Bug 133423 - Audit templates for FILTER usage

r=gerv, justdave

Bug 133423 - Audit templates for FILTER usage
91341bcf · bbaetz%student.usyd.edu.au · ae8a18de · 91341bcf · 91341bcf · 91341bcf
Commit 91341bcf authored Apr 07, 2002 by bbaetz%student.usyd.edu.au
26 changed files
--- a/template/default/admin/account_created.tmpl
+++ b/template/default/admin/account_created.tmpl
@@ -25,7 +25,7 @@
 <p>
  A new account,  
-  <tt>[% login %]</tt>,
+  <tt>[% login FILTER html %]</tt>,
  has been created and a randomly-generated password has been e-mailed 
  to that address.
 </p>

--- a/template/default/admin/account_exists.tmpl
+++ b/template/default/admin/account_exists.tmpl
@@ -25,8 +25,8 @@
 <form method="get" action="token.cgi">
  <input type="hidden" name="a" value="reqpw" />
-  <input type="hidden" name="loginname" value="[% login %]" />
+  <input type="hidden" name="loginname" value="[% login FILTER html %]" />
-  A Bugzilla account for <tt>[% login %]</tt> already exists. If you
+  A Bugzilla account for <tt>[% login FILTER html %]</tt> already exists. If you
  are the account holder and have forgotten your password, 
  <input type="submit" value="submit a request to change it" />.
 </form>

--- a/template/default/admin/change-password.html.tmpl
+++ b/template/default/admin/change-password.html.tmpl
@@ -26,7 +26,7 @@
 </p>
 <form method="post" action="token.cgi">
-  <input type="hidden" name="t" value="[% token %]" />
+  <input type="hidden" name="t" value="[% token FILTER html %]" />
  <input type="hidden" name="a" value="chgpw" />
  <table>
    <tr>

--- a/template/default/admin/create_account.tmpl
+++ b/template/default/admin/create_account.tmpl
@@ -38,7 +38,7 @@
      </td>
      <td>
        <input size="35" name="login" />
-        [% Param('emailsuffix') %]
+        [% Param('emailsuffix') FILTER html %]
      </td>
    </tr>

--- a/template/default/attachment/created.atml
+++ b/template/default/attachment/created.atml
@@ -28,7 +28,7 @@
  <tr>
    <td>
      <h2>
-        <a title="[% description %]" href="attachment.cgi?id=[% attachid %]&action=edit">Attachment #[% attachid %]</a> 
+        <a title="[% description FILTER html %]" href="attachment.cgi?id=[% attachid %]&action=edit">Attachment #[% attachid %]</a> 
        to <a href="show_bug.cgi?id=[% bugid %]">Bug #[% bugid %]</a> Created
      </h2>

--- a/template/default/attachment/edit.atml
+++ b/template/default/attachment/edit.atml
@@ -153,10 +153,10 @@
      <td width="25%">
        <small>
        <b>Description:</b><br>
-          <textarea rows="3" cols="25" name="description" wrap="soft">[% description %]</textarea><br>
+          <textarea rows="3" cols="25" name="description" wrap="soft">[% description FILTER html %]</textarea><br>
        <b>MIME Type:</b><br>
-          <input type="text" size="20" name="contenttypeentry" value="[% contenttype %]"><br>
+          <input type="text" size="20" name="contenttypeentry" value="[% contenttype FILTER html %]"><br>
        <b>Flags:</b><br>
          <input type="checkbox" name="ispatch" value="1"[% " checked" IF ispatch %]>patch
@@ -165,7 +165,7 @@
        [% IF statusdefs.size %]
          <b>Status:</b><br>
            [% FOREACH def = statusdefs %]
-                <input type="checkbox" name="status" value="[% def.id %]"[% " checked" IF statuses.${def.id} %]>[% def.name %]<br>
+                <input type="checkbox" name="status" value="[% def.id %]"[% " checked" IF statuses.${def.id} %]>[% def.name FILTER html %]<br>
            [% END %]
        [% END %]

--- a/template/default/attachment/list.atml
+++ b/template/default/attachment/list.atml
@@ -43,7 +43,7 @@
        [% IF attachment.ispatch %]
          <i>patch</i>
        [% ELSE %]
-          [% attachment.contenttype %]
+          [% attachment.contenttype FILTER html %]
        [% END %]
      </td>
@@ -55,7 +55,7 @@
          <i>none</i>
        [% ELSE %]
          [% FOREACH s = attachment.statuses %]
-            [% s %]<br>
+            [% s FILTER html %]<br>
          [% END %]
        [% END %]
        </nobr>

--- a/template/default/attachment/viewall.atml
+++ b/template/default/attachment/viewall.atml
@@ -19,10 +19,11 @@
  # Contributor(s): Myk Melez <myk@mozilla.org>
  #%]
+[% filtered_summary = bugsummary FILTER html %]
 [% INCLUDE global/header 
  title = "View All Attachments for Bug #$bugid"
  h1 = "View All Attachments for <a href=\"show_bug.cgi?id=$bugid\">Bug #$bugid</a>"
-  h2 = bugsummary
+  h2 = filtered_summary
  style = "
    th { text-align: right; vertical-align: top; }
    td { text-align: left; vertical-align: top; }
@@ -67,7 +68,7 @@
          <i>none</i>
        [% ELSE %]
          [% FOREACH s = a.statuses %]
-            [% s %]<br>
+            [% s FILTER html %]<br>
          [% END %]
        [% END %]
        </nobr>

