Some more escaping

diff --git a/mod/dirfind.php b/mod/dirfind.php
index 2609760e91df0fc50d86c1935699ec586a8a624a..7f1a6691f59f6da79232434a57ad29bb44eb9883 100644 (file)
--- a/mod/dirfind.php
+++ b/mod/dirfind.php
@@ -235,7 +235,7 @@ function dirfind_content(App $a, $prefix = "") {
                                        'alt_text' => $alt_text,
                                        'url' => Model\Contact::magicLink($jj->url),
                                        'itemurl' => $itemurl,
-                                       'name' => htmlentities($jj->name),
+                                       'name' => $jj->name,
                                        'thumb' => ProxyUtils::proxifyUrl($jj->photo, false, ProxyUtils::SIZE_THUMB),
                                        'img_hover' => $jj->tags,
                                        'conntxt' => $conntxt,

diff --git a/view/templates/contact_template.tpl b/view/templates/contact_template.tpl
index 06918533ca0ee4bcfcbbb33b194142b6d7683cc0..6845c6256261fb6b31b7977e28ec6e1ec2f17d5b 100644 (file)
--- a/view/templates/contact_template.tpl
+++ b/view/templates/contact_template.tpl
@@ -5,7 +5,7 @@
                onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
                onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" >
 
-                       <a href="{{$contact.url}}" title="{{$contact.img_hover}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" /></a>
+                       <a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" /></a>
 
                        {{if $multiselect}}
                        <input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -31,7 +31,7 @@
 
        <div class="contact-entry-desc">
                <div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}" >
-                       {{$contact.name}}
+                       {{$contact.name|escape}}
                        {{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
                </div>
                {{if $contact.alt_text}}<div class="contact-entry-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}

diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index 4f07ad2b1d9519ae2233b5911dd24ab9665af8a1..1b56a6b62cc4aea8a690adb5dcc9fe880548907e 100644 (file)
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -220,7 +220,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
                        {{* The contact description (e.g. Name, Network, kind of connection and so on *}}
                        <div class="contact-entry-desc">
                                <div class="contact-entry-name" id="contact-entry-name-{$id}">
-                                       <h4 class="media-heading"><a href="{$url}">{$name}</a>
+                                       <h4 class="media-heading"><a href="{$url}">{$name|escape}</a>
                                        {if $account_type} <small class="contact-entry-details" id="contact-entry-accounttype-{$id}">({$account_type})</small>{/if}
                                        {if $account_type == 'Forum'}<i class="fa fa-comments-o" aria-hidden="true"></i>{/if}
                                        {{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}}

diff --git a/view/theme/frio/templates/mail_list.tpl b/view/theme/frio/templates/mail_list.tpl
index 225fd71c183786ac1b73cae170595952f52b9136..e6a024f11c68a123d25e8a823f9d0001abebbf7e 100644 (file)
--- a/view/theme/frio/templates/mail_list.tpl
+++ b/view/theme/frio/templates/mail_list.tpl
@@ -11,7 +11,7 @@
                        <div class="media-body">
                                <div class="text-muted time ago pull-right" title="{{$date}}">{{$ago}}</div>
 
-                               <h4 class="media-heading">{{$from_name}}</h4>
+                               <h4 class="media-heading">{{$from_name|escape}}</h4>
                                <div class="mail-list-subject"><a href="message/{{$id}}">{{$subject}}</a></div>
                                <a href="message/dropconv/{{$id}}" onclick="return confirmDelete();"  title="{{$delete}}" class="pull-right" onmouseover="imgbright(this);" onmouseout="imgdull(this);">
                                <i class="faded-icon fa fa-trash"></i>

diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index 961c241a1407223528de3308ccd2f16a054b0103..f90b2f72a44a9aad46b5b33ac591376d1ca47b29 100644 (file)
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -252,7 +252,7 @@ as the value of $top_child_total (this is done at the end of this file)
                        {{/if}}
 
                        {{if $item.title}}
-                       <span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h4><br /></span>
+                       <span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h4><br /></span>
                        {{/if}}
 
                        <div class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>