From 91341bcfc6d9e2f06b3abf3f73e05c2c60fbd30e Mon Sep 17 00:00:00 2001
From: "bbaetz%student.usyd.edu.au" <>
Date: Sun, 7 Apr 2002 11:13:31 +0000
Subject: Bug 133423 - Audit templates for FILTER usage r=gerv, justdave

---
 template/default/admin/account_created.tmpl      | 2 +-
 template/default/admin/account_exists.tmpl       | 4 ++--
 template/default/admin/change-password.html.tmpl | 2 +-
 template/default/admin/create_account.tmpl       | 2 +-
 template/default/attachment/created.atml         | 2 +-
 template/default/attachment/edit.atml            | 6 +++---
 template/default/attachment/list.atml            | 4 ++--
 template/default/attachment/viewall.atml         | 5 +++--
 template/default/attachstatus/create.atml        | 2 +-
 template/default/attachstatus/delete.atml        | 3 +++
 template/default/attachstatus/edit.atml          | 6 +++---
 template/default/attachstatus/list.atml          | 2 +-
 template/default/buglist/buglist.html.tmpl       | 2 +-
 template/default/buglist/change-form.tmpl        | 6 +++---
 template/default/global/header                   | 2 +-
 template/default/index.tmpl                      | 2 +-
 template/default/info/describe-components.tmpl   | 7 ++++---
 template/default/info/quips.tmpl                 | 2 +-
 template/default/prefs/account.tmpl              | 2 +-
 template/default/prefs/userprefs.tmpl            | 5 +++--
 template/default/show/comments.tmpl              | 2 +-
 template/default/show/multiple.tmpl              | 8 ++++----
 template/default/show/show_bug.html.tmpl         | 3 ++-
 template/default/token/confirmemail.html.tmpl    | 2 +-
 template/default/token/emailchangenew.txt.tmpl   | 4 ++--
 template/default/token/emailchangeold.txt.tmpl   | 2 +-
 26 files changed, 48 insertions(+), 41 deletions(-)

diff --git a/template/default/admin/account_created.tmpl b/template/default/admin/account_created.tmpl
index ad4310ec4..46bc82ad2 100644
--- a/template/default/admin/account_created.tmpl
+++ b/template/default/admin/account_created.tmpl
@@ -25,7 +25,7 @@
 
 <p>
   A new account,  
-  <tt>[% login %]</tt>,
+  <tt>[% login FILTER html %]</tt>,
   has been created and a randomly-generated password has been e-mailed 
   to that address.
 </p>
diff --git a/template/default/admin/account_exists.tmpl b/template/default/admin/account_exists.tmpl
index 23b9e0338..a4357a5a0 100644
--- a/template/default/admin/account_exists.tmpl
+++ b/template/default/admin/account_exists.tmpl
@@ -25,8 +25,8 @@
 
 <form method="get" action="token.cgi">
   <input type="hidden" name="a" value="reqpw" />
-  <input type="hidden" name="loginname" value="[% login %]" />
-  A Bugzilla account for <tt>[% login %]</tt> already exists. If you
+  <input type="hidden" name="loginname" value="[% login FILTER html %]" />
+  A Bugzilla account for <tt>[% login FILTER html %]</tt> already exists. If you
   are the account holder and have forgotten your password, 
   <input type="submit" value="submit a request to change it" />.
 </form>
diff --git a/template/default/admin/change-password.html.tmpl b/template/default/admin/change-password.html.tmpl
index 29d03c030..a8ad930ee 100644
--- a/template/default/admin/change-password.html.tmpl
+++ b/template/default/admin/change-password.html.tmpl
@@ -26,7 +26,7 @@
 </p>
 
