#7378 Fix reflected XSS issues

pkp · Oct 13, 2021 · b6b32e7 · b6b32e7
1 parent 11bfc64
commit b6b32e7
Show file tree

Hide file tree

Showing 13 changed files with 16 additions and 16 deletions.
diff --git a/templates/common/userDetails.tpl b/templates/common/userDetails.tpl
@@ -127,7 +127,7 @@
 					{else}
 						{assign var="checked" value=false}
 					{/if}
-					{fbvElement type="checkbox" name="userLocales[]" id="userLocales-$localeKey" value=$localeKey checked=$checked label=$localeName translate=false}
+					{fbvElement type="checkbox" name="userLocales[]" id="userLocales-$localeKey" value=$localeKey checked=$checked label=$localeName|escape translate=false}
 				{/foreach}
 			{/fbvFormSection}
 		{/if}

diff --git a/templates/controllers/grid/languages/installLanguageForm.tpl b/templates/controllers/grid/languages/installLanguageForm.tpl
@@ -22,7 +22,7 @@
 	{fbvFormArea id="availableLocalesFormArea" title="admin.languages.availableLocales"}
 		{fbvFormSection list="true" description="admin.languages.installNewLocalesInstructions"}
 			{foreach name=locales from=$notInstalledLocales item=locale}
-				{fbvElement type="checkbox" id="locale-$locale" name="localesToInstall[$locale]" value=$locale label=$allLocales.$locale translate=false}
+				{fbvElement type="checkbox" id="locale-$locale" name="localesToInstall[$locale]" value=$locale label=$allLocales.$locale|escape translate=false}
 			{foreachelse}
 				<p>{translate key="admin.languages.noLocalesAvailable"}</p>
 			{/foreach}

diff --git a/templates/controllers/grid/queries/form/queryForm.tpl b/templates/controllers/grid/queries/form/queryForm.tpl
@@ -31,7 +31,7 @@
 
 		{fbvFormSection list=true title="editor.submission.stageParticipants"}
 			{foreach from=$allParticipants item="participant" key="id"}
-				{fbvElement type="checkbox" id="users[]" value=$id checked=in_array($id, $assignedParticipants) label=$participant translate=false}
+				{fbvElement type="checkbox" id="users[]" value=$id checked=in_array($id, $assignedParticipants) label=$participant|escape translate=false}
 			{/foreach}
 		{/fbvFormSection}
 

diff --git a/templates/controllers/grid/settings/category/form/categoryForm.tpl b/templates/controllers/grid/settings/category/form/categoryForm.tpl
@@ -77,7 +77,7 @@
 		{if count($availableSubeditors)}
 			{fbvFormSection list=true title="submissionGroup.assignedSubEditors"}
 				{foreach from=$availableSubeditors item="subEditor" key="id"}
-					{fbvElement type="checkbox" id="subEditors[]" value=$id checked=in_array($id, $assignedToCategory) label=$subEditor translate=false}
+					{fbvElement type="checkbox" id="subEditors[]" value=$id checked=in_array($id, $assignedToCategory) label=$subEditor|escape translate=false}
 				{/foreach}
 			{/fbvFormSection}
 		{/if}

diff --git a/templates/controllers/grid/settings/user/form/userDetailsForm.tpl b/templates/controllers/grid/settings/user/form/userDetailsForm.tpl
@@ -57,7 +57,7 @@
 			{fbvFormSection}
 				{fbvFormSection list=true title="grid.user.userRoles"}
 					{foreach from=$allUserGroups item="userGroup" key="id"}
-						{fbvElement type="checkbox" id="userGroupIds[]" value=$id checked=in_array($id, $assignedUserGroups) label=$userGroup translate=false}
+						{fbvElement type="checkbox" id="userGroupIds[]" value=$id checked=in_array($id, $assignedUserGroups) label=$userGroup|escape translate=false}
 					{/foreach}
 				{/fbvFormSection}
 			{/fbvFormSection}

diff --git a/templates/controllers/grid/settings/user/form/userRoleForm.tpl b/templates/controllers/grid/settings/user/form/userRoleForm.tpl
@@ -18,14 +18,14 @@
 
 	{include file="controllers/notification/inPlaceNotification.tpl" notificationId="userRoleFormNotification"}
 
-	<h3>{translate key="grid.user.step2" userFullName=$userFullName}</h3>
+	<h3>{translate key="grid.user.step2" userFullName=$userFullName|escape}</h3>
 
 		<input type="hidden" id="userId" name="userId" value="{$userId|escape}" />
 
 		{fbvFormSection}
 			{fbvFormSection list=true title="grid.user.userRoles"}
 				{foreach from=$allUserGroups item="userGroup" key="id"}
-					{fbvElement type="checkbox" id="userGroupIds[]" value=$id checked=in_array($id, $assignedUserGroups) label=$userGroup translate=false}
+					{fbvElement type="checkbox" id="userGroupIds[]" value=$id checked=in_array($id, $assignedUserGroups) label=$userGroup|escape translate=false}
 				{/foreach}
 			{/fbvFormSection}
 		{/fbvFormSection}

diff --git a/templates/controllers/grid/users/stageParticipant/form/notify.tpl b/templates/controllers/grid/users/stageParticipant/form/notify.tpl
@@ -26,7 +26,7 @@
 			<input type="hidden" name="userId" value="{$userId|escape}"/>
 
