From b1ef63e5bfc0d3995245b42154686db1400b2c22 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 15 Oct 2006 03:26:50 +0000
Subject: Bug 206037: [SECURITY] Fix escaping/quoting in edit*.cgi scripts - Patch by Frédéric Buclin r=justdave a=justdave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 template/en/default/admin/table.html.tmpl | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'template/en/default/admin/table.html.tmpl')

diff --git a/template/en/default/admin/table.html.tmpl b/template/en/default/admin/table.html.tmpl
index 29108fd6c..d13dceb66 100644
--- a/template/en/default/admin/table.html.tmpl
+++ b/template/en/default/admin/table.html.tmpl
@@ -32,7 +32,7 @@
 # with the key xxx in data hash of the current row.
 # content: If specified, the content of this variable is used
 # instead of the data pulled from the current row.
- # NOTE: This value is not HTML filtered at output!
+ # NOTE: This value is only partially HTML filtered!
 # content_use_field: If defined and true, then each value in the
 # column corresponds with a key in the
 # field_descs field, and that value from the
@@ -41,8 +41,8 @@
 # This content WILL be HTML-filtered in this case.
 # align: left/center/right. Controls the horizontal alignment of the
 # text in the column.
- # allow_html_content: if defined, then this column allows html content
- # so it will not be filtered
+ # allow_html_content: if defined, then this column allows some html content
+ # and so it will be only partially filtered.
 # yesno_field: Turn the data from 0/!0 into Yes/No
 #
 # data:
@@ -94,6 +94,7 @@
 content = c.content
 content_use_field = c.content_use_field
 align = c.align
+ class = c.class
 allow_html_content = c.allow_html_content
 yesno_field = c.yesno_field
 %]
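Review bot: The reworded NOTE in the first hunk and the allow_html_content description in the second say only that the value is "partially" filtered, which does not tell a template author which tags survive; since the later hunks route both values through `FILTER html_light`, name the filter, e.g. `# NOTE: This value is passed through FILTER html_light, not FILTER html!` and `# and so it is passed through FILTER html_light rather than FILTER html.` The `class = c.class` default added in the third hunk has no matching `# class:` entry in the same option list, so document it beside `# align:` as a per-column value that, judging by the SET override hunk that follows, can also be overridden per row in the same way as align.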
@@ -112,6 +113,8 @@
 IF override.override_content_use_field %]
 [% SET align = override.align
 IF override.override_align %]
+ [% SET class = override.class
+ IF override.override_class %]
 [% SET allow_html_content = override.allow_html_content
 IF override.override_allow_html_content %]
 [% SET yesno_field = override.yesno_field
@@ -122,7 +125,8 @@ [% END %] [% END %] - + [% IF contentlink %] [% link_uri = contentlink %]
@@ -143,7 +147,7 @@
 [% colname = row.${c.name} %]
 [% field_descs.${colname} FILTER html %]
 [% ELSIF content %]
- [% content FILTER none %]
+ [% content FILTER html_light %]
 [% ELSE %]
 [% IF yesno_field %]
 [% IF row.${c.name} %]
@@ -153,7 +157,7 @@
 [% END %]
 [% ELSE %]
 [% IF allow_html_content %]
- [% row.${c.name} FILTER none %]
+ [% row.${c.name} FILTER html_light %]
 [% ELSE %]
 [% row.${c.name} FILTER html %]
 [% END %]
-- cgit v1.2.3-24-g4f1b
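Review bot: The hunk at @@ -122,7 +125,8 @@ has its changed lines stripped in this rendering, so it cannot be confirmed here that the new `class` value is emitted through `FILTER html` the way the surrounding cell markup is; class arrives from the column definition and the per-row override exactly like align, so it should get the same escaping, and the rebuilt line should be checked for that. The html_light hunks at -143 and -153 only narrow what survives in `content` and in allow_html_content columns: if html_light is an allow-list filter, as its use as a replacement for `FILTER none` suggests, row values that calling templates interpolate into `content` still need their own `FILTER html`, which is worth stating in the `# content:` NOTE rather than leaving it at "partially". The `[% IF allow_html_content %]` block at -153 is nested in conditionals that start before and end after the hunk.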