&bug_id=$bug_ids_string&sortvisible=1" + IF sortvisible %]"> [% column.description %]</a> </b> </center> @@ -135,10 +136,10 @@ <td><center>[% bug.delta %]</center></td> [% END %] - <td>[% bug.component %]</td> - <td><center>[% bug.bug_severity %]</center></td> - <td><center>[% bug.op_sys %]</center></td> - <td><center>[% bug.target_milestone %]</center></td> + <td>[% bug.component FILTER html %]</td> + <td><center>[% bug.bug_severity FILTER html %]</center></td> + <td><center>[% bug.op_sys FILTER html %]</center></td> + <td><center>[% bug.target_milestone FILTER html %]</center></td> <td>[% bug.short_desc FILTER html %]</td> </tr> [% END %] diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl index 989790e47..216419fea 100644 --- a/template/en/default/reports/report-table.csv.tmpl +++ b/template/en/default/reports/report-table.csv.tmpl @@ -29,13 +29,18 @@ [% row_field_disp = field_descs.$row_field || row_field %] [% title = BLOCK %] - [% "$tbl_field_disp: $tbl\n" IF tbl_field %] - [% row_field_disp IF row_field %] + [% IF tbl_field %] + [% tbl_field_disp FILTER csv %]: [% tbl FILTER csv %] + + [% END %] + [% IF row_field %] + [% row_field_disp FILTER csv %] + [% END %] [% " / " IF col_field AND row_field %] - [% col_field_disp %] + [% col_field_disp FILTER csv %] [% END %] -[% title FILTER csv %], +[% title %], [% IF col_field -%] [% FOREACH col = col_names -%] [% col FILTER csv -%], diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index f28c39590..e4b52b488 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -50,7 +50,7 @@ <td> </td> <td align="center"> - <h2>[% tbl_disp %]</h2> + <h2>[% tbl_disp FILTER html %]</h2> </td> </tr> [% END %] diff --git a/template/en/default/reports/report.html.tmpl b/template/en/default/reports/report.html.tmpl index 31308c10c..19d8c722f 100644 --- a/template/en/default/reports/report.html.tmpl +++ b/template/en/default/reports/report.html.tmpl @@ -54,11 +54,15 @@ [% title = BLOCK %] Report: - [% tbl_field_disp IF tbl_field %] + [% IF tbl_field %] + [% tbl_field_disp FILTER html %] + [% END %] [% " / " IF tbl_field AND (col_field OR row_field) %] - [% row_field_disp IF row_field %] + [% IF row_field %] + [% row_field_disp FILTER html %] + [% END %] [% " / " IF col_field AND row_field %] - [% col_field_disp %] + [% col_field_disp FILTER html %] [% END %] [% PROCESS global/header.html.tmpl @@ -128,7 +132,7 @@ [% UNLESS other_format.name == format %] <a href="[% formaturl %]&format=[% other_format.name %]"> [% END %] - [% other_format.description %] + [% other_format.description FILTER html %] [% "</a>" UNLESS other_format.name == format %] | [% END %] <a href="[% formaturl %]&ctype=csv&format=table">CSV</a> @@ -139,7 +143,9 @@ </td> - [% sizeurl = "report.cgi?$switchbase&action=wrap&format=$format" %] + [% sizeurl = BLOCK %]report.cgi? + [% switchbase %]&action=wrap&format= + [% format FILTER html %][% END %] <td align="center"> <a href="[% sizeurl %]&width=[% width %]&height= [% height + 100 %]">Taller</a><br> diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl index 6862ac6f6..db20c6aa5 100644 --- a/template/en/default/search/form.html.tmpl +++ b/template/en/default/search/form.html.tmpl @@ -352,7 +352,7 @@ function selectProduct(f) { value="[% default.short_desc.0 FILTER html %]"> </td> <td> - <input type="submit" value="[% button_name %]"> + <input type="submit" value="[% button_name FILTER html %]"> </td> </tr> diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl index 27f37fbd7..8386eff04 100644 --- a/template/en/default/search/knob.html.tmpl +++ b/template/en/default/search/knob.html.tmpl @@ -148,7 +148,7 @@ [% END %] </select> - <input type="submit" value="[% button_name %]"> + <input type="submit" value="[% button_name FILTER html %]"> [% IF userdefaultquery %] <p> diff --git a/template/en/default/search/search-report-graph.html.tmpl b/template/en/default/search/search-report-graph.html.tmpl index 51911fb29..7793f3012 100644 --- a/template/en/default/search/search-report-graph.html.tmpl +++ b/template/en/default/search/search-report-graph.html.tmpl @@ -107,7 +107,7 @@ [% PROCESS search/form.html.tmpl %] <br> -<input type="submit" value="[% button_name %]"> +<input type="submit" value="[% button_name FILTER html %]"> <input type="hidden" name="action" value="wrap"> <hr> diff --git a/template/en/default/search/search-report-table.html.tmpl b/template/en/default/search/search-report-table.html.tmpl index 43010f16c..b850f93c8 100644 --- a/template/en/default/search/search-report-table.html.tmpl +++ b/template/en/default/search/search-report-table.html.tmpl @@ -82,7 +82,7 @@ [% PROCESS search/form.html.tmpl %] <br> -<input type="submit" value="[% button_name %]"> +<input type="submit" value="[% button_name FILTER html %]"> <input type="hidden" name="format" value="table"> <input type="hidden" name="action" value="wrap"> <hr> |