From aac678de48da6057ab9c93196755bacd49ef1a01 Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Wed, 10 Oct 2018 13:08:24 +0900
Subject: [PATCH] Explicitly declare noescape

---
 common/tpl/common_layout.html                          | 10 +++++-----
 common/tpl/default_layout.html                         |  2 +-
 common/tpl/popup_layout.html                           |  2 +-
 layouts/default/layout.html                            |  2 +-
 layouts/simple_world/layout.html                       |  6 +++---
 layouts/user_layout/layout.html                        |  2 +-
 layouts/xedition/layout.html                           |  2 +-
 m.layouts/colorCode/layout.html                        |  2 +-
 m.layouts/default/layout.html                          |  2 +-
 m.layouts/simpleGray/layout.html                       |  2 +-
 modules/admin/tpl/layout.html                          |  2 +-
 modules/admin/tpl/popup_layout.html                    |  2 +-
 .../communication/m.skins/default/read_message.html    |  2 +-
 .../communication/m.skins/default/send_message.html    |  2 +-
 modules/communication/m.skins/rx_prn/new_message.html  |  2 +-
 modules/communication/m.skins/rx_prn/send_message.html |  2 +-
 modules/communication/skins/default/messages.html      |  2 +-
 modules/communication/skins/default/new_message.html   |  2 +-
 modules/communication/skins/default/send_message.html  |  2 +-
 .../communication/skins/simple_world/new_message.html  |  2 +-
 .../communication/skins/simple_world/send_message.html |  2 +-
 modules/editor/tpl/config_preview.html                 |  2 +-
 modules/editor/tpl/editor_frame.html                   |  2 +-
 modules/editor/tpl/popup.html                          |  2 +-
 modules/editor/tpl/preview.html                        |  2 +-
 modules/layout/tpl/layout_modify.html                  |  2 +-
 modules/widget/tpl/add_content_widget.html             |  2 +-
 27 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/common/tpl/common_layout.html b/common/tpl/common_layout.html
index d82cf2c11..43bd43d4d 100644
--- a/common/tpl/common_layout.html
+++ b/common/tpl/common_layout.html
@@ -44,7 +44,7 @@
 <block loop="Context::getOpenGraphData() => $og_metadata">
 <meta property="{$og_metadata['property']}" content="{$og_metadata['content']}" />
 </block>
-{Context::getHtmlHeader()}
+{Context::getHtmlHeader()|noescape}
 
 <!-- COMMON JS VARIABLES -->
 <script>
@@ -63,12 +63,12 @@
 </head>
 
 <!-- BODY START -->
-<body{Context::getBodyClass()}>
+<body{Context::getBodyClass()|noescape}>
 
 <!-- PAGE CONTENT -->
-{Context::getBodyHeader()}
-{$content}
-{Context::getHtmlFooter()}
+{Context::getBodyHeader()|noescape}
+{$content|noescape}
+{Context::getHtmlFooter()|noescape}
 
 <!-- ETC -->
 <div id="rhymix_waiting" class="wfsr" cond="!$m">{$lang->msg_call_server}</div>
diff --git a/common/tpl/default_layout.html b/common/tpl/default_layout.html
index d9f1e44a0..77817d406 100644
--- a/common/tpl/default_layout.html
+++ b/common/tpl/default_layout.html
@@ -1 +1 @@
-{$content}
+{$content|noescape}
diff --git a/common/tpl/popup_layout.html b/common/tpl/popup_layout.html
index 0de748562..656dcfae7 100644
--- a/common/tpl/popup_layout.html
+++ b/common/tpl/popup_layout.html
@@ -1,7 +1,7 @@
 <load target="../../modules/admin/tpl/css/admin.bootstrap.css" />
 <load target="../../modules/admin/tpl/css/admin.css" />
 <div class="x popup">
-    {$content}
+    {$content|noescape}
 </div>
 <script>
 	jQuery(function() {
diff --git a/layouts/default/layout.html b/layouts/default/layout.html
index dc0d4817c..736d8e5b5 100644
--- a/layouts/default/layout.html
+++ b/layouts/default/layout.html
@@ -98,7 +98,7 @@
 		<!-- /LNB -->
 		<!-- CONTENT -->
 		<div class="content" id="content">
-			{$content}
+			{$content|noescape}
 		</div>
 		<!-- /CONTENT -->
