From 17436a20a18f14d0b910ee1e5ba0564cd14d18de Mon Sep 17 00:00:00 2001
From: mh <mh>
Date: Tue, 10 Dec 2002 09:44:10 +0000
Subject: [PATCH] wrap pretty much all freemarker variables (i.e the data) in
 encodeHTML(data..). this fixes tons of bugs in the admin, like when stuff
 dissappeats after quotes, etc.. also add query_text, query_field, etc.. to
 the delete request URL so that after deleting a comment, you come back to the
 same place on your list.. also get rid of useless offset hidden parameter
 which causes a bug when searching and your offset is above 0

---
 templates-dist/admin/commentlist.template | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/templates-dist/admin/commentlist.template b/templates-dist/admin/commentlist.template
index 5cd065a3..be81a56d 100755
--- a/templates-dist/admin/commentlist.template
+++ b/templates-dist/admin/commentlist.template
@@ -1,7 +1,7 @@
 <html>
 <head>
 	<title>${lang("commentlist.htmltitle")}</title>
-	<link rel="stylesheet" type="text/css" href="${config.docRoot}/admin.css">
+	<link rel="stylesheet" type="text/css" href="${encodeHTML(config.docRoot)}/admin.css">
 
 </head>
 
@@ -12,11 +12,10 @@
 <table border="0" cellpadding="2" cellspacing="1">
   <tr>
     <td colspan="5">
-        <form method="post" action="${config.actionRoot}">
+        <form method="post" action="${encodeHTML(config.actionRoot)}">
 	<input type="hidden" name="module" value="Comment">
 	<input type="hidden" name="do" value="list">
-	<input type="hidden" name="offset" value="${data.offset}">
-	<input type="text" size="10" maxlength="20" name="query_text" value="${data.query_text}">
+	<input type="text" size="10" maxlength="20" name="query_text" value="${encodeHTML(data.query_text)}">
 	<select name="query_field">
     <option value="title"<if data.query_field=="title"> selected</if>>${lang("comment.title")}</option>
     <option value="creator"<if data.query_field=="creator"> selected</if>>${lang("comment.creator")}</option>
@@ -48,45 +47,45 @@
   <list data.contentlist as entry>
   <tr <if grey=="1"><assign grey="0">class="list1"<else><assign grey="1">class="list2"</if>>
 
-		<td>${entry.webdb_create_short}<br>
+		<td>${encodeHTML(entry.webdb_create_short)}<br>
   	<if entry.is_published=="0"><font color="Brown">V</font><else>-</if>
 		</td>
 
 		<td>
-			<if entry.title><b>${entry.title}</b><br></if>
-			<if entry.creator>Von: ${entry.creator}<br></if>
-			<font size="-1">${entry.description}</font>
-			<if entry.main_url><br>URL: ${entry.main_url}</if>
-			<br><a href="${config.actionRoot}?module=Comment&do=edit&order=${data.order}&offset=${data.offset}&id=${entry.id}">${lang("edit")}</a>
+			<if entry.title><b>${encodeHTML(entry.title)}</b><br></if>
+			<if entry.creator>Von: ${encodeHTML(entry.creator)}<br></if>
+			<font size="-1">${encodeHTML(entry.description)}</font>
+			<if entry.main_url><br>URL: ${encodeHTML(entry.main_url)}</if>
+			<br><a href="${encodeHTML(config.actionRoot)}?module=Comment&do=edit&order=${encodeHTML(data.order)}&offset=${encodeHTML(data.offset)}&id=${encodeHTML(entry.id)}">${lang("edit")}</a>
 		</td>
 
 
 		<td>
 				${data.articleHash[entry.to_media]["title"]}<br>
-				<a href="${config.actionRoot}?module=Content&do=edit&id=${data.articleHash[entry.to_media]["id"]}">
+				<a href="${encodeHTML(config.actionRoot)}?module=Content&do=edit&id=${data.articleHash[entry.to_media]["id"]}">
 				edit</a> |
-				<a href="${config.productionHost}${config.producerDocRoot}${data.articleHash[entry.to_media]["publish_path"]}${data.articleHash[entry.to_media]["id"]}.shtml">
+				<a href="${encodeHTML(config.productionHost)}${encodeHTML(config.producerDocRoot)}${data.articleHash[entry.to_media]["publish_path"]}${data.articleHash[entry.to_media]["id"]}.shtml">
 				view</a>
 		</td>
 
-		<td><font size="1">&nbsp;<a href="${config.actionRoot}?module=Comment&do=delete&id=${entry.id}">${lang("delete")}</a>
+		<td><font size="1">&nbsp;<a href="${config.actionRoot}?module=Comment&do=delete&id=${entry.id}&query_text=${encodeHTML(data.query_text_encoded)}&query_field=${encodeHTML(data.query_field)}&query_is_published=${data.query_is_published}&query_media_folder=${data.query_media_folder}&offset=${data.offset}&order=${data.order}">${lang("delete")}</a>
 			</font></td>
 
 	</tr>
   </list>
 
   <tr>
-    <td colspan="3" bgcolor="#006600"><font color="#ffffff">${data.count} ${lang("records")}
+    <td colspan="3" bgcolor="#006600"><font color="#ffffff">${encodeHTML(data.count)} ${lang("records")}
       / ${lang("show_from_to", data.from, data.to)}</font></td>
     <td>&nbsp;</td>
   </tr>
 <tr><td>
 
 <if data.prev>
-<a href="${config.actionRoot}?module=Comment&do=list&order=${data.order}&query_text=${data.query_text_encoded}&query_field=${data.query_field}&query_is_published=${data.query_is_published}&query_media_folder=${data.query_media_folder}&offset=${data.prev}&prev=zur&uuml;ck">zurueck</a>&nbsp;
+<a href="${encodeHTML(config.actionRoot)}?module=Comment&do=list&order=${encodeHTML(data.order)}&query_text=${encodeHTML(data.query_text_encoded)}&query_field=${encodeHTML(data.query_field)}&query_is_published=${encodeHTML(data.query_is_published)}&query_media_folder=${encodeHTML(data.query_media_folder)}&offset=${encodeHTML(data.prev)}&prev=zur&uuml;ck">zurueck</a>&nbsp;
 </if>
 <if data.next>
-<a href="${config.actionRoot}?module=Comment&do=list&order=${data.order}&query_text=${data.query_text_encoded}&query_field=${data.query_field}&query_is_published=${data.query_is_published}&query_media_folder=${data.query_media_folder}&offset=${data.next}&next=weiter">weiter</a>
+<a href="${encodeHTML(config.actionRoot)}?module=Comment&do=list&order=${encodeHTML(data.order)}&query_text=${encodeHTML(data.query_text_encoded)}&query_field=${encodeHTML(data.query_field)}&query_is_published=${encodeHTML(data.query_is_published)}&query_media_folder=${encodeHTML(data.query_media_folder)}&offset=${encodeHTML(data.next)}&next=weiter">weiter</a>
 </if>
 </td></tr>
 <else>
-- 
2.11.0