 <form method="post" action="token.cgi">
-  <input type="hidden" name="t" value="[% token %]" />
+  <input type="hidden" name="t" value="[% token FILTER html %]" />
   <input type="hidden" name="a" value="chgpw" />
   <table>
     <tr>
diff --git a/template/default/admin/create_account.tmpl b/template/default/admin/create_account.tmpl
index 61ad95b8a..ab35ce53d 100644
--- a/template/default/admin/create_account.tmpl
+++ b/template/default/admin/create_account.tmpl
@@ -38,7 +38,7 @@
       </td>
       <td>
         <input size="35" name="login" />
-        [% Param('emailsuffix') %]
+        [% Param('emailsuffix') FILTER html %]
       </td>
     </tr>
     
diff --git a/template/default/attachment/created.atml b/template/default/attachment/created.atml
index ab5e5ef9c..c46afe06b 100644
--- a/template/default/attachment/created.atml
+++ b/template/default/attachment/created.atml
@@ -28,7 +28,7 @@
   <tr>
     <td>
       <h2>
-        <a title="[% description %]" href="attachment.cgi?id=[% attachid %]&action=edit">Attachment #[% attachid %]</a> 
+        <a title="[% description FILTER html %]" href="attachment.cgi?id=[% attachid %]&action=edit">Attachment #[% attachid %]</a> 
         to <a href="show_bug.cgi?id=[% bugid %]">Bug #[% bugid %]</a> Created
       </h2>
 
diff --git a/template/default/attachment/edit.atml b/template/default/attachment/edit.atml
index 599aff00a..1d06bfb6f 100755
--- a/template/default/attachment/edit.atml
+++ b/template/default/attachment/edit.atml
@@ -153,10 +153,10 @@
       <td width="25%">
         <small>
         <b>Description:</b><br>
-          <textarea rows="3" cols="25" name="description" wrap="soft">[% description %]</textarea><br>
+          <textarea rows="3" cols="25" name="description" wrap="soft">[% description FILTER html %]</textarea><br>
 
         <b>MIME Type:</b><br>
-          <input type="text" size="20" name="contenttypeentry" value="[% contenttype %]"><br>
+          <input type="text" size="20" name="contenttypeentry" value="[% contenttype FILTER html %]"><br>
 
         <b>Flags:</b><br>
           <input type="checkbox" name="ispatch" value="1"[% " checked" IF ispatch %]>patch
@@ -165,7 +165,7 @@
         [% IF statusdefs.size %]
           <b>Status:</b><br>
             [% FOREACH def = statusdefs %]
-                <input type="checkbox" name="status" value="[% def.id %]"[% " checked" IF statuses.${def.id} %]>[% def.name %]<br>
+                <input type="checkbox" name="status" value="[% def.id %]"[% " checked" IF statuses.${def.id} %]>[% def.name FILTER html %]<br>
             [% END %]
         [% END %]
 
diff --git a/template/default/attachment/list.atml b/template/default/attachment/list.atml
index 72006cf29..12eeb03e7 100755
--- a/template/default/attachment/list.atml
+++ b/template/default/attachment/list.atml
@@ -43,7 +43,7 @@
         [% IF attachment.ispatch %]
           <i>patch</i>
         [% ELSE %]
-          [% attachment.contenttype %]
+          [% attachment.contenttype FILTER html %]
         [% END %]
       </td>
 
@@ -55,7 +55,7 @@
           <i>none</i>
         [% ELSE %]
           [% FOREACH s = attachment.statuses %]
-            [% s %]<br>
+            [% s FILTER html %]<br>
           [% END %]
         [% END %]
         </nobr>
diff --git a/template/default/attachment/viewall.atml b/template/default/attachment/viewall.atml
index 0500a09d4..c3cca2ff3 100755
--- a/template/default/attachment/viewall.atml
+++ b/template/default/attachment/viewall.atml
@@ -19,10 +19,11 @@
   # Contributor(s): Myk Melez <myk@mozilla.org>
   #%]
 