 	</div>
diff --git a/layouts/simple_world/layout.html b/layouts/simple_world/layout.html
index 76d784406..23adb481c 100644
--- a/layouts/simple_world/layout.html
+++ b/layouts/simple_world/layout.html
@@ -138,9 +138,9 @@
 			</section>
 		</div>
 		<div class="layout_content" id="content">
-			{$layout_info->before_content}
-			{$content}
-			{$layout_info->after_content}
+			{$layout_info->before_content|noescape}
+			{$content|noescape}
+			{$layout_info->after_content|noescape}
 		</div>
 		<!--// CONTENT -->
 		<div class="layout_outright" cond="trim($layout_info->right_content)">
diff --git a/layouts/user_layout/layout.html b/layouts/user_layout/layout.html
index 0a2f46f6f..bd8e4afaf 100644
--- a/layouts/user_layout/layout.html
+++ b/layouts/user_layout/layout.html
@@ -40,7 +40,7 @@
 			</ul>
 		</div>
 		<hr />
-		<div class="content">.content{$content}</div>
+		<div class="content">.content{$content|noescape}</div>
 	</div>
 	<hr />
 	<div class="footer">.footer</div>
diff --git a/layouts/xedition/layout.html b/layouts/xedition/layout.html
index dcd02c047..3c38e3b17 100644
--- a/layouts/xedition/layout.html
+++ b/layouts/xedition/layout.html
@@ -371,7 +371,7 @@
 		<!-- /LNB -->
 		<!-- CONTENT -->
 			<div class="content" id="content">
-				{$content}
+				{$content|noescape}
 			</div>
 			<!--@if($layout_info->use_demo === 'Y')-->
 				<include target="./demo/welcome_main.html" />
diff --git a/m.layouts/colorCode/layout.html b/m.layouts/colorCode/layout.html
index 856348271..2355c477c 100644
--- a/m.layouts/colorCode/layout.html
+++ b/m.layouts/colorCode/layout.html
@@ -24,7 +24,7 @@
 </header>
 <hr class="head_hr" />
 <section id="ct" class="ct">
-{$content}
+{$content|noescape}
 </section>
 <footer class="lo_foot">
 	<ul class="link">
diff --git a/m.layouts/default/layout.html b/m.layouts/default/layout.html
index bed11053d..3af2ff8e7 100644
--- a/m.layouts/default/layout.html
+++ b/m.layouts/default/layout.html
@@ -19,7 +19,7 @@
 		<!--@end-->
 	<!--@end-->
 </div>
-{$content}
+{$content|noescape}
 <ul class="ft">
 	<!--@if($is_logged)-->
 	<li class="fl"><a href="{getUrl('act','dispMemberLogout')}">{$lang->cmd_logout}</a></li>
diff --git a/m.layouts/simpleGray/layout.html b/m.layouts/simpleGray/layout.html
index 6f7b68525..f2e93728d 100644
--- a/m.layouts/simpleGray/layout.html
+++ b/m.layouts/simpleGray/layout.html
@@ -5,7 +5,7 @@
 	<div class="fr"><a href="{getUrl('act','dispMenuMenu','menu_srl',$layout_info->menu->main_menu->menu_srl)}" class="bn">{$lang->menu}</a></div>
 	<!--@end-->
 </div>
-{$content}
+{$content|noescape}
 <ul class="eg ft">
 	<!--@if($is_logged)-->
 	<li class="fl"><a href="{getUrl('act','dispMemberLogout')}">{$lang->cmd_logout}</a></li>
diff --git a/modules/admin/tpl/layout.html b/modules/admin/tpl/layout.html
index f9435b70a..500b3e206 100644
--- a/modules/admin/tpl/layout.html
+++ b/modules/admin/tpl/layout.html
@@ -6,7 +6,7 @@
 			{$lang->get('admin.msg_blacklisted_reason.'.$blacklisted_plugin_name)}
 		</p>
 	</div>
-	{$content}
+	{$content|noescape}
 </div>
 <include target="./_footer.html" />
 
diff --git a/modules/admin/tpl/popup_layout.html b/modules/admin/tpl/popup_layout.html
index 9b72a5f56..8ea0c351f 100644
--- a/modules/admin/tpl/popup_layout.html
+++ b/modules/admin/tpl/popup_layout.html
@@ -1,7 +1,7 @@
 <include target="./_admin_common.html" />
 <div class="x">
 	<div class="content" id="content">
-		{$content}
+		{$content|noescape}
 	</div>
 </div>
 <script>opener.top.fullSetupWinLoaded();</script>
diff --git a/modules/communication/m.skins/default/read_message.html b/modules/communication/m.skins/default/read_message.html
index 9a7d68407..baa758265 100644
--- a/modules/communication/m.skins/default/read_message.html
+++ b/modules/communication/m.skins/default/read_message.html
@@ -4,7 +4,7 @@
