From 6f4c5b51cc965410cab969de77e2e4c38e4ffd8d Mon Sep 17 00:00:00 2001
From: mh <mh>
Date: Tue, 10 Dec 2002 09:40:33 +0000
Subject: [PATCH 1/1] wrap pretty much all freemarker variables (i.e the data)
 in encodeHTML(data..). this fixes tons of bugs in the admin, like when stuff
 dissappeats after quotes, etc.. also when attaching media, only show
 published media in the lists

---
 templates-dist/admin/content.template | 128 +++++++++++++++++-----------------
 1 file changed, 64 insertions(+), 64 deletions(-)

diff --git a/templates-dist/admin/content.template b/templates-dist/admin/content.template
index e128de46..bbacb048 100755
--- a/templates-dist/admin/content.template
+++ b/templates-dist/admin/content.template
@@ -12,12 +12,12 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 
 <body bgcolor="#FFFFFF" link="#aaaaaa">
 <include "admin/head.template">
-<form method="post" action="${config.actionRoot}">
+<form method="post" action="${encodeHTML(config.actionRoot)}">
 	<input type="hidden" name="module" value="Content">
-	<input type="hidden" name="where" value="${data.where}">
-	<input type="hidden" name="offset" value="${data.offset}">
-	<input type="hidden" name="order" value="${data.order}">
-	<input type="hidden" name="id" value="${data.id}">
+	<input type="hidden" name="where" value="${encodeHTML(data.where)}">
+	<input type="hidden" name="offset" value="${encodeHTML(data.offset)}">
+	<input type="hidden" name="order" value="${encodeHTML(data.order)}">
+	<input type="hidden" name="id" value="${encodeHTML(data.id)}">
 	<if data.new>
 		<input type="hidden" name="do" value="insert">
 	<else>
@@ -32,7 +32,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 		<b>${lang("content.owner")}:</b>
   </td>
 	<td>
-    ${data.login_user.login}
+    ${encodeHTML(data.login_user.login)}
   </td>
 	</font>
 	<td colspan="3">&nbsp;</td>
@@ -43,7 +43,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
     <b>${lang("content.import_date")}:</b>
   </td>
   <td>
-    ${data.date}
+    ${encodeHTML(data.date)}
   </td>
 	</font>
 	<td colspan="3">&nbsp;</td>
@@ -55,7 +55,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
     <b>${lang("content.lastchange_date")}:</b>
   </td>
   <td>
-		${data.webdb_lastchange}
+		${encodeHTML(data.webdb_lastchange)}
     <br>
   </td>
 	</font>
@@ -68,7 +68,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
     <b>${lang("content.create_date")}:</b>
   </td>
   <td colspan="3">
-  	${data.webdb_create}<br><br>${lang("edit")} (yyyy-mm-dd [HH:mm]):
+  	${encodeHTML(data.webdb_create)}<br><br>${lang("edit")} (yyyy-mm-dd [HH:mm]):
 	<input type="text" size="10" maxlength="16" name="webdb_create" value="">
     <br>
   </td>
@@ -78,11 +78,11 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 
 <tr>
 	<td align="right" valign="top" bgcolor="#AAAAAA"><font color="#ffffff">
-		<B>${lang("content.topic")}&nbsp;<a href="${config.docRoot}/help/content.html">
-		<img src=" ${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<B>${lang("content.topic")}&nbsp;<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src=" ${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		&nbsp;/&nbsp;${lang("content.feature")}:&nbsp;
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		</B></font>
 	</td>
 	<td colspan="4" >
@@ -91,12 +91,12 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 		<td>
 		<select name="to_article_type">
 		<list extra.articletypePopupData as a>
-			<option value="${a.key}" <if (a.key == data.to_article_type)>selected</if>>${a.value}</option>
+			<option value="${encodeHTML(a.key)}" <if (a.key == data.to_article_type)>selected</if>>${encodeHTML(a.value)}</option>
 		</list>
 		</select>
 		<select name="to_feature">
 		<list extra.schwerpunktPopupData as s>
-			<option value="${s.key}" <if (s.key == data.to_feature)>selected</if>>${s.value}</option>
+			<option value="${encodeHTML(s.key)}" <if (s.key == data.to_feature)>selected</if>>${encodeHTML(s.value)}</option>
 		</list>
 		</select>
 		</td>
@@ -104,7 +104,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 		<select name="to_topic" size="5" multiple>
 
