Author: abusenius Date: 2010-08-18 18:23:50 +0200 (Wed, 18 Aug 2010) New Revision: 30693 Modified: platform/web/trunk/standard/src/main/webapp/templates/editclass.vm Log: Added missing escaping to class editor. Modified: platform/web/trunk/standard/src/main/webapp/templates/editclass.vm =================================================================== --- platform/web/trunk/standard/src/main/webapp/templates/editclass.vm 2010-08-18 16:12:24 UTC (rev 30692) +++ platform/web/trunk/standard/src/main/webapp/templates/editclass.vm 2010-08-18 16:23:50 UTC (rev 30693) @@ -36,10 +36,10 @@ #if($prevSpace != '') </optgroup> #end - <optgroup label="${classdoc.space}"> + <optgroup label="${escapetool.xml($classdoc.space)}"> #set($prevSpace = ${classdoc.space}) #end - <option value="$classdoc.getURL('edit', 'editor=class')">${classdoc.name}</option> + <option value="$classdoc.getURL('edit', 'editor=class')">${escapetool.xml($classdoc.name)}</option> #end #end #if($prevSpace != '') @@ -60,9 +60,9 @@ * Display a class property *# #macro(displayProperty $field) - <div id="xproperty_$field.name" class="xproperty #if($field.disabled)disabled#end"> + <div id="xproperty_${field.name}" class="xproperty #if($field.disabled)disabled#end"> <div id="xproperty_${field.name}_title" class="xproperty-title ${field.type}"> - <h2>$doc.displayView($field.xWikiClass.get('prettyName'), "${field.name}_" , $field) + <h2>$!{escapetool.xml($doc.displayView($field.xWikiClass.get('prettyName'), "${field.name}_" , $field))} ($doc.displayView($field.xWikiClass.get('name'), "${field.name}_" , $field): $xwiki.metaclass.get($field.classType).prettyName)</h2> <div class="tools propertyTools"><a href='$doc.getURL('propdelete', "propname=${field.name}")' title="$msg.get('core.editors.class.deleteProperty.tooltip', [${field.name}])" class="tool delete">$msg.get('core.editors.class.deleteProperty.text')</a></div> </div> @@ -76,9 +76,9 @@ #set($propDef = $field.xWikiClass.get($classprop)) #if($hiddenProperties.indexOf($propDef.name) == -1) #if($propDef.type.indexOf('Boolean') != -1) - <dt class="boolean-property"><label class="hidden" for="${field.name}_$classprop">$propDef.getPrettyName()</label>$doc.displayEdit($propDef, "${field.name}_" , $field) $propDef.getPrettyName()</dt> + <dt class="boolean-property"><label class="hidden" for="${field.name}_$classprop">${escapetool.xml($propDef.getPrettyName())}</label>$doc.displayEdit($propDef, "${field.name}_" , $field) $propDef.getPrettyName()</dt> #else - <dt><label for="${field.name}_$classprop">$propDef.getPrettyName() $!{propertyDetails.get($classprop)}</label></dt> + <dt><label for="${field.name}_$classprop">${escapetool.xml($propDef.getPrettyName())} $!{propertyDetails.get($classprop)}</label></dt> <dd>$doc.displayEdit($propDef, "${field.name}_" , $field)</dd> #end #end @@ -99,7 +99,7 @@ <label for="proptype" class="property-type-label">$msg.get('core.editors.class.addProperty.type.label'):</label> <select id="proptype" name="proptype" size="1"> #foreach($prop in $xwiki.metaclass.properties) - <option value="${prop.name}">${prop.prettyName}</option> + <option value="${prop.name}">${escapetool.xml($prop.prettyName)}</option> #end </select> <span class="buttonwrapper"> @@ -140,10 +140,10 @@ #editActionButton('preview', 'preview') </div> <div id="xwikiclassproperties"> - <div id="xclass_${class.name}" class="xclass"> - <div id="xclass_${class.name}_title" class="xclass-title"><h2>$class.name</h2></div> + <div id="xclass_${escapetool.xml($class.name)}" class="xclass"> + <div id="xclass_${escapetool.xml($class.name)}_title" class="xclass-title"><h2>${escapetool.xml($class.name)}</h2></div> #addPropertyForm() - <div id="xclass_${class.name}_content" class="xclass-content"><div id="xclassContent"> + <div id="xclass_${escapetool.xml($class.name)}_content" class="xclass-content"><div id="xclassContent"> #foreach ($field in $class.properties) #displayProperty($field) #end _______________________________________________ notifications mailing list notifications(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/notifications