#566 escape untrusted strings

bedita-app/views/elements/form_tags.tpl

@@ -40,7 +40,7 @@ $(document).ready(function(){
 	<textarea name="tags" class="autogrowarea" style="display:block; margin-bottom:10px; width:470px" id="tagsArea">
 	{if !empty($object.Tag)}
 		{foreach from=$object.Tag item="tag" name="ft"}
-			{$tag.label}{if !$smarty.foreach.ft.last}, {/if}
+			{$tag.label|escape}{if !$smarty.foreach.ft.last}, {/if}
 		{/foreach}
 	{/if}
 	</textarea>

bedita-app/views/elements/list_objects.tpl

@@ -85,10 +85,10 @@ var sel_copy_to_msg = "{t}Select a destination to 'copy to'{/t}";
 
 			</td>
 			<td style="min-width:300px">
-				<a href="{$html->url('view/')}{$objects[i].id}">{$objects[i].title|truncate:64|default:"<i>[no title]</i>"}</a>
+				<a href="{$html->url('view/')}{$objects[i].id}">{$objects[i].title|truncate:64|default:"<i>[no title]</i>"|escape}</a>
 				<div class="description" id="desc_{$objects[i].id}">
 					<label>nickname:</label> {$objects[i].nickname}<br />
-					{$objects[i].description}
+					{$objects[i].description|escape}
 				</div>
 			</td>
 			<td class="checklist detail" style="text-align:left;">
@@ -105,9 +105,9 @@ var sel_copy_to_msg = "{t}Select a destination to 'copy to'{/t}";
 					<td class="custom-property-cell">
 					{if !empty($objects[i].customProperties[$p.name]) && $p.object_type_id == $objects[i].object_type_id}
 						{if is_array($objects[i].customProperties[$p.name])}
-							{$objects[i].customProperties[$p.name]|@implode:", "|truncate:80:"..."}
+							{$objects[i].customProperties[$p.name]|@implode:", "|truncate:80:"..."|escape}
 						{else}
-							{$objects[i].customProperties[$p.name]|truncate:80:"..."}
+							{$objects[i].customProperties[$p.name]|truncate:80:"..."|escape}
 						{/if}
 					{else}
 						-