+[% filtered_summary = bugsummary FILTER html %]
 [% INCLUDE global/header 
   title = "View All Attachments for Bug #$bugid"
   h1 = "View All Attachments for <a href=\"show_bug.cgi?id=$bugid\">Bug #$bugid</a>"
-  h2 = bugsummary
+  h2 = filtered_summary
   style = "
     th { text-align: right; vertical-align: top; }
     td { text-align: left; vertical-align: top; }
@@ -67,7 +68,7 @@
           <i>none</i>
         [% ELSE %]
           [% FOREACH s = a.statuses %]
-            [% s %]<br>
+            [% s FILTER html %]<br>
           [% END %]
         [% END %]
         </nobr>
diff --git a/template/default/attachstatus/create.atml b/template/default/attachstatus/create.atml
index 128d811dc..7354b3852 100755
--- a/template/default/attachstatus/create.atml
+++ b/template/default/attachstatus/create.atml
@@ -58,7 +58,7 @@
       <td>
         <select name="product">
           [% FOREACH item = products %]
-            <option value="[% item %]">[% item %]</option>
+            <option value="[% item FILTER html %]">[% item FILTER html %]</option>
           [% END %]
         </select>
       </td>
diff --git a/template/default/attachstatus/delete.atml b/template/default/attachstatus/delete.atml
index 19648c6d0..dc50052b9 100644
--- a/template/default/attachstatus/delete.atml
+++ b/template/default/attachstatus/delete.atml
@@ -20,6 +20,9 @@
   #                 Jeff Hedlund <jeff.hedlund@matrixsi.com>
   #%]
 
+[%# Filter off the name here to be used multiple times below %]
+[% name = name FILTER html %]
+
 [% INCLUDE global/header 
   title = "Confirm Delete of Attachment Status '$name'" 
 %]
diff --git a/template/default/attachstatus/edit.atml b/template/default/attachstatus/edit.atml
index 366f8eb70..1186d7637 100755
--- a/template/default/attachstatus/edit.atml
+++ b/template/default/attachstatus/edit.atml
@@ -35,14 +35,14 @@
     <tr>
       <th>Name:</th>
       <td>
-        <input type="text" name="name" value="[% name %]" size="50" maxlength="50">
+        <input type="text" name="name" value="[% name FILTER html %]" size="50" maxlength="50">
       </td>
     </tr>
 
     <tr>
       <th>Description:</th>
       <td>
-        <textarea name="desc" rows="4" cols="50">[% desc %]</textarea>
+        <textarea name="desc" rows="4" cols="50">[% desc FILTER html %]</textarea>
       </td>
     </tr>
 
@@ -56,7 +56,7 @@
     <tr>
       <th>Product:</th>
       <td>
-        [% product %]
+        [% product FILTER html %]
       </td>
     </tr>
 
diff --git a/template/default/attachstatus/list.atml b/template/default/attachstatus/list.atml
index f2d0a4f51..551ab182a 100755
--- a/template/default/attachstatus/list.atml
+++ b/template/default/attachstatus/list.atml
@@ -43,7 +43,7 @@
       <td>[% statusdef.name FILTER html %]</td>
       <td>[% statusdef.description FILTER html %]</td>
       <td>[% statusdef.sortkey %]</td>
-      <td>[% statusdef.product %]</td>
+      <td>[% statusdef.product FILTER html %]</td>
       <td>
         <a href="editattachstatuses.cgi?action=edit&id=[% statusdef.id %]">
             Edit</a>
diff --git a/template/default/buglist/buglist.html.tmpl b/template/default/buglist/buglist.html.tmpl
index e4afa8e4d..37a202fe5 100644
--- a/template/default/buglist/buglist.html.tmpl
+++ b/template/default/buglist/buglist.html.tmpl
@@ -43,7 +43,7 @@
   [% END %]
 
   [% IF quip %]
-    <a href="quips.cgi"><i>[% quip %]</i></a>
+    <a href="quips.cgi"><i>[% quip FILTER html %]</i></a>
   [% END %]
 
 </div>
diff --git a/template/default/buglist/change-form.tmpl b/template/default/buglist/change-form.tmpl
index 8bec88c3e..60c1a2de7 100644
--- a/template/default/buglist/change-form.tmpl
+++ b/template/default/buglist/change-form.tmpl
@@ -246,8 +246,8 @@
   <select name="resolution" onchange="document.forms.changeform.knob[[% knum %]].checked=true">
     [% FOREACH resolution = resolutions %]
       [% NEXT IF !resolution %]
-      <option value="[% resolution %]" [% selected IF resolution == "FIXED" %]>
-        [% resolution %]
+      <option value="[% resolution FILTER html %]" [% selected IF resolution == "FIXED" %]>
+        [% resolution FILTER html %]
       </option>
     [% END %]
   </select><br />
@@ -279,7 +279,7 @@
   Reassign</A> bugs to
 </label>
 <input name="assigned_to" 
-       value="[% user %]"
+       value="[% user FILTER html %]"
        onchange="document.forms.changeform.knob[[% knum %]].checked = true;"
        size="32"><br />
 
diff --git a/template/default/global/header b/template/default/global/header
index 5e6a183dd..dfb3cc080 100755
--- a/template/default/global/header
+++ b/template/default/global/header
@@ -11,7 +11,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
   <head>
-    <title>[% title %]</title>
+    <title>[% title FILTER html %]</title>
     