 	<h2>{$message->title}</h2><span class="ex">{$message->nick_name} | {zdate($message->regdate, "Y.m.d H:i")}</span>
 </div>
 <div class="co">
-	<div class="xe_content">{$message->content}</div>
+	<div class="xe_content">{$message->content|noescape}</div>
 </div>
 <div class="bna">
 	<span class="fl"><a href="{getUrl('message_srl', '')}" class="bn white">{$lang->cmd_list}</a></span>
diff --git a/modules/communication/m.skins/default/send_message.html b/modules/communication/m.skins/default/send_message.html
index bf65f38ae..fadd0c342 100644
--- a/modules/communication/m.skins/default/send_message.html
+++ b/modules/communication/m.skins/default/send_message.html
@@ -35,7 +35,7 @@
 			<input type="text" name="title" id="message_title" value="{$source_message->title}"/>
 		</li>
 		<li class="xe_content">
-			{$source_message->content}
+			{$source_message->content|noescape}
 		</li>
 		<li>
 			<label for="message_content">{$lang->content}</label>
diff --git a/modules/communication/m.skins/rx_prn/new_message.html b/modules/communication/m.skins/rx_prn/new_message.html
index 74cde0577..24ea7870e 100644
--- a/modules/communication/m.skins/rx_prn/new_message.html
+++ b/modules/communication/m.skins/rx_prn/new_message.html
@@ -7,7 +7,7 @@
 			<a href="popup_menu_area" class="member_{$message->member_srl}">{$message->nick_name}</a> / {zdate($message->regdate, "Y-m-d H:i")}
 		</div>
 		<div class="xe_content">
-			{$message->content}
+			{$message->content|noescape}
 		</div>
 		<div class="prn-anchor-buttons">
 			<a cond="$message->message_type != 'S' && $message->member_srl != $logged_info->member_srl" href="#" onclick="doSendMessage('{$message->sender_srl}','{$message->message_srl}');">{$lang->cmd_reply_message}</a>
diff --git a/modules/communication/m.skins/rx_prn/send_message.html b/modules/communication/m.skins/rx_prn/send_message.html
index 378c35b22..0192b0ccc 100644
--- a/modules/communication/m.skins/rx_prn/send_message.html
+++ b/modules/communication/m.skins/rx_prn/send_message.html
@@ -30,7 +30,7 @@
 				<label for="message_send_mail"><input type="checkbox" value="Y" name="send_mail" id="message_send_mail" /> {$lang->cmd_send_mail}</label>
 				<div class="rx_prn-notice info">{$lang->msg_send_mail_privacy}</div>
 			</div>
-			{$editor}
+			{$editor|noescape}
 			<div class="control-group">
 				<input type="submit" value="{$lang->cmd_send_message}" />
 			</div>
diff --git a/modules/communication/skins/default/messages.html b/modules/communication/skins/default/messages.html
index 0e6d94f6a..773248ca5 100644
--- a/modules/communication/skins/default/messages.html
+++ b/modules/communication/skins/default/messages.html
@@ -29,7 +29,7 @@
 	</tr>
 	<tr>
 		<td class="xe_content">
-			{$message->content}
+			{$message->content|noescape}
 		</td>
 	</tr>
 </table>
diff --git a/modules/communication/skins/default/new_message.html b/modules/communication/skins/default/new_message.html
index 66b992d41..e5c75ac3a 100644
--- a/modules/communication/skins/default/new_message.html
+++ b/modules/communication/skins/default/new_message.html
@@ -14,7 +14,7 @@
 			<td>{htmlspecialchars($message->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}</td>
 		</tr>
 		<tr>
-			<td colspan="2" class="xe_content">{$message->content}</td>
+			<td colspan="2" class="xe_content">{$message->content|noescape}</td>
 		</tr>
 	</table>
 	<div class="btnArea">
diff --git a/modules/communication/skins/default/send_message.html b/modules/communication/skins/default/send_message.html
index 2a9ffe14b..cb6e066dc 100644
--- a/modules/communication/skins/default/send_message.html
+++ b/modules/communication/skins/default/send_message.html
@@ -35,7 +35,7 @@
 				<td><input type="checkbox" value="Y" name="send_mail" /> {$lang->cmd_send_mail} <span class="explanation">{$lang->msg_send_mail_privacy}</span></td>