 		<list extra.themenPopupData as t>
-		<option value="${t.key}" <list data.to_topics as to><if (t.key == to["id"])>selected</if></list>>${t.value}</option>
+		<option value="${encodeHTML(t.key)}" <list data.to_topics as to><if (t.key == to["id"])>selected</if></list>>${encodeHTML(t.value)}</option>
 		</list>
 
 		</select>
@@ -114,7 +114,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 		<td>
 		<select name="to_language">
 		<list extra.languagePopupData as l>
-			<option value="${l.key}" <if (l.key == data.to_language)>selected</if>>${l.value}</option>
+			<option value="${encodeHTML(l.key)}" <if (l.key == data.to_language)>selected</if>>${encodeHTML(l.value)}</option>
 		</list>
 		</select>
 		<td>
@@ -125,37 +125,37 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 <tr>
 	<td align="right" valign="top" bgcolor="#AAAAAA">
 		<B><font color="#ffffff">${lang("content.title")}:&nbsp;<br><br>${lang("content.subtitle")}:&nbsp;<br>
-		<a href="${config.docRoot}/help/content.html#title">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html#title">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		</font></B>
 	</td>
 	<td colspan="4">
-		<input type="text" size="40" name="title" value="${data.title}"><br>
-		<input type="text" size="20" name="subtitle" value="${data.subtitle}">
-		<input type="text" size="20" name="edittitle" value="${data.edittitle}">
+		<input type="text" size="40" name="title" value="${encodeHTML(data.title)}"><br>
+		<input type="text" size="20" name="subtitle" value="${encodeHTML(data.subtitle)}">
+		<input type="text" size="20" name="edittitle" value="${encodeHTML(data.edittitle)}">
 	</td>
 </tr>
 <tr>
    	<td align="right" valign="top" bgcolor="#AAAAAA">
 		<B><font color="#ffffff">${lang("content.location")}:</font>
 		<font color="#FFFFFF">
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		</font></B>
 	</td>
 	<td colspan="4" >
-		<input type="text" size="40" name="place" value="${data.place}">
+		<input type="text" size="40" name="place" value="${encodeHTML(data.place)}">
 	</td>
 </tr>
 <tr>
 	<td align="right" valign="top" bgcolor="#AAAAAA">
 		<font color="#ffffff"><B>${lang("content.creator")}:</B></font>
 		<font color="#ffffff">
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a></font>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a></font>
 	</td>
 	<td colspan="4">
-		<input type="text" size="40" name="creator" value="${data.creator}"><br>
+		<input type="text" size="40" name="creator" value="${encodeHTML(data.creator)}"><br>
 	</td>
 </tr>
 
@@ -163,71 +163,71 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align="right" valign="top" bgcolor="#AAAAAA">
 		<font color="#ffffff"><B>${lang("content.creator.email")}/${lang("content.creator.url")}:</B></font>
 		<font color="#ffffff">
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a></font>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a></font>
 	</td>
 	<td colspan="4" >
-		<input type="text" size="20" name="creator_email" value="${data.creator_email}">
-		<input type="text" size="20" name="creator_main_url" value="${data.creator_main_url}">
+		<input type="text" size="20" name="creator_email" value="${encodeHTML(data.creator_email)}">
+		<input type="text" size="20" name="creator_main_url" value="${encodeHTML(data.creator_main_url)}">
 	</td>
 </tr>
 <tr>
 	<td align="right" valign="top" bgcolor="#AAAAAA">
 		<font color="#ffffff"><B>${lang("content.creator.address")}/${lang("content.creator.telephone")}:</B></font>
 		<font color="#ffffff">
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a></font>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a></font>
 	</td>
 	<td colspan="4" >
-		<input type="text" size="20" name="creator_address" value="${data.creator_address}">
-		<input type="text" size="20" name="creator_phone" value="${data.creator_phone}">
+		<input type="text" size="20" name="creator_address" value="${encodeHTML(data.creator_address)}">
+		<input type="text" size="20" name="creator_phone" value="${encodeHTML(data.creator_phone)}">
 	</td>
 </tr>
 <tr>
   <td align="right" valign="top" bgcolor="#AAAAAA">
 		<B><font color="#ffffff">${lang("content.abstract")}:</font></B>
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 	</td>
 	<td colspan="4">
-		<textarea cols="50" rows="15" name="description" wrap=virtual>${data.description}</textarea>
+		<textarea cols="50" rows="15" name="description" wrap=virtual>${encodeHTML(data.description)}</textarea>
 	</td>
 </tr>
 
