Some escaping

2013-07-09 13:55:29 +02:00 · 2013-07-09 13:55:29 +02:00 · 9aa44fa944
parent 895f21cfad
commit 9aa44fa944
1 changed files with 4 additions and 4 deletions
--- a/src/root/users.tt
+++ b/src/root/users.tt
@ -4,7 +4,7 @@
 <table class="table table-striped table-condensed clickable-rows">
  <thead>
    <tr>
-      <th>Username</th>
+      <th>User name</th>
      <th>Name</th>
      <th>Email</th>
      <th>Roles</th>
@ -14,9 +14,9 @@
  <tbody>
    [% FOREACH u IN users %]
      <tr>
-        <td><a class="row-link" href="[% c.uri_for(c.controller('User').action_for('edit'), [u.username]) %]">[% u.username %]</a></td>
-        <td>[% u.fullname %]</td>
-        <td>[% u.emailaddress %]</td>
+        <td><a class="row-link" href="[% c.uri_for(c.controller('User').action_for('edit'), [u.username]) %]">[% HTML.escape(u.username) %]</a></td>
+        <td>[% HTML.escape(u.fullname) %]</td>
+        <td>[% HTML.escape(u.emailaddress) %]</td>
        <td>[% FOREACH r IN u.userroles %]<i>[% r.role %]</i> [% END %]</td>
        <td>[% IF u.emailonerror %]Yes[% ELSE %]No[% END %]</td>
      </tr>