Remove escaping exception for form field values

- This could allow code injection from a malicious query leading to a form page
- Thanks to Laura Pîrcălăboiu for the report
This commit is contained in:
Hypolite Petovan 2023-08-02 16:29:50 +02:00
parent 13cb8bb395
commit 6f9e15ea57
7 changed files with 9 additions and 16 deletions

View file

@ -1,4 +1,3 @@
<div class='field combobox'> <div class='field combobox'>
<label for='id_{{$field.0}}' id='id_{{$field.0}}_label'>{{$field.1}}</label> <label for='id_{{$field.0}}' id='id_{{$field.0}}_label'>{{$field.1}}</label>
{{* html5 don't work on Chrome, Safari and IE9 {{* html5 don't work on Chrome, Safari and IE9
@ -6,13 +5,13 @@
<datalist id="data_{{$field.0}}"> <datalist id="data_{{$field.0}}">
{{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{/foreach}} {{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{/foreach}}
</datalist> *}} </datalist> *}}
<input id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}" aria-describedby='{{$field.0}}_tip'> <input id="id_{{$field.0}}" type="text" value="{{$field.2}}" aria-describedby='{{$field.0}}_tip'>
<select id="select_{{$field.0}}" onChange="$('#id_{{$field.0}}').val($(this).val())"> <select id="select_{{$field.0}}" onChange="$('#id_{{$field.0}}').val($(this).val())">
<option value="">{{$field.5}}</option> <option value="">{{$field.5}}</option>
{{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{$val}}</option>{{/foreach}} {{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{$val}}</option>{{/foreach}}
</select> </select>
{{if $field.3}} {{if $field.3}}
<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span> <span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
{{/if}} {{/if}}

View file

@ -1,7 +1,6 @@
<div class='field input openid' id='wrapper_{{$field.0}}'> <div class='field input openid' id='wrapper_{{$field.0}}'>
<label for='id_{{$field.0}}'>{{$field.1}}</label> <label for='id_{{$field.0}}'>{{$field.1}}</label>
<input name='{{$field.0}}' id='id_{{$field.0}}' type="text" value="{{$field.2 nofilter}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby='{{$field.0}}_tip'> <input name='{{$field.0}}' id='id_{{$field.0}}' type="text" value="{{$field.2}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby='{{$field.0}}_tip'>
{{if $field.3}} {{if $field.3}}
<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span> <span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
{{/if}} {{/if}}

View file

@ -1,7 +1,6 @@
<div class="field password" id="wrapper_{{$field.0}}"> <div class="field password" id="wrapper_{{$field.0}}">
<label for="id_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label> <label for="id_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<input type="password" name="{{$field.0}}" id="id_{{$field.0}}" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="(($field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip"> <input type="password" name="{{$field.0}}" id="id_{{$field.0}}" value="{{$field.2}}"{{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="(($field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
{{if $field.3}} {{if $field.3}}
<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span> <span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
{{/if}} {{/if}}

View file

@ -1,9 +1,8 @@
<div class="form-group field input color"> <div class="form-group field input color">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label> <label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<div class="input-group" id="{{$field.0}}"> <div class="input-group" id="{{$field.0}}">
<span class="input-group-addon"><i></i></span> <span class="input-group-addon"><i></i></span>
<input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip"> <input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
</div> </div>
{{if $field.3}} {{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span> <span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>

View file

@ -1,8 +1,7 @@
<div class="form-group field input file"> <div class="form-group field input file">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label> <label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<div class="input-group" id="{{$field.0}}"> <div class="input-group" id="{{$field.0}}">
<input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip"> <input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
<span class="input-group-addon image-select"><i class="fa fa-picture-o"></i></span> <span class="input-group-addon image-select"><i class="fa fa-picture-o"></i></span>
</div> </div>
{{if $field.3}} {{if $field.3}}

View file

@ -1,7 +1,6 @@
<div id="id_{{$field.0}}_wrapper" class="form-group field input openid"> <div id="id_{{$field.0}}_wrapper" class="form-group field input openid">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}</label> <label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}</label>
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip"> <input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip">
{{if $field.3}} {{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span> <span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
{{/if}} {{/if}}

View file

@ -1,7 +1,6 @@
<div id="id_{{$field.0}}_wrapper" class="form-group field input password"> <div id="id_{{$field.0}}_wrapper" class="form-group field input password">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label> <label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2 nofilter}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip"> <input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
{{if $field.3}} {{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span> <span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
{{/if}} {{/if}}