--- a/template/default/attachstatus/create.atml
+++ b/template/default/attachstatus/create.atml
@@ -58,7 +58,7 @@
      <td>
        <select name="product">
          [% FOREACH item = products %]
-            <option value="[% item %]">[% item %]</option>
+            <option value="[% item FILTER html %]">[% item FILTER html %]</option>
          [% END %]
        </select>
      </td>

--- a/template/default/attachstatus/delete.atml
+++ b/template/default/attachstatus/delete.atml
@@ -20,6 +20,9 @@
  #                 Jeff Hedlund <jeff.hedlund@matrixsi.com>
  #%]
+[%# Filter off the name here to be used multiple times below %]
+[% name = name FILTER html %]
 [% INCLUDE global/header 
  title = "Confirm Delete of Attachment Status '$name'" 
 %]

--- a/template/default/attachstatus/edit.atml
+++ b/template/default/attachstatus/edit.atml
@@ -35,14 +35,14 @@
    <tr>
      <th>Name:</th>
      <td>
-        <input type="text" name="name" value="[% name %]" size="50" maxlength="50">
+        <input type="text" name="name" value="[% name FILTER html %]" size="50" maxlength="50">
      </td>
    </tr>
    <tr>
      <th>Description:</th>
      <td>
-        <textarea name="desc" rows="4" cols="50">[% desc %]</textarea>
+        <textarea name="desc" rows="4" cols="50">[% desc FILTER html %]</textarea>
      </td>
    </tr>
@@ -56,7 +56,7 @@
    <tr>
      <th>Product:</th>
      <td>
-        [% product %]
+        [% product FILTER html %]
      </td>
    </tr>

--- a/template/default/attachstatus/list.atml
+++ b/template/default/attachstatus/list.atml
@@ -43,7 +43,7 @@
      <td>[% statusdef.name FILTER html %]</td>
      <td>[% statusdef.description FILTER html %]</td>
      <td>[% statusdef.sortkey %]</td>
-      <td>[% statusdef.product %]</td>
+      <td>[% statusdef.product FILTER html %]</td>
      <td>
        <a href="editattachstatuses.cgi?action=edit&id=[% statusdef.id %]">
            Edit</a>

--- a/template/default/buglist/buglist.html.tmpl
+++ b/template/default/buglist/buglist.html.tmpl
@@ -43,7 +43,7 @@
  [% END %]
  [% IF quip %]
-    <a href="quips.cgi"><i>[% quip %]</i></a>
+    <a href="quips.cgi"><i>[% quip FILTER html %]</i></a>
  [% END %]
 </div>

--- a/template/default/buglist/change-form.tmpl
+++ b/template/default/buglist/change-form.tmpl
@@ -246,8 +246,8 @@
  <select name="resolution" onchange="document.forms.changeform.knob[[% knum %]].checked=true">
    [% FOREACH resolution = resolutions %]
      [% NEXT IF !resolution %]
-      <option value="[% resolution %]" [% selected IF resolution == "FIXED" %]>
+      <option value="[% resolution FILTER html %]" [% selected IF resolution == "FIXED" %]>
-        [% resolution %]
+        [% resolution FILTER html %]
      </option>
    [% END %]
  </select><br />
@@ -279,7 +279,7 @@
  Reassign</A> bugs to
 </label>
 <input name="assigned_to" 
-       value="[% user %]"
+       value="[% user FILTER html %]"
       onchange="document.forms.changeform.knob[[% knum %]].checked = true;"
       size="32"><br />

--- a/template/default/global/header
+++ b/template/default/global/header
@@ -11,7 +11,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
  <head>
-    <title>[% title %]</title>
+    <title>[% title FILTER html %]</title>
    [% Param('headerhtml') %]

--- a/template/default/index.tmpl
+++ b/template/default/index.tmpl
@@ -56,7 +56,7 @@ function addSidebar() {
 [% IF username %]
  <a href="[% PerformSubsts(Param('mybugstemplate'), subst) %]">My Bugs</a><br>
  <a href="userprefs.cgi">Change password or user preferences</a><br>
-  <a href="relogin.cgi">Logout [% username %]</a><br>
+  <a href="relogin.cgi">Logout [% username FILTER html %]</a><br>
 [% ELSE %]
  <a href="query.cgi?GoAheadAndLogIn=1">Log in to an existing account</a><br>
  <a href="createaccount.cgi">Open a new Bugzilla account</a><br>