 <tr>
     <td align="right" valign="top" bgcolor="#AAAAAA">
 		<B><font color="#ffffff">${lang("content.content")}:
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		${lang("content.html")}</font> <input type="checkbox" name="is_html" value="1"<if
 		data.is_html=="1"> checked</if>>&nbsp;
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 	</font></b></td>
 	<td colspan="4">
-	<textarea cols="50" rows="20" name="content_data" wrap=virtual>${data.content_data}</textarea></td>
+	<textarea cols="50" rows="20" name="content_data" wrap=virtual>${encodeHTML(data.content_data)}</textarea></td>
 </tr>
 <!--
 <tr>
 	<td align="right" valign="top" bgcolor="#aaaaaa"><B><font color="#ffffff">Termin (von/bis)
 		<font color="#000000">
-		<a href="${config.docRoot}/help/content.html">
-		<img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a></font>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html">
+		<img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a></font>
 		</font>:</B></td>
 	<td nowrap>
-		<input type="text" size="8" maxlength="8" name="date_from" value="${data.date_from}">
-		<input type="text" size="8" maxlength="8" name="date_to" value="${data.date_to}">
+		<input type="text" size="8" maxlength="8" name="date_from" value="${encodeHTML(data.date_from)}">
+		<input type="text" size="8" maxlength="8" name="date_to" value="${encodeHTML(data.date_to)}">
 	</td>
 	<td>
 		&nbsp;
 	</td>
 	<td align="right" valign="top" bgcolor="#aaaaaa">
 		<B><font color="#ffffff">Termin Name:&nbsp;
-		<a href="${config.docRoot}/help/content.html"><img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>
+		<a href="${encodeHTML(config.docRoot)}/help/content.html"><img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>
 		</font></B>
 	</td>
 	<td>
-		<input type="text" size="25" name="date_name" value="${data.date_name}">
+		<input type="text" size="25" name="date_name" value="${encodeHTML(data.date_name)}">
 	</td>
 </tr>
 -->
@@ -237,7 +237,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 		<i>${lang("content.internal")}</i></font>
 	</td>
 	<td colspan="4">
-		<textarea cols="50" rows="6" name="comment" wrap=virtual>${data.comment}</textarea>
+		<textarea cols="50" rows="6" name="comment" wrap=virtual>${encodeHTML(data.comment)}</textarea>
 	</td>
 </tr>
 
