
authordiosmosis <diosmosis@users.noreply.github.com>2018-10-11 23:02:44 +0300
committerGitHub <noreply@github.com>2018-10-11 23:02:44 +0300
commitcdbf944146cea42a4725eb9fa814c51c7b32b17b (patch)
treef52355de561266281f8b9b6db5dd9e04f66f3286 /plugins
parent221a25f83989df5ea155fd2af6086bb48b280f28 (diff)
Tweaks to escaping strategy in a couple places (#13500)
* Use correct filter in certain places in twig templates. * Another filter change. * Reverse encoding strategy in site selector. * Tweak to annotation escaping. * Fix couple more double encoding issues. * encode report name on unsubscription page * Escape site name in quickaccess directive.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/Annotations/templates/getEvolutionIcons.twig2
-rw-r--r--plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js2
-rw-r--r--plugins/CoreHome/angularjs/quick-access/quick-access.directive.html2
-rw-r--r--plugins/CoreHome/angularjs/siteselector/siteselector-model.service.js7
-rw-r--r--plugins/CoreHome/angularjs/siteselector/siteselector.directive.html8
-rw-r--r--plugins/CoreHome/angularjs/siteselector/siteselector.directive.js2
-rw-r--r--plugins/CoreHome/templates/_dataTable.twig2
-rw-r--r--plugins/CustomVariables/templates/_actionTooltip.twig2
-rw-r--r--plugins/ExampleVisualization/templates/simpleTable.twig2
-rw-r--r--plugins/Live/templates/_dataTableViz_visitorLog.twig2
-rw-r--r--plugins/Live/templates/_visitorDetails.twig4
-rw-r--r--plugins/Live/templates/getVisitorProfilePopup.twig2
-rw-r--r--plugins/PrivacyManager/templates/privacySettings.twig2
-rw-r--r--plugins/ScheduledReports/SubscriptionModel.php2
-rw-r--r--plugins/ScheduledReports/templates/_addReport.twig2
-rw-r--r--plugins/ScheduledReports/templates/_listReports.twig2
-rw-r--r--plugins/ScheduledReports/templates/unsubscribe.twig4
-rw-r--r--plugins/UsersManager/templates/index.twig2
-rw-r--r--plugins/UsersManager/templates/userSettings.twig2
19 files changed, 23 insertions, 30 deletions
diff --git a/plugins/Annotations/templates/getEvolutionIcons.twig b/plugins/Annotations/templates/getEvolutionIcons.twig
index 1c0e441137..e024f3bef5 100644
--- a/plugins/Annotations/templates/getEvolutionIcons.twig
+++ b/plugins/Annotations/templates/getEvolutionIcons.twig
@@ -5,7 +5,7 @@
<span data-date="{{ date }}" data-count="{{ counts.count }}" data-starred="{{ counts.starred }}"
{% if counts.count == 0 %}title="{{ 'Annotations_AddAnnotationsFor'|translate(date) }}"
{% elseif counts.count == 1 %}title="{{ 'Annotations_AnnotationOnDate'|translate(date,
- counts.note)|raw }}
+ (counts.note|e('html_attr')))|raw }}
{{ 'Annotations_ClickToEditOrAdd'|translate }}"
{% else %}}title="{{ 'Annotations_ViewAndAddAnnotations'|translate(date) }}"{% endif %}>
<img src="plugins/Morpheus/images/{% if counts.starred > 0 %}annotations_starred.png{% else %}annotations.png{% endif %}" width="16" height="16"/>
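Review bot: Only `counts.note` is escaped on the new line; because the whole translated string is then marked `|raw`, `date` and the translation text itself are written into the quoted `title` attribute unescaped. If `date` can reach this template from request parameters, escape it the same way, `translate(date|e('html_attr'), counts.note|e('html_attr'))`, or apply `|e('html_attr')` to the translate result instead of `|raw` when the translation contains no markup. Separately, the context line `{% else %}}title=` appears to carry a stray `}` that is emitted literally into the `<span>` tag; worth fixing while in this file.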
diff --git a/plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js b/plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js
index 0eca1b96ad..5733e145ed 100644
--- a/plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js
+++ b/plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js
@@ -141,7 +141,7 @@
this.changeSite = function (trackingCodeChangedManually) {
- $('.current-site-name').html(self.site.name);
+ $('.current-site-name').text(self.site.name);
getSiteData(this.site.id, '#js-code-options', function () {
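Review bot: Switching to `.text()` is right, but it assumes `self.site.name` now holds the plain (undecoded) name; the same assumption is made by `ng-bind="site.name"` in quick-access.directive.html and siteselector.directive.html, while siteselector.directive.js decodes `piwik.siteName` explicitly. If `self.site` here can be seeded from `piwik.siteName` rather than from the sites model, a name containing `&` would display as `&amp;`. A short comment stating the expected encoding would pin this down, e.g. `// site.name is plain text (not HTML-encoded): render with .text(), never .html()`. `changeSite` continues past the end of the hunk.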
diff --git a/plugins/CoreHome/angularjs/quick-access/quick-access.directive.html b/plugins/CoreHome/angularjs/quick-access/quick-access.directive.html
index db1ce349cb..374e3b1d8a 100644
--- a/plugins/CoreHome/angularjs/quick-access/quick-access.directive.html
+++ b/plugins/CoreHome/angularjs/quick-access/quick-access.directive.html
@@ -34,7 +34,7 @@
ng-mouseenter="search.index=(quickAccess.numMenuItems + $index)"
ng-class="{selected: (quickAccess.numMenuItems + $index) == search.index}"
ng-click="quickAccess.selectSite(site.idsite)"
- ng-repeat="site in quickAccess.sitesModel.sites"><a ng-bind-html="site.name"></a></li>
+ ng-repeat="site in quickAccess.sitesModel.sites"><a ng-bind="site.name"></a></li>
</ul>
</div>
</div>
diff --git a/plugins/CoreHome/angularjs/siteselector/siteselector-model.service.js b/plugins/CoreHome/angularjs/siteselector/siteselector-model.service.js
index 48f7bf2419..8814e669ec 100644
--- a/plugins/CoreHome/angularjs/siteselector/siteselector-model.service.js
+++ b/plugins/CoreHome/angularjs/siteselector/siteselector-model.service.js
@@ -37,13 +37,6 @@
angular.forEach(sites, function (site) {
if (site.group) site.name = '[' + site.group + '] ' + site.name;
- if (!site.name) {
- return;
- }
- // Escape site names, see https://github.com/piwik/piwik/issues/7531
- site.name = site.name.replace(/[\u0000-\u2666]/g, function(c) {
- return '&#'+c.charCodeAt(0)+';';
- });
});
model.sites = sortSites(sites);
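Review bot: Removing the entity-encoding loop means `model.sites[*].name` is now plain text, so any consumer outside this diff that still renders it with `ng-bind-html` or decodes it with `|htmldecode` would inject site-name markup into the page; only the quick-access and site-selector templates are updated here. Worth checking every other binding of the sites model's names before merging, and leaving a comment at this point stating the new contract, e.g. `// site.name is kept as plain text; templates must bind it with ng-bind / .text()`. The removal also drops the `if (!site.name) return;` guard, which only skipped the encoding, so nothing else is lost there.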
diff --git a/plugins/CoreHome/angularjs/siteselector/siteselector.directive.html b/plugins/CoreHome/angularjs/siteselector/siteselector.directive.html
index acac9daffc..c794b133e9 100644
--- a/plugins/CoreHome/angularjs/siteselector/siteselector.directive.html
+++ b/plugins/CoreHome/angularjs/siteselector/siteselector.directive.html
@@ -16,13 +16,13 @@
<a ng-click="view.showSitesList=!view.showSitesList; view.showSitesList && !model.isLoading && model.loadInitialSites();"
piwik-onenter="view.showSitesList=!view.showSitesList; view.showSitesList && !model.isLoading && model.loadInitialSites();"
href="javascript:void(0)"
- title="{{ 'CoreHome_ChangeCurrentWebsite'|translate:((selectedSite.name || model.firstSiteName)|htmldecode) }}"
+ title="{{ 'CoreHome_ChangeCurrentWebsite'|translate:((selectedSite.name || model.firstSiteName)|escape) }}"
ng-class="{'loading': model.isLoading}"
class="title" tabindex="4">
<span class="icon icon-arrow-bottom"
ng-class="{'iconHidden': model.isLoading, 'collapsed': !view.showSitesList}"></span>
<span>
- <span ng-bind-html="selectedSite.name || model.firstSiteName" ng-if="selectedSite.name || !placeholder">?</span>
+ <span ng-bind="selectedSite.name || model.firstSiteName" ng-if="selectedSite.name || !placeholder">?</span>
<span ng-if="!selectedSite.name && placeholder" class="placeholder">{{ placeholder }}</span>
</span>
</a>
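Review bot: The `|escape` filter on the new `title` interpolation at line 97 is applied to a value that Angular assigns to the attribute as text, so if that filter HTML-encodes, tooltips for names containing `&` or `<` will show `&amp;`/`&lt;`; the second hunk of this file uses the plain `title="{{ site.name }}"` for the same data, which is the consistent form. Unless `escape` is needed for another reason, `title="{{ 'CoreHome_ChangeCurrentWebsite'|translate:(selectedSite.name || model.firstSiteName) }}"` matches the rest of the change.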
@@ -55,8 +55,8 @@
ng-hide="!showSelectedSite && activeSiteId==site.idsite">
<a piwik-ignore-click href="{{ getUrlForSiteId(site.idsite) }}"
piwik-autocomplete-matched="view.searchTerm"
- title="{{ site.name|htmldecode }}"
- ng-bind-html="site.name" tabindex="4"></a>
+ title="{{ site.name }}"
+ ng-bind="site.name" tabindex="4"></a>
</li>
</ul>
<ul ng-show="!model.sites.length && view.searchTerm" class="ui-autocomplete ui-front ui-menu ui-widget ui-widget-content ui-corner-all siteSelect">
diff --git a/plugins/CoreHome/angularjs/siteselector/siteselector.directive.js b/plugins/CoreHome/angularjs/siteselector/siteselector.directive.js
index 9c4d887c6b..08ed160a4c 100644
--- a/plugins/CoreHome/angularjs/siteselector/siteselector.directive.js
+++ b/plugins/CoreHome/angularjs/siteselector/siteselector.directive.js
@@ -32,7 +32,7 @@
var defaults = {
name: '',
siteid: piwik.idSite,
- sitename: piwik.siteName,
+ sitename: piwik.helper.htmlDecode(piwik.siteName),
allSitesLocation: 'bottom',
allSitesText: $filter('translate')('General_MultiSitesSummary'),
showSelectedSite: 'false',
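Review bot: `piwik.helper.htmlDecode(piwik.siteName)` makes the default depend on `piwik.siteName` being HTML-encoded exactly once by the server; if it is ever emitted plain, a site whose name literally contains `&amp;` would be silently altered. A comment on this line recording that contract would help the next reader, e.g. `// piwik.siteName is HTML-encoded by the server; the selector binds names as text, so decode once here`. The `defaults` object starts inside the hunk but the enclosing function does not.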
diff --git a/plugins/CoreHome/templates/_dataTable.twig b/plugins/CoreHome/templates/_dataTable.twig
index 90864d105c..428f746004 100644
--- a/plugins/CoreHome/templates/_dataTable.twig
+++ b/plugins/CoreHome/templates/_dataTable.twig
@@ -41,7 +41,7 @@
{% endif %}
<div class="reportDocumentation">
- {% if properties.documentation|default is not empty %}<p>{{ properties.documentation|raw }}</p>{% endif %}
+ {% if properties.documentation|default is not empty %}<p>{{ properties.documentation|rawSafeDecoded }}</p>{% endif %}
{% if reportLastUpdatedMessage is defined and reportLastUpdatedMessage %}<span class='helpDate'>{{ reportLastUpdatedMessage|raw }}</span>{% endif %}
</div>
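Review bot: `properties.documentation` is switched to `rawSafeDecoded` while `reportLastUpdatedMessage|raw` on the next line of the same `div` keeps the unfiltered `|raw`; if that message is not guaranteed to be static text, it should get the same treatment. More generally, what `rawSafeDecoded` guarantees (decode entities, then re-escape for the HTML body?) is not visible from any of the templates that adopt it here (this file, _actionTooltip.twig, simpleTable.twig, _dataTableViz_visitorLog.twig, _visitorDetails.twig, getVisitorProfilePopup.twig, privacySettings.twig, _addReport.twig, _listReports.twig), and several of those values, such as user IDs and custom variables, originate from tracking requests. A one-line comment at the first use in each template stating what the filter guarantees, e.g. `{# rawSafeDecoded: decodes stored entities and re-escapes for HTML text #}`, would make the assumption reviewable.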
diff --git a/plugins/CustomVariables/templates/_actionTooltip.twig b/plugins/CustomVariables/templates/_actionTooltip.twig
index 52084a4be5..3fbe510783 100644
--- a/plugins/CustomVariables/templates/_actionTooltip.twig
+++ b/plugins/CustomVariables/templates/_actionTooltip.twig
@@ -5,6 +5,6 @@
{% set value = 'customVariablePageValue' ~ id %}
{# line break above is important #}
- - {{ customVariable[name]|raw }} {% if customVariable[value]|length > 0 %} = {{ customVariable[value]|raw }}{% endif %}
+ - {{ customVariable[name]|rawSafeDecoded }} {% if customVariable[value]|length > 0 %} = {{ customVariable[value]|rawSafeDecoded }}{% endif %}
{% endfor %}
{% endif -%} \ No newline at end of file
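Review bot: Custom variable names and values are tracker-supplied, and the `{# line break above is important #}` comment suggests this fragment is assembled into a tooltip by its caller, so whether `rawSafeDecoded` escapes for that final context (element text versus attribute value) cannot be verified here. If the caller places the result in a `title` attribute or passes it through `innerHTML`, the re-escaping done by the filter has to match that context. A comment naming the consuming context, e.g. `{# rendered into a tooltip title attribute; values must stay HTML-encoded #}`, would pin the assumption for the next reader.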
diff --git a/plugins/ExampleVisualization/templates/simpleTable.twig b/plugins/ExampleVisualization/templates/simpleTable.twig
index 6b0748711d..618736cc24 100644
--- a/plugins/ExampleVisualization/templates/simpleTable.twig
+++ b/plugins/ExampleVisualization/templates/simpleTable.twig
@@ -17,7 +17,7 @@
{% for tableRow in dataTable.getRows %}
<tr>
{% for column in properties.columns_to_display %}
- <td>{{ tableRow.getColumn(column)|default('-')|truncate(50)|raw }}</td>
+ <td>{{ tableRow.getColumn(column)|default('-')|truncate(50)|rawSafeDecoded }}</td>
{% endfor %}
</tr>
{% endfor %}
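Review bot: `truncate(50)` runs before `rawSafeDecoded`, so the cut is made on the encoded string: the length counts entity characters rather than visible ones, and a cut that lands inside an entity such as `&amp;` leaves a dangling fragment (`&am`) for the filter to handle. If the filter decodes first and then re-escapes, truncating the decoded value would be the correct order; otherwise at least document the limitation, e.g. `{# truncation operates on the encoded value; entities near the cut may be split #}`.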
diff --git a/plugins/Live/templates/_dataTableViz_visitorLog.twig b/plugins/Live/templates/_dataTableViz_visitorLog.twig
index eb09ee8730..02221fa485 100644
--- a/plugins/Live/templates/_dataTableViz_visitorLog.twig
+++ b/plugins/Live/templates/_dataTableViz_visitorLog.twig
@@ -8,7 +8,7 @@
{% if visitor.getColumn('visitorId') is not empty and not clientSideParameters.hideProfileLink %}
<a class="visitor-log-visitor-profile-link visitorLogTooltip" title="{{ 'Live_ViewVisitorProfile'|translate }}" data-visitor-id="{{ visitor.getColumn("visitorId") }}">
<img src="plugins/Live/images/visitorProfileLaunch.png"/> <span>{{ 'Live_ViewVisitorProfile'|translate }}
- {%- if visitor.getColumn('userId') is not empty %}: {{ visitor.getColumn('userId')|raw }}{% endif %}</span>
+ {%- if visitor.getColumn('userId') is not empty %}: {{ visitor.getColumn('userId')|rawSafeDecoded }}{% endif %}</span>
</a>
{% endif %}
diff --git a/plugins/Live/templates/_visitorDetails.twig b/plugins/Live/templates/_visitorDetails.twig
index 6bcb5255d0..f0e22943ce 100644
--- a/plugins/Live/templates/_visitorDetails.twig
+++ b/plugins/Live/templates/_visitorDetails.twig
@@ -2,7 +2,7 @@
{{ visitInfo.getColumn('serverDatePrettyFirstAction') }}
{% if isWidget %}<br/>{% else %}-{% endif %} {{ visitInfo.getColumn('serverTimePrettyFirstAction') }}</strong>
{% if visitInfo.getColumn('visitIp') is not empty %}
-<span class="visitor-log-ip-location visitorLogTooltip" title="{% if visitInfo.getColumn('userId') is not empty %}{{ 'General_UserId'|translate }}: {{ visitInfo.getColumn('userId')|raw }}
+<span class="visitor-log-ip-location visitorLogTooltip" title="{% if visitInfo.getColumn('userId') is not empty %}{{ 'General_UserId'|translate }}: {{ visitInfo.getColumn('userId')|rawSafeDecoded }}
{% endif %}{% if visitInfo.getColumn('visitorId') is not empty %}{{ 'General_VisitorID'|translate }}: {{ visitInfo.getColumn('visitorId') }}
{% endif %}{% if visitInfo.getColumn('idVisit') is not empty %}
{{ 'General_Visit'|translate }} ID: {{ visitInfo.getColumn('idVisit') }}
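Review bot: On line 188 the user ID is written into a double-quoted `title` attribute, where body-context escaping is not enough unless the filter also encodes `"`; `userId` is supplied by the tracked site's client, so this is the value that most needs the attribute strategy. If `rawSafeDecoded` does not guarantee attribute safety, `{{ visitInfo.getColumn('userId')|e('html_attr') }}` is the explicit form, matching how the UsersManager templates already escape attribute values. The same pattern appears in getVisitorProfilePopup.twig (`<span title="…userId|rawSafeDecoded">`) and in the directive attributes in UsersManager/index.twig and userSettings.twig.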
@@ -15,7 +15,7 @@ GPS (lat/long): {{ visitInfo.getColumn('latitude') }},{{ visitInfo.getColumn('lo
{% if visitInfo.getColumn('location') != 'General_Unknown'|translate %}<span><img width="16" class="flag" src="{{ visitInfo.getColumn('countryFlag') }}"/>&nbsp;
{% if visitInfo.getColumn('city') is not empty %}{{ visitInfo.getColumn('city') }}{% else %}{{ visitInfo.getColumn('country') }}{% endif %}</span>{% endif %}
- {% if visitInfo.getColumn('userId') is not empty %}<br/><br/>{{ visitInfo.getColumn('userId')|raw }}{% endif %}
+ {% if visitInfo.getColumn('userId') is not empty %}<br/><br/>{{ visitInfo.getColumn('userId')|rawSafeDecoded }}{% endif %}
</span>{% endif %}
{% if isWidget %}
<br />
diff --git a/plugins/Live/templates/getVisitorProfilePopup.twig b/plugins/Live/templates/getVisitorProfilePopup.twig
index 96c95fc2f8..7949f12301 100644
--- a/plugins/Live/templates/getVisitorProfilePopup.twig
+++ b/plugins/Live/templates/getVisitorProfilePopup.twig
@@ -32,7 +32,7 @@
{%- if visitorData.userId is empty %}
{{ 'Live_VisitorProfile'|translate }}
{%- else %}
- <span title="{{ 'General_UserId'|translate }}: {{ visitorData.userId|raw }}">{{ visitorData.userId|raw }}</span>
+ <span title="{{ 'General_UserId'|translate }}: {{ visitorData.userId|rawSafeDecoded }}">{{ visitorData.userId|rawSafeDecoded }}</span>
{% endif -%}
</h1>
{% if visitorData.nextVisitorId is not empty %}<a class="visitor-profile-next-visitor"
diff --git a/plugins/PrivacyManager/templates/privacySettings.twig b/plugins/PrivacyManager/templates/privacySettings.twig
index 819abea55e..7690ff6011 100644
--- a/plugins/PrivacyManager/templates/privacySettings.twig
+++ b/plugins/PrivacyManager/templates/privacySettings.twig
@@ -238,7 +238,7 @@
<br/>
{% endif %}
<strong>{{ 'PrivacyManager_NextDelete'|translate }}:</strong>
- {{ deleteData.nextRunPretty|raw }}
+ {{ deleteData.nextRunPretty|rawSafeDecoded }}
<br/>
<br/>
<a id="purgeDataNowLink" href="#"
diff --git a/plugins/ScheduledReports/SubscriptionModel.php b/plugins/ScheduledReports/SubscriptionModel.php
index e15f3b6d26..f5937138d5 100644
--- a/plugins/ScheduledReports/SubscriptionModel.php
+++ b/plugins/ScheduledReports/SubscriptionModel.php
@@ -157,7 +157,7 @@ class SubscriptionModel
private function removeSubscription($token)
{
- $this->getDb()->query('UPDATE ' . $this->table . ' SET token = "", ts_unsubscribed = NOW() WHERE token = ?', [$token]);
+ $this->getDb()->query('UPDATE ' . $this->table . ' SET token = NULL, ts_unsubscribed = NOW() WHERE token = ?', [$token]);
}
private function generateToken($email)
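Review bot: Storing `NULL` instead of `""` stops an empty token from matching rows unsubscribed earlier, but `removeSubscription` still issues the `UPDATE` for whatever `$token` it receives, and rows written by the old code keep `token = ""`. A guard such as `if ($token === null || $token === '') { return; }` at the top of the method, plus a one-off migration that sets existing empty tokens to `NULL`, would close the gap for data created before this change. Whether callers already validate the token is not visible from this hunk.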
diff --git a/plugins/ScheduledReports/templates/_addReport.twig b/plugins/ScheduledReports/templates/_addReport.twig
index 076f18b10e..64cb2456b4 100644
--- a/plugins/ScheduledReports/templates/_addReport.twig
+++ b/plugins/ScheduledReports/templates/_addReport.twig
@@ -126,7 +126,7 @@
<input type='{{ reportInputType }}' id="{{ reportType }}{{ report.uniqueId }}" report-unique-id='{{ report.uniqueId }}'
name='{{ reportType }}Reports'/>
<label for="{{ reportType }}{{ report.uniqueId }}">
- {{ report.name|raw }}
+ {{ report.name|rawSafeDecoded }}
{% if report.uniqueId=='MultiSites_getAll' %}
<div class="entityInlineHelp">{{ 'ScheduledReports_ReportIncludeNWebsites'|translate(countWebsites)
}}</div>
diff --git a/plugins/ScheduledReports/templates/_listReports.twig b/plugins/ScheduledReports/templates/_listReports.twig
index bf43a1d91a..9a04277869 100644
--- a/plugins/ScheduledReports/templates/_listReports.twig
+++ b/plugins/ScheduledReports/templates/_listReports.twig
@@ -40,7 +40,7 @@
{% for report in reports %}
<tr>
<td class="first">
- {{ report.description | raw }}
+ {{ report.description|rawSafeDecoded }}
{% if segmentEditorActivated and report.idsegment %}
<div class="entityInlineHelp" style="font-size: 9pt;">
{{ savedSegmentsById[report.idsegment] }}
diff --git a/plugins/ScheduledReports/templates/unsubscribe.twig b/plugins/ScheduledReports/templates/unsubscribe.twig
index d97bb7898b..14684cd010 100644
--- a/plugins/ScheduledReports/templates/unsubscribe.twig
+++ b/plugins/ScheduledReports/templates/unsubscribe.twig
@@ -36,13 +36,13 @@
<strong>{{ 'General_Error'|translate }}</strong>: {{ error|raw }}<br/>
</div>
{% elseif success is defined %}
- <p class="message">{{ 'ScheduledReports_SuccessfullyUnsubscribed'|translate('<strong>'~reportName~'</strong>')|raw }}</p>
+ <p class="message">{{ 'ScheduledReports_SuccessfullyUnsubscribed'|translate('<strong>'~reportName|rawSafeDecoded~'</strong>')|raw }}</p>
{% else %}
<form method="POST" ng-non-bindable>
<div class="row">
<div class="col s12">
<br/>
- <p>{{ 'ScheduledReports_UnsubscribeReportConfirmation'|translate('<strong>'~reportName~'</strong>')|raw }}</p>
+ <p>{{ 'ScheduledReports_UnsubscribeReportConfirmation'|translate('<strong>'~reportName|rawSafeDecoded~'</strong>')|raw }}</p>
<br /><br /><br />
<input type="hidden" name="nonce" id="unsubscribe_form_nonce" value="{{ nonce }}"/>
<input class="submit btn" type="submit" name="confirm" value="{{ 'ScheduledReports_Unsubscribe'|translate }}"/>
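Review bot: On lines 272 and 279 the filter binds tighter than `~`, so `rawSafeDecoded` applies only to `reportName`, which is the intended reading but easy to misread as applying to the whole concatenation; parentheses, `'<strong>'~(reportName|rawSafeDecoded)~'</strong>'`, make it explicit. The trailing `|raw` is then what emits the `<strong>` markup, which is fine as long as the translation string itself is trusted. The `{{ error|raw }}` on line 268 in the same block is left as-is; if `error` can echo request input it deserves the same filter.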
diff --git a/plugins/UsersManager/templates/index.twig b/plugins/UsersManager/templates/index.twig
index ca58a66426..82237074a1 100644
--- a/plugins/UsersManager/templates/index.twig
+++ b/plugins/UsersManager/templates/index.twig
@@ -6,7 +6,7 @@
<piwik-users-manager
initial-site-id="{{ idSiteSelected }}"
- initial-site-name="{{ defaultReportSiteName }}"
+ initial-site-name="{{ defaultReportSiteName|rawSafeDecoded }}"
current-user-role="'{{ currentUserRole }}'"
access-levels="{{ accessLevels|json_encode|e('html_attr') }}"
filter-access-levels="{{ filterAccessLevels|json_encode|e('html_attr') }}"
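Review bot: `initial-site-name` is the only attribute on this element whose value is neither wrapped in quotes (as `current-user-role="'{{ currentUserRole }}'"` is) nor JSON-encoded and attribute-escaped like `access-levels`; if the directive binds it as an expression (`=`) rather than a string (`@`), a site name would be handed to Angular's expression parser. If it is a string binding this is fine, but the neighbouring attributes show `|e('html_attr')` is the convention in this file, and a short comment on the element saying which attributes are strings and which are expressions would remove the ambiguity.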
diff --git a/plugins/UsersManager/templates/userSettings.twig b/plugins/UsersManager/templates/userSettings.twig
index 5ad0ffeee3..203039f8ad 100644
--- a/plugins/UsersManager/templates/userSettings.twig
+++ b/plugins/UsersManager/templates/userSettings.twig
@@ -58,7 +58,7 @@
show-selected-site="true"
class="sites_autocomplete"
siteid="{{ defaultReportIdSite }}"
- sitename="{{ defaultReportSiteName }}"
+ sitename="{{ defaultReportSiteName|rawSafeDecoded }}"
switch-site-on-select="false"
show-all-sites-item="false"
showselectedsite="true"