Apply autoescape to admin module templates

2026-01-04 01:01:41 +09:00 · 2018-10-10 15:24:10 +09:00 · 2018-10-10 15:24:10 +09:00 · d9178e91d6
commit d9178e91d6
parent 24df74d618
20 changed files with 52 additions and 3 deletions
--- a/modules/admin/tpl/_admin_common.html
+++ b/modules/admin/tpl/_admin_common.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <load target="css/admin.bootstrap.css" />
 <load target="css/admin.iefix.css" />
 <load target="./../../../common/css/xeicon/xeicon.css" />
--- a/modules/admin/tpl/_dashboard_counter.html
+++ b/modules/admin/tpl/_dashboard_counter.html
@ -1,3 +1,4 @@
+<config autoescape="on" />
 <load target="js/dashboard_counter.js" />

 <div>
--- a/modules/admin/tpl/_dashboard_default.html
+++ b/modules/admin/tpl/_dashboard_default.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <div>
 	<section class="member">
 		<h2>{$lang->member}</h2>
--- a/modules/admin/tpl/_header.html
+++ b/modules/admin/tpl/_header.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <include target="./_admin_common.html" />
 {Context::addMetaTag("viewport", "width=device-width, user-scalable=yes")}
 <script>
@ -25,7 +27,7 @@
 			<a class="default_header" href="{getUrl('','module','admin')}"><i class="xi xi-cog"></i></a>
 			<a class="mobile_menu_open" href="#gnbNav"><i class="xi xi-bars"></i></a>
 		</h1>
-		<p class="site"><a href="{$xe_default_url}">{$site_module_info->settings->title ?: $xe_default_url}</a></p>
+		<p class="site"><a href="{$xe_default_url}">{$site_module_info->settings->title ?: $xe_default_url|noescape}</a></p>
 		<!--@end-->
 		<div class="account">
 			<ul>
--- a/modules/admin/tpl/admin_setup.html
+++ b/modules/admin/tpl/admin_setup.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <load target="./js/menu_setup.js" usecdn="true" />
 <div class="x_page-header">
 	<h1>{$lang->admin_setup}</h1>
--- a/modules/admin/tpl/config_advanced.html
+++ b/modules/admin/tpl/config_advanced.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_advanced/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/config_debug.html
+++ b/modules/admin/tpl/config_debug.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_debug/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/config_domains.html
+++ b/modules/admin/tpl/config_domains.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_domains/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
@ -24,7 +27,7 @@
 		<tbody>
 			<tr loop="$domain_list->data => $domain">
 				<td class="nowr">
-					{$domain->settings->title}
+					{$domain->settings->title|noescape}
 					<i cond="$domain->is_default_domain === 'Y'" class="x_icon-home" title="{$lang->cmd_is_default_domain}">{$lang->cmd_is_default_domain}</i>
 				</td>
 				<td class="nowr">{$domain->domain}</td>
--- a/modules/admin/tpl/config_domains_edit.html
+++ b/modules/admin/tpl/config_domains_edit.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_domains_edit/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
@ -8,7 +11,6 @@
 		<input type="hidden" name="act" value="procAdminInsertDomain" />
 		<input type="hidden" name="xe_validator_id" value="modules/admin/tpl/config_domains_edit/1" />
 		<input type="hidden" name="domain_srl" value="{$domain_info ? $domain_info->domain_srl : ''}" />
-		
 		<div class="x_control-group">
 			<label class="x_control-label">{$lang->site_title}</label>
 			<div class="x_controls">
--- a/modules/admin/tpl/config_ftp.html
+++ b/modules/admin/tpl/config_ftp.html
@ -1,5 +1,8 @@
+<config autoescape="on" />
+
 <load target="./js/config.js" />
 <load target="../../session/tpl/js/session.js" />
+
 <div class="x_page-header">
 	<h1>{$lang->menu_gnb_sub['adminConfigurationFtp']}</h1>
 </div>
--- a/modules/admin/tpl/config_header.html
+++ b/modules/admin/tpl/config_header.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <load target="./js/config.js" />
 <load target="../../session/tpl/js/session.js" />
 <div class="x_page-header">
--- a/modules/admin/tpl/config_notification.html
+++ b/modules/admin/tpl/config_notification.html
@ -1,5 +1,8 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
 <load target="js/notification_config.js" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_notification/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/config_security.html
+++ b/modules/admin/tpl/config_security.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_security/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/config_seo.html
+++ b/modules/admin/tpl/config_seo.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_seo/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/config_sitelock.html
+++ b/modules/admin/tpl/config_sitelock.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="config_header.html" />
+
 <div cond="$XE_VALIDATOR_MESSAGE && $XE_VALIDATOR_ID == 'modules/admin/tpl/config_sitelock/1'" class="message {$XE_VALIDATOR_MESSAGE_TYPE}">
 	<p>{$XE_VALIDATOR_MESSAGE}</p>
 </div>
--- a/modules/admin/tpl/favicon_upload.html
+++ b/modules/admin/tpl/favicon_upload.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <script>
 <!--@if($msg)-->
 	parent.alertUploadMessage('{$msg}');
--- a/modules/admin/tpl/index.html
+++ b/modules/admin/tpl/index.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <include target="./_header.html" />
+
 <load target="./js/excanvas.min.js" targetie="lt IE 9" />
 <load target="./js/jquery.jqplot.min.js" />
 <load target="./js/jqplot.barRenderer.min.js" />
--- a/modules/admin/tpl/layout.html
+++ b/modules/admin/tpl/layout.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <include target="./_header.html" />
 <div class="content" id="content">
 	<div cond="Context::isBlacklistedPlugin($blacklisted_plugin_name = strtolower(preg_replace('/^disp([A-Z][a-z0-9_]+)[A-Z].+$/', '$1', $act)))" class="message error" style="margin-top:15px">
--- a/modules/admin/tpl/popup_layout.html
+++ b/modules/admin/tpl/popup_layout.html
@ -1,3 +1,5 @@
+<config autoescape="on" />
+
 <include target="./_admin_common.html" />
 <div class="x">
 	<div class="content" id="content">
--- a/modules/admin/tpl/server_env.html
+++ b/modules/admin/tpl/server_env.html
@ -1,4 +1,7 @@
+<config autoescape="on" />
+
 <load target="./js/menu_setup.js" usecdn="true" />
+
 <div class="x_page-header">
 	<h1>{$lang->server_env}</h1>
 </div>