Escaping user input

pkp · Mar 10, 2019 · d201482 · d201482
1 parent e5e0810
commit d201482
Show file tree

Hide file tree

Showing 9 changed files with 11 additions and 11 deletions.
diff --git a/templates/frontend/objects/article_details.tpl b/templates/frontend/objects/article_details.tpl
@@ -338,13 +338,13 @@
 			{if $licenseUrl}
 				{if $ccLicenseBadge}
 					{if $copyrightHolder}
-						<p>{translate key="submission.copyrightStatement" copyrightHolder=$copyrightHolder copyrightYear=$copyrightYear}</p>
+						<p>{translate key="submission.copyrightStatement" copyrightHolder=$copyrightHolder|escape copyrightYear=$copyrightYear|escape}</p>
 					{/if}
 					{$ccLicenseBadge}
 				{else}
 					<a href="{$licenseUrl|escape}" class="copyright">
 						{if $copyrightHolder}
-							{translate key="submission.copyrightStatement" copyrightHolder=$copyrightHolder copyrightYear=$copyrightYear}
+							{translate key="submission.copyrightStatement" copyrightHolder=$copyrightHolder|escape copyrightYear=$copyrightYear|escape}
 						{else}
 							{translate key="submission.license"}
 						{/if}

diff --git a/templates/frontend/objects/issue_toc.tpl b/templates/frontend/objects/issue_toc.tpl
@@ -26,7 +26,7 @@
 		{strip}
 		<h{if $requestedOp === "issue"}1{else}2{/if} class="issue__title">
 			{if $issue->getShowVolume() || $issue->getShowNumber()}
-				{if $issue->getShowVolume()|escape}
+				{if $issue->getShowVolume()}
 					<span class="issue__volume">{translate key="issue.volume"} {$issue->getVolume()|escape}{if $issue->getShowNumber()}, {/if}</span>
 				{/if}
 				{if $issue->getShowNumber()}

diff --git a/templates/frontend/pages/announcement.tpl b/templates/frontend/pages/announcement.tpl
@@ -9,7 +9,7 @@
  *
  * @uses $announcement Announcement The announcement to display
  *}
-{include file="frontend/components/header.tpl" pageTitleTranslated=$announcement->getLocalizedTitle()}
+{include file="frontend/components/header.tpl" pageTitleTranslated=$announcement->getLocalizedTitle()|escape}
 
 <main class="container main__content" id="immersion_content_main">
 	<div class="row">

diff --git a/templates/frontend/pages/issue.tpl b/templates/frontend/pages/issue.tpl
@@ -14,7 +14,7 @@
  * @uses $issueGalleys array Galleys for the entire issue
  * @uses $primaryGenreIds array List of file genre IDs for primary types
  *}
-{include file="frontend/components/header.tpl" pageTitleTranslated=$issueIdentification}
+{include file="frontend/components/header.tpl" pageTitleTranslated=$issueIdentification|escape}
 
 <main id="immersion_content_main">
 	<section class="issue{if !$issue} issue__empty{/if}">

diff --git a/templates/frontend/pages/navigationMenuItemViewContent.tpl b/templates/frontend/pages/navigationMenuItemViewContent.tpl
@@ -7,7 +7,7 @@
  *
  * Display NavigationMenuItem content
  *}
-{include file="frontend/components/header.tpl" pageTitleTranslated=$title}
+{include file="frontend/components/header.tpl" pageTitleTranslated=$title|escape}
 
 <main class="container main__content" id="immersion_content_main">
 	<div class="row">

diff --git a/templates/frontend/pages/privacy.tpl b/templates/frontend/pages/privacy.tpl
@@ -20,7 +20,7 @@
 				</h1>
 			</header>
 			<div class="content-body">
-				{$currentContext->getLocalizedSetting('privacyStatement')}
+				{$privacyStatement}
 			</div>
 		</div>
 	</div>

diff --git a/templates/plugins/generic/htmlArticleGalley/display.tpl b/templates/plugins/generic/htmlArticleGalley/display.tpl
@@ -9,7 +9,7 @@
  *}
 <!DOCTYPE html>
 <html lang="{$currentLocale|replace:"_":"-"}" xml:lang="{$currentLocale|replace:"_":"-"}">
-{translate|assign:"pageTitleTranslated" key="article.pageTitle" title=$article->getLocalizedTitle()}
+{translate|assign:"pageTitleTranslated" key="article.pageTitle" title=$article->getLocalizedTitle()|escape}
 {include file="frontend/components/headerHead.tpl"}
 <body class="pkp_page_{$requestedPage|escape} pkp_op_{$requestedOp|escape}">
 

diff --git a/templates/plugins/generic/pdfJsViewer/templates/display.tpl b/templates/plugins/generic/pdfJsViewer/templates/display.tpl
@@ -22,7 +22,7 @@
 <head>
 	<meta http-equiv="Content-Type" content="text/html; charset={$defaultCharset|escape}" />
 	<meta name="viewport" content="width=device-width, initial-scale=1.0">
-	<title>{translate key="article.pageTitle" title=$title}</title>
+	<title>{translate key="article.pageTitle" title=$title|escape}</title>
 
 	{load_header context="frontend" headers=$headers}
 	{load_stylesheet context="frontend" stylesheets=$stylesheets}
@@ -43,7 +43,7 @@
 						{translate key="article.return"}
 					{/if}
 				</span>
-			{$title}
+			{$title|escape}
 		</a>
 	</div>
 	<div class="pdf-download-button">

diff --git a/templates/plugins/generic/staticPages/templates/content.tpl b/templates/plugins/generic/staticPages/templates/content.tpl
@@ -7,7 +7,7 @@
  *
  * Display Static Page content
  *}
-{include file="frontend/components/header.tpl" pageTitleTranslated=$title}
+{include file="frontend/components/header.tpl" pageTitleTranslated=$title|escape}
 
 <main class="container main__content">
 	<div class="row">