7 лет назад · 3eda357726
--- a/lib/views/admin/user-group-detail.html
+++ b/lib/views/admin/user-group-detail.html
@@ -1,11 +1,11 @@
 
				 {% extends '../layout/admin.html' %}
			
 
				 
			
 
				-{% block html_title %}{{ customTitle(t('UserGroup management') + '/' + userGroup.name) }}{% endblock %}
			
 
				+{% block html_title %}{{ customTitle(t('UserGroup management') + '/' + userGroup.name) | sanitize }}{% endblock %}
			
 
				 
			
 
				 {% block content_header %}
			
 
				 <div class="header-wrap">
			
 
				   <header id="page-header">
			
 
				-    <h1 class="title" id="">{{ t('UserGroup management') + '/' + userGroup.name }}</h1>
			
 
				+    <h1 class="title" id="">{{ t('UserGroup management') + '/' + userGroup.name | sanitize }}</h1>
			
 
				   </header>
			
 
				 </div>
			
 
				 {% endblock %}
			
--- a/lib/views/admin/user-groups.html
+++ b/lib/views/admin/user-groups.html
@@ -124,7 +124,7 @@
 
				             <td>
			
 
				               <img src="{{ sGroup|picture }}" class="picture img-circle" />
			
 
				             </td>
			
 
				-            <td><a href="{{ sGroupDetailPageUrl }}">{{ sGroup.name }}</a></td>
			
 
				+            <td><a href="{{ sGroupDetailPageUrl }}">{{ sGroup.name | sanitize }}</a></td>
			
 
				             <td><ul class="list-inline">
			
 
				               {% for relation in userGroupRelations.get(sGroup) %}
			
 
				               <li class="list-inline-item badge badge-primary">{{relation.relatedUser.username}}</li>
			
@@ -146,7 +146,7 @@
 
				                   <li>
			
 
				                     <a href="#"
			
 
				                         data-user-group-id="{{ sGroup._id.toString() }}"
			
 
				-                        data-user-group-name="{{ sGroup.name.toString() }}"
			
 
				+                        data-user-group-name="{{ sGroup.name.toString() | sanitize }}"
			
 
				                         data-target="#admin-delete-user-group-modal"
			
 
				                         data-toggle="modal">
			
 
				                       <i class="icon-fw icon-fire text-danger"></i> 削除する
			
--- a/lib/views/widget/page_alerts.html
+++ b/lib/views/widget/page_alerts.html
@@ -7,7 +7,7 @@
 
				       {% elseif page.grant == 4 %}
			
 
				         <i class="icon-fw icon-lock"></i><strong>{{ consts.pageGrants[page.grant] }}</strong> ({{ t('Browsing of this page is restricted') }})
			
 
				       {% elseif page.grant == 5 %}
			
 
				-        <i class="icon-fw icon-organization"></i><strong>'{{ pageRelatedGroup.name }}' only</strong> ({{ t('Browsing of this page is restricted') }})
			
 
				+        <i class="icon-fw icon-organization"></i><strong>'{{ pageRelatedGroup.name | sanitize }}' only</strong> ({{ t('Browsing of this page is restricted') }})
			
 
				       {% endif %}
			
 
				       </p>
			
 
				     {% endif %}
			
--- a/resource/js/components/PageEditor/GrantSelector.js
+++ b/resource/js/components/PageEditor/GrantSelector.js
@@ -2,6 +2,8 @@ import React from 'react';
 
				 import PropTypes from 'prop-types';
			
 
				 import { translate } from 'react-i18next';
			
 
				 
			
 
				+import * as entities from 'entities';
			
 
				+
			
 
				 import FormGroup from 'react-bootstrap/es/FormGroup';
			
 
				 import FormControl from 'react-bootstrap/es/FormControl';
			
 
				 import ListGroup from 'react-bootstrap/es/ListGroup';
			
@@ -81,7 +83,7 @@ class GrantSelector extends React.Component {
 
				 
			
 
				   getGroupName() {
			
 
				     const pageGrantGroup = this.state.pageGrantGroup;
			
 
				-    return pageGrantGroup ? pageGrantGroup.name : '';
			
 
				+    return pageGrantGroup ? entities.encodeHTML(pageGrantGroup.name) : '';
			
 
				   }
			
 
				 
			
 
				   /**