templates: Hopefully escape all template inputs

2025-08-02 18:20:35 +02:00
parent 4125de8208
commit 4d2d0f9722
24 changed files with 116 additions and 116 deletions
--- a/src/root/users.tt
+++ b/src/root/users.tt
@@ -17,7 +17,7 @@
        <td><a class="row-link" [% HTML.attributes(href => c.uri_for(c.controller('User').action_for('edit'), [u.username])) %]>[% HTML.escape(u.username) %]</a></td>
        <td>[% HTML.escape(u.fullname) %]</td>
        <td>[% HTML.escape(u.emailaddress) %]</td>
-        <td>[% FOREACH r IN u.userroles %]<i>[% r.role %]</i> [% END %]</td>
+        <td>[% FOREACH r IN u.userroles %]<i>[% HTML.escape(r.role) %]</i> [% END %]</td>
        <td>[% IF u.emailonerror %]Yes[% ELSE %]No[% END %]</td>
      </tr>
    [% END %]