From 6f9e15ea578e1ab73c0328c928444c0169f961bc Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Wed, 2 Aug 2023 16:29:50 +0200
Subject: [PATCH] Remove escaping exception for form field values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- This could allow code injection from a malicious query leading to a form page
- Thanks to Laura Pîrcălăboiu for the report
---
 view/templates/field_combobox.tpl              | 7 +++----
 view/templates/field_openid.tpl                | 3 +--
 view/templates/field_password.tpl              | 3 +--
 view/theme/frio/templates/field_colorinput.tpl | 3 +--
 view/theme/frio/templates/field_fileinput.tpl  | 3 +--
 view/theme/frio/templates/field_openid.tpl     | 3 +--
 view/theme/frio/templates/field_password.tpl   | 3 +--
 7 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/view/templates/field_combobox.tpl b/view/templates/field_combobox.tpl
index 3e6e06052f..b62bf2dbac 100644
--- a/view/templates/field_combobox.tpl
+++ b/view/templates/field_combobox.tpl
@@ -1,4 +1,3 @@
-	
 	<div class='field combobox'>
 		<label for='id_{{$field.0}}' id='id_{{$field.0}}_label'>{{$field.1}}</label>
 		{{* html5 don't work on Chrome, Safari and IE9
@@ -6,13 +5,13 @@
 		<datalist id="data_{{$field.0}}">
 		   {{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{/foreach}}
 		</datalist> *}}
-		
-		<input id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}" aria-describedby='{{$field.0}}_tip'>
+
+		<input id="id_{{$field.0}}" type="text" value="{{$field.2}}" aria-describedby='{{$field.0}}_tip'>
 		<select id="select_{{$field.0}}" onChange="$('#id_{{$field.0}}').val($(this).val())">
 			<option value="">{{$field.5}}</option>
 			{{foreach $field.4 as $opt=>$val}}<option value="{{$val}}">{{$val}}</option>{{/foreach}}
 		</select>
-		
+
 		{{if $field.3}}
 		<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
 		{{/if}}
diff --git a/view/templates/field_openid.tpl b/view/templates/field_openid.tpl
index 3c7d02bb8e..033a1f8e50 100644
--- a/view/templates/field_openid.tpl
+++ b/view/templates/field_openid.tpl
@@ -1,7 +1,6 @@
-	
 	<div class='field input openid' id='wrapper_{{$field.0}}'>
 		<label for='id_{{$field.0}}'>{{$field.1}}</label>
-		<input name='{{$field.0}}' id='id_{{$field.0}}' type="text" value="{{$field.2 nofilter}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby='{{$field.0}}_tip'>
+		<input name='{{$field.0}}' id='id_{{$field.0}}' type="text" value="{{$field.2}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby='{{$field.0}}_tip'>
 		{{if $field.3}}
 		<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
 		{{/if}}
diff --git a/view/templates/field_password.tpl b/view/templates/field_password.tpl
index 07241fb11b..57149fe52d 100644
--- a/view/templates/field_password.tpl
+++ b/view/templates/field_password.tpl
@@ -1,7 +1,6 @@
-	
 	<div class="field password" id="wrapper_{{$field.0}}">
 		<label for="id_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
-		<input type="password" name="{{$field.0}}" id="id_{{$field.0}}" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="(($field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
+		<input type="password" name="{{$field.0}}" id="id_{{$field.0}}" value="{{$field.2}}"{{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="(($field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
 		{{if $field.3}}
 		<span class="field_help" role="tooltip" id="{{$field.0}}_tip">{{$field.3 nofilter}}</span>
 		{{/if}}
diff --git a/view/theme/frio/templates/field_colorinput.tpl b/view/theme/frio/templates/field_colorinput.tpl
index 2c530a2e46..f812ff234b 100644
--- a/view/theme/frio/templates/field_colorinput.tpl
+++ b/view/theme/frio/templates/field_colorinput.tpl
@@ -1,9 +1,8 @@
-
 <div class="form-group field input color">
 	<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
 	<div class="input-group" id="{{$field.0}}">
 		<span class="input-group-addon"><i></i></span>
-		<input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
+		<input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
 	</div>
 	{{if $field.3}}
 	<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
diff --git a/view/theme/frio/templates/field_fileinput.tpl b/view/theme/frio/templates/field_fileinput.tpl
index dd6825f2ee..96ae45596e 100644
--- a/view/theme/frio/templates/field_fileinput.tpl
+++ b/view/theme/frio/templates/field_fileinput.tpl
@@ -1,8 +1,7 @@
-
 <div class="form-group field input file">
 	<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
 	<div class="input-group" id="{{$field.0}}">
-		<input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
+		<input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
 		<span class="input-group-addon image-select"><i class="fa fa-picture-o"></i></span>
 	</div>
 	{{if $field.3}}
diff --git a/view/theme/frio/templates/field_openid.tpl b/view/theme/frio/templates/field_openid.tpl
index bae9cb4fc4..c36dbfabca 100644
--- a/view/theme/frio/templates/field_openid.tpl
+++ b/view/theme/frio/templates/field_openid.tpl
@@ -1,7 +1,6 @@
-
 <div id="id_{{$field.0}}_wrapper" class="form-group field input openid">
 	<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}</label>
-	<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip">
+	<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip">
 	{{if $field.3}}
 	<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
 	{{/if}}
diff --git a/view/theme/frio/templates/field_password.tpl b/view/theme/frio/templates/field_password.tpl
index 25a7d0c4ce..0fb27ca88f 100644
--- a/view/theme/frio/templates/field_password.tpl
+++ b/view/theme/frio/templates/field_password.tpl
@@ -1,7 +1,6 @@
-
 <div id="id_{{$field.0}}_wrapper" class="form-group field input password">
 	<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
-	<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2 nofilter}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
+	<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
 	{{if $field.3}}
 	<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
 	{{/if}}