From 4aa6c05aa944803c66757d8294a4dfa8f8e642cd Mon Sep 17 00:00:00 2001
From: Leon Klingele <leon@struktur.de>
Date: Mon, 14 Aug 2017 15:25:01 +0200
Subject: [PATCH] Fix XSS issues by using 'p' instead of 'print_unescaped'

---
 templates/form.php     | 12 ++++++------
 templates/message.php  |  2 +-
 templates/register.php | 22 +++++++++++-----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/templates/form.php b/templates/form.php
index 0fdf699..8b392fc 100644
--- a/templates/form.php
+++ b/templates/form.php
@@ -13,7 +13,7 @@ if ( \OCP\Util::getVersion()[0] >= 12 )
 		</ul>
 		<?php } else { ?>
 		<ul class="msg">
-			<li><?php print_unescaped($l->t('Welcome, you can create your account below.')); ?></li>
+			<li><?php p($l->t('Welcome, you can create your account below.'));?></li>
 		</ul>
 		<?php } ?>
 		<p class="grouptop">
@@ -23,18 +23,18 @@ if ( \OCP\Util::getVersion()[0] >= 12 )
 		</p>
 
 		<p class="groupmiddle">
-		<input type="text" name="username" id="username" value="<?php echo $_['entered_data']['user']; ?>" placeholder="<?php print_unescaped($l->t('Username')); ?>" />
-		<label for="username" class="infield"><?php print_unescaped($l->t('Username')); ?></label>
+		<input type="text" name="username" id="username" value="<?php echo $_['entered_data']['user']; ?>" placeholder="<?php p($l->t('Username')); ?>" />
+		<label for="username" class="infield"><?php p($l->t('Username')); ?></label>
 		<img id="username-icon" class="svg" src="<?php print_unescaped(image_path('', 'actions/user.svg')); ?>" alt=""/>
 		</p>
 
 		<p class="groupbottom">
-		<input type="password" name="password" id="password" placeholder="<?php print_unescaped($l->t('Password')); ?>"/>
-		<label for="password" class="infield"><?php print_unescaped($l->t( 'Password' )); ?></label>
+		<input type="password" name="password" id="password" placeholder="<?php p($l->t('Password')); ?>"/>
+		<label for="password" class="infield"><?php p($l->t( 'Password' )); ?></label>
 		<img id="password-icon" class="svg" src="<?php print_unescaped(image_path('', 'actions/password.svg')); ?>" alt=""/>
 		<input id="show" name="show" type="checkbox">
 		<label style="display: inline;" for="show"></label>
 		</p>
-		<input type="submit" id="submit" value="<?php print_unescaped($l->t('Create account')); ?>" />
+		<input type="submit" id="submit" value="<?php p($l->t('Create account')); ?>" />
 	</fieldset>
 </form>
diff --git a/templates/message.php b/templates/message.php
index 7813d9f..5b3d60c 100644
--- a/templates/message.php
+++ b/templates/message.php
@@ -2,5 +2,5 @@
 \OCP\Util::addStyle('registration', 'style');
 ?>
 <ul class="msg error-wide">
-	<li><?php print_unescaped($_['msg']) ?></li>
+	<li><?php p($_['msg'])?></li>
 </ul>
diff --git a/templates/register.php b/templates/register.php
index 155ca8e..935b884 100644
--- a/templates/register.php
+++ b/templates/register.php
@@ -6,22 +6,22 @@ if ($_['entered']): ?>
 	<?php if (empty($_['errormsg'])): ?>
 		<ul class="success">
 			<li>
-			<?php print_unescaped($l->t('Thank you for registering, you should receive a verification link in a few minutes.')); ?>
+			<?php p($l->t('Thank you for registering, you should receive a verification link in a few minutes.')); ?>
 			</li>
 		</ul>
 	<?php else: ?>
 		<form action="<?php print_unescaped(\OC::$server->getURLGenerator()->linkToRoute('registration.register.validateEmail')) ?>" method="post">
 			<fieldset>
 				<ul class="error">
-					<li><?php print_unescaped($_['errormsg']); ?></li>
+					<li><?php p($_['errormsg']); ?></li>
 				</ul>
 				<p class="groupofone">
-					<input type="email" name="email" id="email" placeholder="<?php print_unescaped($l->t('Email')); ?>" value="" required autofocus />
-					<label for="email" class="infield"><?php print_unescaped($l->t( 'Email' )); ?></label>
+					<input type="email" name="email" id="email" placeholder="<?php p($l->t('Email')); ?>" value="" required autofocus />
+					<label for="email" class="infield"><?php p($l->t( 'Email' )); ?></label>
 					<img id="email-icon" class="svg" src="<?php print_unescaped(image_path('', 'actions/mail.svg')); ?>" alt=""/>
 				</p>
 				<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']); ?>" />
-				<input type="submit" id="submit" value="<?php print_unescaped($l->t('Request verification link')); ?>" />
+				<input type="submit" id="submit" value="<?php p($l->t('Request verification link')); ?>" />
 			</fieldset>
 		</form>
 	<?php endif; ?>
@@ -30,21 +30,21 @@ if ($_['entered']): ?>
 		<fieldset>
 			<?php if ($_['errormsg']): ?>
 				<ul class="error">
-					<li><?php print_unescaped($_['errormsg']); ?></li>
-					<li><?php print_unescaped($l->t('Please re-enter a valid email address')); ?></li>
+					<li><?php p($_['errormsg']); ?></li>
+					<li><?php p($l->t('Please re-enter a valid email address')); ?></li>
 				</ul>
 			<?php else: ?>
 				<ul class="msg">
-					<li><?php print_unescaped($l->t('You will receive an email with a verification link')); ?></li>
+					<li><?php p($l->t('You will receive an email with a verification link')); ?></li>
 				</ul>
 			<?php endif; ?>
 			<p class="groupofone">
-			<input type="email" name="email" id="email" placeholder="<?php print_unescaped($l->t('Email')); ?>" value="" required autofocus />
-				<label for="email" class="infield"><?php print_unescaped($l->t('Email')); ?></label>
+			<input type="email" name="email" id="email" placeholder="<?php p($l->t('Email')); ?>" value="" required autofocus />
+				<label for="email" class="infield"><?php p($l->t('Email')); ?></label>
 				<img id="email-icon" class="svg" src="<?php print_unescaped(image_path('', 'actions/mail.svg')); ?>" alt=""/>
 			</p>
 			<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']); ?>" />
-			<input type="submit" id="submit" value="<?php print_unescaped($l->t('Request verification link')); ?>" />
+			<input type="submit" id="submit" value="<?php p($l->t('Request verification link')); ?>" />
 		</fieldset>
 	</form>
 <?php endif; ?>