Merged in from DEV trunk...

KTS-2178 "cross site scripting" Implemented. Committed By: Conrad Reviewed By: Kevin git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@6985 c91229c3-7414-0410-bfa2-8a42b809f60b

Merged in from DEV trunk...
KTS-2178 "cross site scripting" Implemented. Committed By: Conrad Reviewed By: Kevin git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@6985 c91229c3-7414-0410-bfa2-8a42b809f60b
kevin_fourie
1 parent d79a6769
Showing 3 changed files with 4 additions and 4 deletions
templates/kt3/browse.smarty
templates/ktcore/assist/assist_notification.smarty
templates/ktcore/assist/assist_notification_details.smarty
@@ -44,7 +44,7 @@
   <input type="hidden" name="sListCode" value="{$code}" />
   <input type="hidden" name="action" value="bulkaction" />
   <input type="hidden" name="fReturnAction" value="{$returnaction}" />
-  <input type="hidden" name="fReturnData" value="{$returndata}" />
+  <input type="hidden" name="fReturnData" value="{$returndata|sanitize}" />
  
   {foreach from=$bulkactions item=bulkaction}
       <input type="submit" name="submit[{$bulkaction->getName()}]" value="{$bulkaction->getDisplayName()}" />
-<dt class="actionitem">{$subject}</dt>
+<dt class="actionitem">{$subject|sanitize}</dt>
 <dd class="actionmessage">
-    {i18n arg_name=$document_name arg_state=$state_name arg_user=$actor->getName()}A
+    {i18n arg_name=$document_name|sanitize arg_state=$state_name arg_user=$actor->getName()}A
     user, <b>#user#</b>, has requested help on the document <b>#name#</b>, and you are
     the owner or an admin of this document.{/i18n}
     <div class="actionoptions">
 <p class="descriptiveText">
-    {i18n arg_name=$document_name arg_state=$state_name arg_user=$actor->getName()}A
+    {i18n arg_name=$document_name|sanitize arg_state=$state_name arg_user=$actor->getName()}A
     user, <b>#user#</b>, has requested help on the document <b>#name#</b>, and you are
     the owner or an admin of this document.{/i18n}
 </p>