Commit 9b570df4 authored by chealer's avatar chealer

[FIX] Smarty {title} block escaping:

Double-escaped browser titles for escaped $content exposed with r24634
Raw H1 titles for correct $content (not escaped)
parent 0e225fa0
......@@ -53,7 +53,7 @@ function smarty_block_title($params, $content, &$smarty, $repeat) {
}
$html = '<h1>';
$html .= '<a class="' . $class . '"' . $metadata . ' href="' . $params['url'] . '">' . $content . "</a>\n";
$html .= '<a class="' . $class . '"' . $metadata . ' href="' . $params['url'] . '">' . htmlspecialchars($content) . "</a>\n";
if ($smarty->get_template_vars('print_page') != 'y') {
if ( $prefs['feature_help'] == 'y' && $prefs['helpurl'] != '' && $params['help'] != '' ) {
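Review bot: The new `htmlspecialchars($content)` encodes the whole title body, so entities that templates place literally inside `{title}` are double-encoded — the `&nbsp;` kept in the Copy page, Forum and Rename page titles changed by this same commit will render as `&amp;nbsp;` in the H1, and any `{tr}` output that already contains entities would suffer the same way. Either drop the literal entities from those templates or pass the fourth argument, `htmlspecialchars($content, ENT_QUOTES, 'UTF-8', false)`, which leaves existing entities alone while still encoding `<`, `>`, `&` and both quote styles (needs PHP 5.2.3 or later). Since the line is rewritten anyway, note that `$params['url']` still goes into the `href` attribute unescaped; unless it is guaranteed to be built internally rather than from request data, it deserves the same `htmlspecialchars()` treatment. `smarty_block_title` starts before this hunk and continues after it.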
......
{if $blog_data.use_title eq 'y'}
{title}{$title|escape}{/title}
{title}{$title}{/title}
{/if}
{if $blog_data.use_breadcrumbs eq 'y'}
<div class="breadcrumbs"><a class="link" href="tiki-list_blogs.php">{tr}Blogs{/tr}</a> {$prefs.site_crumb_seper} {$title|escape}</div>
......
{title}{tr}Approve page changes in staging:{/tr} {$page|escape}{/title}
{title}{tr}Approve page changes in staging:{/tr} {$page}{/title}
<div class="navbar">
{assign var=thispage value=$page|escape:url}
......
{* $Id$ *}
{assign var=escuser value=$assign_user|escape:url}
{title}{tr}Assign User {$assign_user|escape} to Groups{/tr}{/title}
{title}{tr}Assign User {$assign_user} to Groups{/tr}{/title}
<div class="navbar">
{if $tiki_p_admin eq 'y'} {* only full admins can manage groups, not tiki_p_admin_users *}
......
{* $Id$ *}
{title}{if $parentId ne 0}{tr}Category{/tr} {$p_info.name|tr_if|escape}{else}{tr}Categories{/tr}{/if}{/title}
{title}{if $parentId ne 0}{tr}Category{/tr} {$p_info.name|tr_if}{else}{tr}Categories{/tr}{/if}{/title}
{if $parentId and $p_info.description}
<div class="description">{$p_info.description}</div>
......
{* $Id$ *}
{title}{tr}Copy page:{/tr}&nbsp;{$page|escape}{/title}
{title}{tr}Copy page:{/tr}&nbsp;{$page}{/title}
<div class="navbar">
{assign var=thispage value=$page|escape:url}
......
......@@ -32,9 +32,9 @@
{/if}
{if $translation_mode eq 'n'}
{if $beingStaged eq 'y' and $prefs.wikiapproval_hideprefix == 'y'}{assign var=pp value=$approvedPageName}{else}{assign var=pp value=$page}{/if}
{title}{if isset($hdr) && $prefs.wiki_edit_section eq 'y'}{tr}Edit Section{/tr}{else}{tr}Edit{/tr}{/if}: {$pp|escape}{if $pageAlias ne ''}&nbsp;({$pageAlias|escape}){/if}{/title}
{title}{if isset($hdr) && $prefs.wiki_edit_section eq 'y'}{tr}Edit Section{/tr}{else}{tr}Edit{/tr}{/if}: {$pp}{if $pageAlias ne ''}&nbsp;({$pageAlias}){/if}{/title}
{else}
{title}{tr}Update '{$page|escape}'{/tr}{/title}
{title}{tr}Update '{$page}'{/tr}{/title}
{/if}
{if $beingStaged eq 'y'}
......
{title}{tr}{$title|escape}{/tr}{/title}
{title}{tr}{$title}{/tr}{/title}
<div>
{$description|escape}
......
{title}{tr}Admin FAQ:{/tr} {$faq_info.title|escape}{/title}
{title}{tr}Admin FAQ:{/tr} {$faq_info.title}{/title}
<div class="navbar">
{button href="tiki-list_faqs.php" _text="{tr}List FAQs{/tr}"}
......
{* $Id$ *}
{title}
{tr}File Archive:{/tr} {if empty($file_info.name)}{$file_info.filename|escape}{else}{$file_info.name}{/if}
{tr}File Archive:{/tr} {if empty($file_info.name)}{$file_info.filename}{else}{$file_info.name}{/if}
{/title}
<div class="navbar">
......
{* $Id$ *}
<div style="margin:10px 20px 0px 20px">
{title}{tr}Forum:{/tr}&nbsp;{$forum_info.name|escape}{/title}
{title}{tr}Forum:{/tr}&nbsp;{$forum_info.name}{/title}
<div class="top_post">
{include file='comment.tpl' first='y' comment=$thread_info thread_style='commentStyle_plain'}
......
{title}{tr}Remove page:{/tr} {$page|escape} ({if $version == 'last'}{tr}Last Version{/tr}{else}{tr}Version:{/tr} {$version}{/if}){/title}
{title}{tr}Remove page:{/tr} {$page} ({if $version == 'last'}{tr}Last Version{/tr}{else}{tr}Version:{/tr} {$version}{/if}){/title}
<div class="navbar">
{assign var=thispage value=$page|escape:'url'}
......
{title}{tr}Rename page:{/tr}&nbsp;{$page|escape}{/title}
{title}{tr}Rename page:{/tr}&nbsp;{$page}{/title}
<div class="navbar">
{assign var=thispage value=$page|escape:url}
......
{title}{tr}Rollback page{/tr} {$page|escape} {tr}to version{/tr} {$version}{/title}
{title}{tr}Rollback page{/tr} {$page} {tr}to version{/tr} {$version}{/title}
<form action="tiki-rollback.php?page={$page|escape:url}&amp;version={$version|escape}&amp;rollback=y" method="post">
<input type="submit" name="rollback" value="{tr}Rollback{/tr}" />
......
{title}{tr}Stats for survey:{/tr} {$survey_info.name|escape}{/title}
{title}{tr}Stats for survey:{/tr} {$survey_info.name}{/title}
<div class="navbar">
{self_link print='y'}{icon _id='printer' align='right' hspace='1' alt="{tr}Print{/tr}"}{/self_link}
......
<form name="aform" formId='editpageform' action="{$form_action|default:'tiki-take_survey.php'}" method="post">
<input type="hidden" name="surveyId" value="{$surveyId|escape}" />
<input type="hidden" name="vote" value="yes" />
{if !isset($show_name) or $show_name eq 'y'}{title}{$survey_info.name|escape}{/title}{/if}
{if !isset($show_name) or $show_name eq 'y'}{title}{$survey_info.name}{/title}{/if}
{if $error_msg neq ''}
{remarksbox type="warning" title="{tr}Warning{/tr}"}{$error_msg}{/remarksbox}
{/if}
......