 			{fbvFormSection title="stageParticipants.notify.startDiscussion"}
-				<p>{translate key="stageParticipants.notify.startDiscussion.description" userFullName=$userFullName}</p>
+				<p>{translate key="stageParticipants.notify.startDiscussion.description" userFullName=$userFullName|escape}</p>
 			{/fbvFormSection}
 
 			{fbvFormSection title="stageParticipants.notify.chooseMessage" for="template" size=$fbvStyles.size.medium}

diff --git a/templates/controllers/modals/editorDecision/form/bccReviewers.tpl b/templates/controllers/modals/editorDecision/form/bccReviewers.tpl
@@ -14,7 +14,7 @@
 		<span class="description">{translate key="submission.comments.sendCopyToReviewers"}</span>
 		<ul class="checkbox_and_radiobutton">
 			{foreach from=$reviewers item="name" key="id"}
-				{fbvElement type="checkbox" id="bccReviewers[]" value=$id checked=in_array($id, $selected) label=$name translate=false}
+				{fbvElement type="checkbox" id="bccReviewers[]" value=$id checked=in_array($id, $selected) label=$name|escape translate=false}
 			{/foreach}
 		</ul>
 	{/fbvFormSection}

diff --git a/templates/controllers/modals/editorDecision/form/promoteForm.tpl b/templates/controllers/modals/editorDecision/form/promoteForm.tpl
@@ -32,7 +32,7 @@
 			<p>{translate key=$decisionData.help}</p>
 		{/if}
 
-		{capture assign="sendEmailLabel"}{translate key="editor.submissionReview.sendEmail" authorName=$authorName}{/capture}
+		{capture assign="sendEmailLabel"}{translate key="editor.submissionReview.sendEmail" authorName=$authorName|escape}{/capture}
 		{if $skipEmail}
 			{assign var="skipEmailSkip" value=true}
 		{else}

diff --git a/templates/controllers/modals/editorDecision/form/sendReviewsForm.tpl b/templates/controllers/modals/editorDecision/form/sendReviewsForm.tpl
@@ -52,7 +52,7 @@
 		{/fbvFormSection}
 	{/if}
 
-	{capture assign="sendEmailLabel"}{translate key="editor.submissionReview.sendEmail" authorName=$authorName}{/capture}
+	{capture assign="sendEmailLabel"}{translate key="editor.submissionReview.sendEmail" authorName=$authorName|escape}{/capture}
 	{if $skipEmail}
 		{assign var="skipEmailSkip" value=true}
 	{else}

diff --git a/templates/submission/form/categories.tpl b/templates/submission/form/categories.tpl
@@ -19,7 +19,7 @@
 	{else}
 		{fbvFormSection list=true title="grid.category.categories"}
 			{foreach from=$categories item="category" key="id"}
-				{fbvElement type="checkbox" id="categories[]" value=$id checked=in_array($id, $assignedCategories) label=$category translate=false}
+				{fbvElement type="checkbox" id="categories[]" value=$id checked=in_array($id, $assignedCategories) label=$category|escape translate=false}
 			{/foreach}
 		{/fbvFormSection}
 	{/if}

diff --git a/templates/user/contactForm.tpl b/templates/user/contactForm.tpl
@@ -41,7 +41,7 @@
 				{else}
 					{assign var="checked" value=false}
 				{/if}
-				{fbvElement type="checkbox" name="userLocales[]" id="userLocales-$localeKey" value=$localeKey checked=$checked label=$localeName translate=false}
+				{fbvElement type="checkbox" name="userLocales[]" id="userLocales-$localeKey" value=$localeKey checked=$checked label=$localeName|escape translate=false}
 			{/foreach}
 		{/fbvFormSection}
 	{/if}

diff --git a/templates/user/userGroupSelfRegistration.tpl b/templates/user/userGroupSelfRegistration.tpl
@@ -18,7 +18,7 @@
 		{assign var="checked" value=false}
 	{/if}
 	{if $userGroup->getPermitSelfRegistration()}
-		{fbvElement type="checkbox" id="readerGroup-$userGroupId" name="readerGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName() translate=false}
+		{fbvElement type="checkbox" id="readerGroup-$userGroupId" name="readerGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName()|escape translate=false}
 	{/if}
 {/foreach}
 {foreach from=$authorUserGroups[$contextId] item=userGroup}
@@ -29,7 +29,7 @@
 		{assign var="checked" value=false}
 	{/if}
 	{if $userGroup->getPermitSelfRegistration()}
-		{fbvElement type="checkbox" id="authorGroup-$userGroupId" name="authorGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName() translate=false}
+		{fbvElement type="checkbox" id="authorGroup-$userGroupId" name="authorGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName()|escape translate=false}
 	{/if}
 {/foreach}
 {foreach from=$reviewerUserGroups[$contextId] item=userGroup}
@@ -40,6 +40,6 @@
 		{assign var="checked" value=false}
 	{/if}
 	{if $userGroup->getPermitSelfRegistration()}
-		{fbvElement type="checkbox" id="reviewerGroup-$userGroupId" name="reviewerGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName() translate=false}
+		{fbvElement type="checkbox" id="reviewerGroup-$userGroupId" name="reviewerGroup[$userGroupId]" checked=$checked label=$userGroup->getLocalizedName()|escape translate=false}
 	{/if}
 {/foreach}