[FIX] Escape some query parameters

2013-10-25 13:05:57 +02:00 · 2013-10-25 13:05:57 +02:00 · fa4d666f1f
commit fa4d666f1f
parent 8d005cbe5d
5 changed files with 7 additions and 7 deletions
--- a/public/templates/mpos/account/notifications/default.tpl
+++ b/public/templates/mpos/account/notifications/default.tpl
@ -1,6 +1,6 @@
 <form action="{$smarty.server.PHP_SELF}" method="POST">
-  <input type="hidden" name="page" value="{$smarty.request.page}">
-  <input type="hidden" name="action" value="{$smarty.request.action}">
+  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
+  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
  <input type="hidden" name="do" value="save">
  <article class="module width_quarter">
    <header>
--- a/public/templates/mpos/admin/user/default.tpl
+++ b/public/templates/mpos/admin/user/default.tpl
@ -98,8 +98,8 @@
  <footer>
    <div class="submit_link">
    <form action="{$smarty.server.PHP_SELF}" method="POST" id='query'>
-      <input type="hidden" name="page" value="{$smarty.request.page}">
-      <input type="hidden" name="action" value="{$smarty.request.action}">
+      <input type="hidden" name="page" value="{$smarty.request.page|escape}">
+      <input type="hidden" name="action" value="{$smarty.request.action|escape}">
      <input type="text" class="pin" name="query" value="{$smarty.request.query|default:"%"}">
      <input type="submit" value="Query" class="alt_btn">
    </form>
--- a/public/templates/mpos/global/breadcrumbs.tpl
+++ b/public/templates/mpos/global/breadcrumbs.tpl
@ -1,3 +1,3 @@
    <div class="breadcrumbs_container">
-      <article class="breadcrumbs"><a href="{$smarty.server.PHP_SELF}">{$GLOBAL.website.name}</a> <div class="breadcrumb_divider"></div> <a class="{if ! $smarty.request.action|default:""}current{/if}" {if $smarty.request.action|default:""}href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|default:"home"}"{/if}>{$smarty.request.page|default:"Home"|capitalize}</a>{if $smarty.request.action|default:""} <div class="breadcrumb_divider"></div> <a class="current">{$smarty.request.action|capitalize}</a>{/if}</article>
+      <article class="breadcrumbs"><a href="{$smarty.server.PHP_SELF}">{$GLOBAL.website.name}</a> <div class="breadcrumb_divider"></div> <a class="{if ! $smarty.request.action|default:""}current{/if}" {if $smarty.request.action|default:""}href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|default:"home"}"{/if}>{$smarty.request.page|escape|default:"Home"|capitalize}</a>{if $smarty.request.action|default:""} <div class="breadcrumb_divider"></div> <a class="current">{$smarty.request.action|escape|capitalize}</a>{/if}</article>
    </div>
--- a/public/templates/mpos/global/header.tpl
+++ b/public/templates/mpos/global/header.tpl
@ -1,5 +1,5 @@
    <hgroup>
      <h1 class="site_title">{$GLOBAL.website.name}</h1>
-      <h2 class="section_title">{if $smarty.request.action|default:""}{$smarty.request.action|capitalize}{else}{$smarty.request.page|default:"home"|capitalize}{/if}</h2>
+      <h2 class="section_title">{if $smarty.request.action|escape|default:""}{$smarty.request.action|escape|capitalize}{else}{$smarty.request.page|escape|default:"home"|capitalize}{/if}</h2>
    </hgroup>
    {include file="login/small.tpl"}
--- a/public/templates/mpos/master.tpl
+++ b/public/templates/mpos/master.tpl
@ -2,7 +2,7 @@
 <html lang="en">
 <head>
 	<meta charset="utf-8"/>
-	<title>{$GLOBAL.website.title} I {$smarty.request.page|default:"home"|capitalize}</title>
+	<title>{$GLOBAL.website.title} I {$smarty.request.page|escape|default:"home"|capitalize}</title>
 	
 	<link rel="stylesheet" href="{$PATH}/css/layout.css" type="text/css" media="screen" />
  <link rel="stylesheet" href="{$PATH}/css/fontello.css">