--- a/template/default/info/describe-components.tmpl
+++ b/template/default/info/describe-components.tmpl
@@ -19,9 +19,10 @@
  # Contributor(s): Bradley Baetz <bbaetz@student.usyd.edu.au>
  #%]
+[% filtered_product = product FILTER html %]
 [% INCLUDE global/header 
-  title = "Components for $product" 
+  title = "Components for $product"
-  h2 = product %]
+  h2 = filtered_product %]
 [% IF Param("useqacontact") %]
  [% numcols = 3 %]
@@ -70,7 +71,7 @@
    </td>
    <td>
      <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
-      [% comp.initialowner %]</a>
+      [% comp.initialowner FILTER html %]</a>
    </td>
    [% IF Param("useqacontact") %]
      <td>

--- a/template/default/info/quips.tmpl
+++ b/template/default/info/quips.tmpl
@@ -27,7 +27,7 @@
 [% IF added_quip %]
  <p>
    <font color="red">
-      Your quip '<tt>[% added_quip %]</tt>' has been added.
+      Your quip '<tt>[% added_quip FILTER html %]</tt>' has been added.
    </font>
  </p>
 [% END %]

--- a/template/default/prefs/account.tmpl
+++ b/template/default/prefs/account.tmpl
@@ -69,7 +69,7 @@
      [% IF new_login_name %]
        <tr>
          <th align="right">Pending email address:</th>
-          <td>[% new_login_name %]</td>
+          <td>[% new_login_name FILTER html %]</td>
        </tr>
        <tr>
          <th align="right">Change request expires:</th>

--- a/template/default/prefs/userprefs.tmpl
+++ b/template/default/prefs/userprefs.tmpl
@@ -34,10 +34,11 @@
  #                displaying anything, and can contain an optional custom
  #                message if required (which Perl still evaluates as True).
  #%]
+[% filtered_login = login FILTER html %]
 [% INCLUDE global/header
   title = "User Preferences"
-   h2 = login
+   h2 = filtered_login
   style = "td.selected_tab {
              border-width: 2px 2px 0px;
              border-style: solid; 

--- a/template/default/show/comments.tmpl
+++ b/template/default/show/comments.tmpl
@@ -39,7 +39,7 @@
    <br>
    <i>------- Additional Comment
      <a name="c[% count %]" href="#c[% count %]">#[% count %]</a> From 
-      <a href="mailto:[% comment.email %]">[% comment.name %]</a>
+      <a href="mailto:[% comment.email FILTER html %]">[% comment.name FILTER html %]</a>
      [%+ comment.time %] -------
    </i>
  [% END %]

--- a/template/default/show/multiple.tmpl
+++ b/template/default/show/multiple.tmpl
@@ -96,7 +96,7 @@
      <td colspan="2">
      [% IF Param('usetargetmilestone') %]
          <b>Target Milestone:</b>&nbsp;
-          [% bug.target_milestone %]
+          [% bug.target_milestone FILTER html %]
      [% END %]
      </td>
    </tr>
@@ -109,14 +109,14 @@
    <tr>
      <td colspan="4">
-        <b>Summary:</b>&nbsp;[% bug.short_desc %]
+        <b>Summary:</b>&nbsp;[% bug.short_desc FILTER html %]
      </td>
    </tr>
    [% IF use_keywords %]
      <tr>
        <td colspan="4">
-          <b>Keywords: </b>&nbsp;[% bug.keywords %]
+          <b>Keywords: </b>&nbsp;[% bug.keywords FILTER html %]
        </td>
      </tr>
    [% END %]
@@ -151,6 +151,6 @@
 [% BLOCK cell %]
  <td>
    <b>[% attr.description%]:</b>&nbsp;
-    [% bug.${attr.name} %]
+    [% bug.${attr.name} FILTER html %]
  </td>
 [% END %]
--- a/template/default/show/show_bug.html.tmpl
+++ b/template/default/show/show_bug.html.tmpl
@@ -19,11 +19,12 @@
  # Contributor(s): Gervase Markham <gerv@gerv.net>
  #%]
+[% filtered_desc = bug.short_desc FILTER html %]
 [% UNLESS header_done %]
  [% INCLUDE global/header 
    title = "Bug $bug.bug_id - $bug.short_desc"
    h1 = "Bugzilla Bug $bug.bug_id"
-    h2 = bug.short_desc
+    h2 = filtered_desc
    extra = navigation_links()
   %]
 [% END %]

--- a/template/default/token/confirmemail.html.tmpl
+++ b/template/default/token/confirmemail.html.tmpl
@@ -27,7 +27,7 @@
 </p>
 <form method="post" action="token.cgi">
-  <input type="hidden" name="t" value=[% token %]>
+  <input type="hidden" name="t" value=[% token FILTER html %]>
  <input type="hidden" name="a" value="chgem">
  <table>
    <tr>

--- a/template/default/token/emailchangenew.txt.tmpl
+++ b/template/default/token/emailchangenew.txt.tmpl
@@ -27,10 +27,10 @@ for the [% oldemailaddress %] account to your address.
 To confirm the change, visit the following link:
-[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER html %]
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
--- a/template/default/token/emailchangeold.txt.tmpl
+++ b/template/default/token/emailchangeold.txt.tmpl
@@ -31,5 +31,5 @@ for your account to [% newemailaddress %].
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]