     [% Param('headerhtml') %]
     
diff --git a/template/default/index.tmpl b/template/default/index.tmpl
index 2f3603c68..7b00539e8 100644
--- a/template/default/index.tmpl
+++ b/template/default/index.tmpl
@@ -56,7 +56,7 @@ function addSidebar() {
 [% IF username %]
   <a href="[% PerformSubsts(Param('mybugstemplate'), subst) %]">My Bugs</a><br>
   <a href="userprefs.cgi">Change password or user preferences</a><br>
-  <a href="relogin.cgi">Logout [% username %]</a><br>
+  <a href="relogin.cgi">Logout [% username FILTER html %]</a><br>
 [% ELSE %]
   <a href="query.cgi?GoAheadAndLogIn=1">Log in to an existing account</a><br>
   <a href="createaccount.cgi">Open a new Bugzilla account</a><br>
diff --git a/template/default/info/describe-components.tmpl b/template/default/info/describe-components.tmpl
index 5ee8bf4a0..c9dacca10 100644
--- a/template/default/info/describe-components.tmpl
+++ b/template/default/info/describe-components.tmpl
@@ -19,9 +19,10 @@
   # Contributor(s): Bradley Baetz <bbaetz@student.usyd.edu.au>
   #%]
 
+[% filtered_product = product FILTER html %]
 [% INCLUDE global/header 
-  title = "Components for $product" 
-  h2 = product %]
+  title = "Components for $product"
+  h2 = filtered_product %]
 
 [% IF Param("useqacontact") %]
   [% numcols = 3 %]
@@ -70,7 +71,7 @@
     </td>
     <td>
       <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
-      [% comp.initialowner %]</a>
+      [% comp.initialowner FILTER html %]</a>
     </td>
     [% IF Param("useqacontact") %]
       <td>
diff --git a/template/default/info/quips.tmpl b/template/default/info/quips.tmpl
index 37e9d863f..d05557650 100644
--- a/template/default/info/quips.tmpl
+++ b/template/default/info/quips.tmpl
@@ -27,7 +27,7 @@
 [% IF added_quip %]
   <p>
     <font color="red">
-      Your quip '<tt>[% added_quip %]</tt>' has been added.
+      Your quip '<tt>[% added_quip FILTER html %]</tt>' has been added.
     </font>
   </p>
 [% END %]
diff --git a/template/default/prefs/account.tmpl b/template/default/prefs/account.tmpl
index e436d07a5..2033e86fc 100644
--- a/template/default/prefs/account.tmpl
+++ b/template/default/prefs/account.tmpl
@@ -69,7 +69,7 @@
       [% IF new_login_name %]
         <tr>
           <th align="right">Pending email address:</th>
-          <td>[% new_login_name %]</td>
+          <td>[% new_login_name FILTER html %]</td>
         </tr>
         <tr>
           <th align="right">Change request expires:</th>
diff --git a/template/default/prefs/userprefs.tmpl b/template/default/prefs/userprefs.tmpl
index 8992794b1..5d9fc6eb3 100644
--- a/template/default/prefs/userprefs.tmpl
+++ b/template/default/prefs/userprefs.tmpl
@@ -34,10 +34,11 @@
   #                displaying anything, and can contain an optional custom
   #                message if required (which Perl still evaluates as True).
   #%]
- 
+
+[% filtered_login = login FILTER html %]
 [% INCLUDE global/header
    title = "User Preferences"
-   h2 = login
+   h2 = filtered_login
    style = "td.selected_tab {
               border-width: 2px 2px 0px;
               border-style: solid; 
diff --git a/template/default/show/comments.tmpl b/template/default/show/comments.tmpl
index 14828175d..b020caa0f 100644
--- a/template/default/show/comments.tmpl
+++ b/template/default/show/comments.tmpl
@@ -39,7 +39,7 @@
     <br>
     <i>------- Additional Comment
       <a name="c[% count %]" href="#c[% count %]">#[% count %]</a> From 
-      <a href="mailto:[% comment.email %]">[% comment.name %]</a>
+      <a href="mailto:[% comment.email FILTER html %]">[% comment.name FILTER html %]</a>
       [%+ comment.time %] -------
     </i>
   [% END %]
diff --git a/template/default/show/multiple.tmpl b/template/default/show/multiple.tmpl
index 2673c5457..8313323aa 100644
--- a/template/default/show/multiple.tmpl
+++ b/template/default/show/multiple.tmpl
@@ -96,7 +96,7 @@
       <td colspan="2">
       [% IF Param('usetargetmilestone') %]
           <b>Target Milestone:</b>&nbsp;
-          [% bug.target_milestone %]
+          [% bug.target_milestone FILTER html %]
       [% END %]
       </td>
     </tr>
@@ -109,14 +109,14 @@
     
