Escape values to input fields (and some 'title' and 'alt')

[friendica.git] / view / templates / intros.tpl

diff --git a/view/templates/intros.tpl b/view/templates/intros.tpl
index a14bcf39e63484907cbd00bcd2fc2336730f220e..74fb53b589f5a91c127857225fd5796eb0218ea6 100644 (file)
--- a/view/templates/intros.tpl
+++ b/view/templates/intros.tpl
@@ -4,13 +4,13 @@
 
 <p class="intro-desc">{{$str_notifytype}} {{$notify_type}}</p>
 <div class="intro-fullname" id="intro-fullname-{{$contact_id}}" >{{$fullname}}</div>
-<a class="intro-url-link" id="intro-url-link-{{$contact_id}}" href="{{$url}}" ><img id="photo-{{$contact_id}}" class="intro-photo" src="{{$photo}}" width="175" height=175" title="{{$fullname}}" alt="{{$fullname}}" /></a>
+<a class="intro-url-link" id="intro-url-link-{{$contact_id}}" href="{{$url}}" ><img id="photo-{{$contact_id}}" class="intro-photo" src="{{$photo}}" width="175" height=175" title="{{$fullname|escape:'html'}}" alt="{{$fullname|escape:'html'}}" /></a>
 <div class="intro-knowyou">{{$knowyou}}</div>
 <div class="intro-note" id="intro-note-{{$contact_id}}">{{$note}}</div>
 <div class="intro-wrapper-end" id="intro-wrapper-end-{{$contact_id}}"></div>
 <form class="intro-form" action="notifications/{{$intro_id}}" method="post">
-<input class="intro-submit-ignore" type="submit" name="submit" value="{{$ignore}}" />
-<input class="intro-submit-discard" type="submit" name="submit" value="{{$discard}}" />
+<input class="intro-submit-ignore" type="submit" name="submit" value="{{$ignore|escape:'html'}}" />
+<input class="intro-submit-discard" type="submit" name="submit" value="{{$discard|escape:'html'}}" />
 </form>
 <div class="intro-form-end"></div>
 
@@ -23,7 +23,7 @@
 
 {{$dfrn_text}}
 
-<input class="intro-submit-approve" type="submit" name="submit" value="{{$approve}}" />
+<input class="intro-submit-approve" type="submit" name="submit" value="{{$approve|escape:'html'}}" />
 </form>
 </div>
 <div class="intro-end"></div>