#26137 fix rt comment : use escape in view

e3b8a5ab · Ghislain Loas · 15b49eb6 · e3b8a5ab · e3b8a5ab
Commit e3b8a5ab authored 9 years ago by Ghislain Loas
--- a/application/modules/admin/views/scripts/modo/formulaires.phtml
+++ b/application/modules/admin/views/scripts/modo/formulaires.phtml
 <h1><?php echo $this->_('Modération des formulaires: '.$this->article->getTitre());?></h1>
-<?php 
+<?php
 if($this->liste==='all')
 echo $this->tagAnchor($this->url(['module'=>'admin',
                                  'controller'=>'modo',
@@ -31,8 +31,8 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
    <thead>
      <tr>
        <th><?php echo $this->_('Date') ?></th>
-        <th><?php echo $this->_('Posté par') ?></th> 
-        <th><?php echo $this->_('Bibliothèque') ?></th> 
+        <th><?php echo $this->_('Posté par') ?></th>
+        <th><?php echo $this->_('Bibliothèque') ?></th>
        <?php foreach($data_names as $name) echo '<th>'.$name.'</th>'; ?>
          <th><?php echo $this->_('Actions') ?></th>
      </tr>
@@ -40,14 +40,14 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
    <tbody>
      <?php
      foreach($this->formulaires as $formulaire) {
-        $datas = [$this->humanDate($formulaire->getDateCreation(), 'dd/MM/yyyy'), 
-                  $formulaire->getCompte(), 
+        $datas = [$this->humanDate($formulaire->getDateCreation(), 'dd/MM/yyyy'),
+                  $formulaire->getCompte(),
                  $formulaire->getLibelleBib()];
        foreach($data_names as $name)
        $datas[]=$formulaire->getDataNamed($name);

        echo '<tr>';
-        foreach($datas as $data) echo '<td>'.$data.'</td>';
+        foreach($datas as $data) echo '<td>' . $this->escape($data) . '</td>';

        echo '<td>';
        echo $this->tagAnchor(['action' => 'visualiser-reponse-ajax',
@@ -59,7 +59,7 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
        echo $this->tagAnchor(['action' => 'validate-formulaire',
                               'id' => $formulaire->getId()],
                              $this->boutonIco('type=validate'));
-        
+
        echo '</td>';
        echo '</tr>';
      }

--- a/library/Class/Formulaire.php
+++ b/library/Class/Formulaire.php
@@ -107,7 +107,7 @@ class Class_Formulaire extends Storm_Model_Abstract {

  public function getDataNamed($name) {
    $datas = array_change_key_case($this->getDatas());
-    return isset($datas[$name]) ? strip_tags($datas[$name]) : '' ;
+    return isset($datas[$name]) ? $datas[$name] : '' ;
  }