@@ -246,7 +246,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td>&nbsp;</td>
 	<td>&nbsp;</td>
 	<td colspan="2" align="right" valign="top">
-		frei <a href="${config.docRoot}/help/content.html"><img src="${config.docRoot}/img/help.gif" border="0" align="absmiddle"></a>:
+		frei <a href="${encodeHTML(config.docRoot)}/help/content.html"><img src="${encodeHTML(config.docRoot)}/img/help.gif" border="0" align="absmiddle"></a>:
 		<input type="checkbox" name="is_published" value="1"<if data.is_published!="0" && data.is_published!=""> checked</if>>
 		<if data.new>
 		<input type="submit" name="save" value="${lang("insert")}">
@@ -263,8 +263,8 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.images")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-		<a href="${config.actionRoot}?module=Images&do=edit&id=${m["id"]}"><img src="${config.actionRoot}?module=Images&do=getIcon&id=${m["id"]}" alt="edit" border="0"></a>
-  		<a href="${config.actionRoot}?module=Content&do=dettach&cid=${data.id}&mid=${m["id"]}">${lang("delete")}</a>
+		<a href="${encodeHTML(config.actionRoot)}?module=Images&do=edit&id=${m["id"]}"><img src="${encodeHTML(config.actionRoot)}?module=Images&do=getIcon&id=${m["id"]}" alt="edit" border="0"></a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Content&do=dettach&cid=${encodeHTML(data.id)}&mid=${m["id"]}">${lang("delete")}</a>
 	</td>
 </tr>
 </list>
@@ -272,7 +272,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.media")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-  		<a href="${config.actionRoot}?module=Images&do=list&cid=${data.id}">${lang("content.addimage")}</a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Images&do=list&cid=${encodeHTML(data.id)}&query_is_published=1">${lang("content.addimage")}</a>
 	</td>
 </tr>
 <list data.to_media_audio as m>
@@ -280,8 +280,8 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.audio")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-		<a href="${config.actionRoot}?module=Audio&do=edit&id=${m["id"]}"><img src="${config.docRoot}/img/${m["big_icon"]}" alt="edit" border="0"></a>
-  		<a href="${config.actionRoot}?module=Content&do=dettach&cid=${data.id}&mid=${m["id"]}">${lang("delete")}</a>
+		<a href="${encodeHTML(config.actionRoot)}?module=Audio&do=edit&id=${m["id"]}"><img src="${encodeHTML(config.docRoot)}/img/${m["big_icon"]}" alt="edit" border="0"></a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Content&do=dettach&cid=${encodeHTML(data.id)}&mid=${m["id"]}">${lang("delete")}</a>
 	</td>
 </tr>
 </list>
@@ -289,7 +289,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.media")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-  		<a href="${config.actionRoot}?module=Audio&do=list&cid=${data.id}">${lang("content.addaudio")}</a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Audio&do=list&cid=${encodeHTML(data.id)}&query_is_published=1">${lang("content.addaudio")}</a>
 	</td>
 </tr>
 <list data.to_media_video as m>
@@ -297,8 +297,8 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.video")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-		<a href="${config.actionRoot}?module=Video&do=edit&id=${m["id"]}"><img src="${config.docRoot}/img/${m["big_icon"]}" alt="edit" border="0"></a>
-  		<a href="${config.actionRoot}?module=Content&do=dettach&cid=${data.id}&mid=${m["id"]}">${lang("delete")}</a>
+		<a href="${encodeHTML(config.actionRoot)}?module=Video&do=edit&id=${m["id"]}"><img src="${encodeHTML(config.docRoot)}/img/${m["big_icon"]}" alt="edit" border="0"></a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Content&do=dettach&cid=${encodeHTML(data.id)}&mid=${m["id"]}">${lang("delete")}</a>
 	</td>
 </tr>
 </list>
@@ -306,7 +306,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.media")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-  		<a href="${config.actionRoot}?module=Video&do=list&cid=${data.id}">${lang("content.addvideo")}</a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Video&do=list&cid=${encodeHTML(data.id)}&query_is_published=1">${lang("content.addvideo")}</a>
 	</td>
 </tr>
 <list data.to_media_other as m>
@@ -314,8 +314,8 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.other")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-		<a href="${config.actionRoot}?module=OtherMedia&do=edit&id=${m["id"]}"><img src="${config.docRoot}/img/${m["big_icon"]}" alt="edit" border="0"></a>
-  		<a href="${config.actionRoot}?module=Content&do=dettach&cid=${data.id}&mid=${m["id"]}">${lang("delete")}</a>
+		<a href="${encodeHTML(config.actionRoot)}?module=OtherMedia&do=edit&id=${m["id"]}"><img src="${encodeHTML(config.docRoot)}/img/${m["big_icon"]}" alt="edit" border="0"></a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=Content&do=dettach&cid=${encodeHTML(data.id)}&mid=${m["id"]}">${lang("delete")}</a>
 	</td>
 </tr>
 </list>
@@ -323,7 +323,7 @@ p {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt}
 	<td align=right valign=top bgcolor="#aaaaaa">
   		<B><font color="#ffffff">${lang("content.media")}:</B><br></td>
 	<td colspan="4" align="left" valign="top">
-  		<a href="${config.actionRoot}?module=OtherMedia&do=list&cid=${data.id}">${lang("content.addother")}</a>
+  		<a href="${encodeHTML(config.actionRoot)}?module=OtherMedia&do=list&cid=${encodeHTML(data.id)}&query_is_published=1">${lang("content.addother")}</a>
 	</td>
 </tr>
 </table>
-- 
2.11.0