From 8159cc99a64cfe563dccea6821348764fc40fb85 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot <contact@fredericguillot.com>
Date: Mon, 24 Feb 2014 18:29:09 -0500
Subject: Improve HTML escaping

---
 lib/translator.php           | 6 ++++--
 templates/board_remove.php   | 2 +-
 templates/config_index.php   | 9 ++++++---
 templates/project_remove.php | 2 +-
 templates/user_index.php     | 2 +-
 templates/user_remove.php    | 2 +-
 6 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/lib/translator.php b/lib/translator.php
index d9d9a84a..75d40a23 100644
--- a/lib/translator.php
+++ b/lib/translator.php
@@ -11,6 +11,10 @@ namespace Translator {
         \array_shift($args);
         \array_unshift($args, get($identifier, $identifier));
 
+        foreach ($args as &$arg) {
+            $arg = htmlspecialchars($arg, ENT_QUOTES, 'UTF-8', false);
+        }
+
         return \call_user_func_array(
             'sprintf',
             $args
@@ -77,7 +81,6 @@ namespace Translator {
             foreach ($dir as $fileinfo) {
 
                 if (strpos($fileinfo->getFilename(), '.php') !== false) {
-
                     $locales = array_merge($locales, include $fileinfo->getPathname());
                 }
             }
@@ -91,7 +94,6 @@ namespace Translator {
         static $values = array();
 
         if ($locales !== null) {
-
             $values = $locales;
         }
 
diff --git a/templates/board_remove.php b/templates/board_remove.php
index c95c8a28..b406eb38 100644
--- a/templates/board_remove.php
+++ b/templates/board_remove.php
@@ -5,7 +5,7 @@
 
     <div class="confirm">
         <p class="alert alert-info">
-            <?= t('Do you really want to remove this column: "%s"?', Helper\escape($column['title'])) ?>
+            <?= t('Do you really want to remove this column: "%s"?', $column['title']) ?>
             <?= t('This action will REMOVE ALL TASKS associated to this column!') ?>
         </p>
 
diff --git a/templates/config_index.php b/templates/config_index.php
index 5012538a..d94ee8b9 100644
--- a/templates/config_index.php
+++ b/templates/config_index.php
@@ -27,7 +27,10 @@
                     <?= t('Webhooks token:') ?>
                     <strong><?= Helper\escape($values['webhooks_token']) ?></strong>
                 </li>
-                <li><?= t('Database size:') ?> <strong><?= Helper\format_bytes($db_size) ?></strong></li>
+                <li>
+                    <?= t('Database size:') ?>
+                    <strong><?= Helper\format_bytes($db_size) ?></strong>
+                </li>
                 <li>
                     <a href="?controller=config&amp;action=downloadDb"><?= t('Download the database') ?></a>
                     <?= t('(Gzip compressed Sqlite file)') ?>
@@ -38,7 +41,7 @@
                 </li>
                 <li>
                     <?= t('Official website:') ?>
-                    <a href="http://kanboard.net/" target="_blank">http://kanboard.net/</a>
+                    <a href="http://kanboard.net/" target="_blank" rel="noreferer">http://kanboard.net/</a>
                 </li>
                 <li>
                     <?= t('Application version:') ?>
@@ -55,7 +58,7 @@
         <ul>
             <li>
                 <strong><?= t('My default project:') ?> </strong>
-                <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? $projects[$user['default_project_id']] : t('None') ?>,
+                <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? Helper\escape($projects[$user['default_project_id']]) : t('None') ?>,
                 <a href="?controller=user&amp;action=edit&amp;user_id=<?= $user['id'] ?>"><?= t('edit') ?></a>
             </li>
         </ul>
diff --git a/templates/project_remove.php b/templates/project_remove.php
index f63c4031..e9f213b5 100644
--- a/templates/project_remove.php
+++ b/templates/project_remove.php
@@ -5,7 +5,7 @@
 
     <div class="confirm">
         <p class="alert alert-info">
-            <?= t('Do you really want to remove this project: "%s"?', Helper\escape($project['name'])) ?>
+            <?= t('Do you really want to remove this project: "%s"?', $project['name']) ?>
         </p>
 
         <div class="form-actions">
diff --git a/templates/user_index.php b/templates/user_index.php
index 4b539599..ccc955fc 100644
--- a/templates/user_index.php
+++ b/templates/user_index.php
@@ -27,7 +27,7 @@
                     <?= $user['is_admin'] ? t('Yes') : t('No') ?>
                 </td>
                 <td>
-                    <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? $projects[$user['default_project_id']] : t('None'); ?>
+                    <?= (isset($user['default_project_id']) && isset($projects[$user['default_project_id']])) ? Helper\escape($projects[$user['default_project_id']]) : t('None'); ?>
                 </td>
                 <td>
                     <?php if (Helper\is_admin() || Helper\is_current_user($user['id'])): ?>
diff --git a/templates/user_remove.php b/templates/user_remove.php
index e1dc6f7b..a4db2e4a 100644
--- a/templates/user_remove.php
+++ b/templates/user_remove.php
@@ -4,7 +4,7 @@
     </div>
 
     <div class="confirm">
-        <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', Helper\escape($user['username'])) ?></p>
+        <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', $user['username']) ?></p>
 
         <div class="form-actions">
             <a href="?controller=user&amp;action=remove&amp;user_id=<?= $user['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
-- 
cgit v1.2.3