5c5d7eb04f
* Escape HTML in the location field of a calendar event post - This allowed script tags to be interpreted in the post display of an event. * Add form security token check to /admin/phpinfo module - This prevents basic XSS attacks against /admin/phpinfo * Add form security token check to /babel module - This prevents basic XSS attacks against /babel * Prevent pass-through for attachments - This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload * Prevent overwriting cid on event edit - This allowed to share an event as any other user after zeroing the cid field of an existing event
35 lines
1.1 KiB
Smarty
35 lines
1.1 KiB
Smarty
<div id="babel" class="generic-page-wrapper">
|
|
<h2>{{$title}}</h2>
|
|
<form action="babel" method="post" class="panel panel-default">
|
|
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
|
<div class="panel-body">
|
|
<div class="form-group">
|
|
{{include file="field_textarea.tpl" field=$text}}
|
|
</div>
|
|
<div class="form-group">
|
|
{{include file="field_radio.tpl" field=$type_bbcode}}
|
|
{{include file="field_radio.tpl" field=$type_diaspora}}
|
|
{{include file="field_radio.tpl" field=$type_markdown}}
|
|
{{include file="field_radio.tpl" field=$type_html}}
|
|
{{if $flag_twitter}}
|
|
{{include file="field_radio.tpl" field=$type_twitter}}
|
|
{{/if}}
|
|
</div>
|
|
<p><button type="submit" class="btn btn-primary">{{$submit}}</button></p>
|
|
</div>
|
|
</form>
|
|
|
|
{{if $results}}
|
|
<div class="babel-results">
|
|
{{foreach $results as $result}}
|
|
<div class="panel panel-default">
|
|
<div class="panel-heading">
|
|
<h3 class="panel-title">{{$result.title}}</h3>
|
|
</div>
|
|
<div class="panel-body">{{$result.content nofilter}}</div>
|
|
</div>
|
|
{{/foreach}}
|
|
</div>
|
|
</div>
|
|
{{/if}}
|