 			</tr>
 		</table>
-		{$editor}
+		{$editor|noescape}
 		<div class="btnArea">
 			<input type="submit" value="{$lang->cmd_send_message}" class="btn btn-inverse" />
 		</div>
diff --git a/modules/communication/skins/simple_world/new_message.html b/modules/communication/skins/simple_world/new_message.html
index 43c29a070..d1a160fa0 100644
--- a/modules/communication/skins/simple_world/new_message.html
+++ b/modules/communication/skins/simple_world/new_message.html
@@ -6,7 +6,7 @@
 		<a href="popup_menu_area" class="member_{$message->member_srl}">{$message->nick_name}</a> / {zdate($message->regdate, "Y-m-d H:i")}
 	</div>
 	<div class="xe_content">
-		{$message->content}
+		{$message->content|noescape}
 	</div>
 	<div class="sw-footer sw-anchor-buttons">
 		<a cond="$message->message_type != 'S' && $message->member_srl != $logged_info->member_srl" href="#" onclick="doSendMessage('{$message->sender_srl}','{$message->message_srl}');">{$lang->cmd_reply_message}</a>
diff --git a/modules/communication/skins/simple_world/send_message.html b/modules/communication/skins/simple_world/send_message.html
index 79f1a8a22..90ba091c3 100644
--- a/modules/communication/skins/simple_world/send_message.html
+++ b/modules/communication/skins/simple_world/send_message.html
@@ -29,7 +29,7 @@
 				<br>{$lang->msg_allow_message_please}
 			</div>
 		</div>
-		{$editor}
+		{$editor|noescape}
 		<div class="control-group">
 			<input type="submit" value="{$lang->cmd_send_message}" />
 		</div>
diff --git a/modules/editor/tpl/config_preview.html b/modules/editor/tpl/config_preview.html
index 2fbcfd03c..b5588ae6a 100644
--- a/modules/editor/tpl/config_preview.html
+++ b/modules/editor/tpl/config_preview.html
@@ -1,5 +1,5 @@
 	<form onSubmit="return false">	
 		<input type="hidden" name="dummy_content" />
 		<input type="hidden" name="dummy_key" value="1" />
-		<p>{$editor}</p>
+		<p>{$editor|noescape}</p>
 	</form>
diff --git a/modules/editor/tpl/editor_frame.html b/modules/editor/tpl/editor_frame.html
index 3c96e7ca2..4575263e5 100644
--- a/modules/editor/tpl/editor_frame.html
+++ b/modules/editor/tpl/editor_frame.html
@@ -14,5 +14,5 @@
 <form>
 	<input type="hidden" name="primary_key" id="primary_key" value="" />
 	<input type="hidden" name="content" id="content" value="" />
-	{$editor}
+	{$editor|noescape}
 </form>
diff --git a/modules/editor/tpl/popup.html b/modules/editor/tpl/popup.html
index e1e981475..aa8c8f175 100644
--- a/modules/editor/tpl/popup.html
+++ b/modules/editor/tpl/popup.html
@@ -1,3 +1,3 @@
 <div>
-{$popup_content}
+{$popup_content|noescape}
 </div>
diff --git a/modules/editor/tpl/preview.html b/modules/editor/tpl/preview.html
index 151b89f55..2d996e430 100644
--- a/modules/editor/tpl/preview.html
+++ b/modules/editor/tpl/preview.html
@@ -1,4 +1,4 @@
 <script>
     top.xAddEventListener(window, 'load', function() { top.showPreviewContent({$editor_sequence}); } );
 </script>
-{$content}
+{$content|noescape}
diff --git a/modules/layout/tpl/layout_modify.html b/modules/layout/tpl/layout_modify.html
index 8fdcc28d2..dc1e22014 100644
--- a/modules/layout/tpl/layout_modify.html
+++ b/modules/layout/tpl/layout_modify.html
@@ -1,3 +1,3 @@
 <load target="js/layout_modify.js" />
 <include target="header.html" />
-{$content}
+{$content|noescape}
diff --git a/modules/widget/tpl/add_content_widget.html b/modules/widget/tpl/add_content_widget.html
index 9d1a4dc3a..ac8093ecd 100644
--- a/modules/widget/tpl/add_content_widget.html
+++ b/modules/widget/tpl/add_content_widget.html
@@ -15,7 +15,7 @@
 	</div>
 	<div class="x_modal-body">
 		<div class="pageAddContent"></div>
-		<div class="editor">{$editor}</div>
+		<div class="editor">{$editor|noescape}</div>
 		<script>xAddEventListener(window, 'load', doSyncPageContent);</script>
 	</div>
 	<div class="x_modal-footer">