     <tr>
       <td colspan="4">
-        <b>Summary:</b>&nbsp;[% bug.short_desc %]
+        <b>Summary:</b>&nbsp;[% bug.short_desc FILTER html %]
       </td>
     </tr>
      
     [% IF use_keywords %]
       <tr>
         <td colspan="4">
-          <b>Keywords: </b>&nbsp;[% bug.keywords %]
+          <b>Keywords: </b>&nbsp;[% bug.keywords FILTER html %]
         </td>
       </tr>
     [% END %]
@@ -151,6 +151,6 @@
 [% BLOCK cell %]
   <td>
     <b>[% attr.description%]:</b>&nbsp;
-    [% bug.${attr.name} %]
+    [% bug.${attr.name} FILTER html %]
   </td>
 [% END %]
diff --git a/template/default/show/show_bug.html.tmpl b/template/default/show/show_bug.html.tmpl
index c6f7deb2b..9b77c23a2 100644
--- a/template/default/show/show_bug.html.tmpl
+++ b/template/default/show/show_bug.html.tmpl
@@ -19,11 +19,12 @@
   # Contributor(s): Gervase Markham <gerv@gerv.net>
   #%]
 
+[% filtered_desc = bug.short_desc FILTER html %]
 [% UNLESS header_done %]
   [% INCLUDE global/header 
     title = "Bug $bug.bug_id - $bug.short_desc"
     h1 = "Bugzilla Bug $bug.bug_id"
-    h2 = bug.short_desc
+    h2 = filtered_desc
     extra = navigation_links()
    %]
 [% END %]
diff --git a/template/default/token/confirmemail.html.tmpl b/template/default/token/confirmemail.html.tmpl
index e34a93e63..4d4102968 100644
--- a/template/default/token/confirmemail.html.tmpl
+++ b/template/default/token/confirmemail.html.tmpl
@@ -27,7 +27,7 @@
 </p>
 
 <form method="post" action="token.cgi">
-  <input type="hidden" name="t" value=[% token %]>
+  <input type="hidden" name="t" value=[% token FILTER html %]>
   <input type="hidden" name="a" value="chgem">
   <table>
     <tr>
diff --git a/template/default/token/emailchangenew.txt.tmpl b/template/default/token/emailchangenew.txt.tmpl
index 9a0a1e8d7..5a5ae2535 100644
--- a/template/default/token/emailchangenew.txt.tmpl
+++ b/template/default/token/emailchangenew.txt.tmpl
@@ -27,10 +27,10 @@ for the [% oldemailaddress %] account to your address.
 
 To confirm the change, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER html %]
 
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
 
diff --git a/template/default/token/emailchangeold.txt.tmpl b/template/default/token/emailchangeold.txt.tmpl
index 661f8f1d4..82ecf1dfc 100644
--- a/template/default/token/emailchangeold.txt.tmpl
+++ b/template/default/token/emailchangeold.txt.tmpl
@@ -31,5 +31,5 @@ for your account to [% newemailaddress %].
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
 
-- 
cgit v1.2.3-24-g4f1b