Security: Escape fields in template.

jmontoyaa · jmontoyaa · commit aced30eaed1c · 2020-04-24T09:53:48.000+02:00
diff --git a/main/template/default/social/user_block.tpl b/main/template/default/social/user_block.tpl
@@ -9,7 +9,10 @@
                     </a>
                     {% if _u.is_admin == 1 %}
                         <div class="pull-right">
-                            <a class="btn btn-default btn-sm btn-social-edit" title="{{ "Edit"|get_lang }}" href="{{ _p.web }}main/admin/user_edit.php?user_id={{ user.id }}">
+                            <a class="btn btn-default btn-sm btn-social-edit"
+                               title="{{ "Edit"|get_lang }}"
+                               href="{{ _p.web }}main/admin/user_edit.php?user_id={{ user.id }}"
+                            >
                                 <i class="fa fa-pencil" aria-hidden="true"></i>
                             </a>
                         </div>
@@ -99,11 +102,11 @@
                             {% set linkedin_url = '' %}
                             {% for extra in user.extra %}
                                 {% if extra.value.getField().getVariable() == 'skype' %}
-                                    {% set skype_account = extra.value.getValue() %}
+                                    {% set skype_account = extra.value.getValue() | escape %}
                                 {% endif %}
 
                                 {% if extra.value.getField().getVariable() == 'linkedin_url' %}
-                                    {% set linkedin_url = extra.value.getValue() %}
+                                    {% set linkedin_url = extra.value.getValue() | escape %}
                                 {% endif %}
                             {% endfor %}
 
@@ -127,7 +130,10 @@
                             {% if user.user_is_online_in_chat != 0 %}
                                 {% if user_relation == user_relation_type_friend %}
                                     <li class="item">
-                                        <a onclick="javascript:chatWith('{{ user.id }}', '{{ user.complete_name }}', '{{ user.user_is_online }}','{{ user.avatar_small }}')" href="javascript:void(0);">
+                                        <a
+                                            onclick="javascript:chatWith('{{ user.id }}', '{{ user.complete_name }}', '{{ user.user_is_online }}','{{ user.avatar_small }}')"
+                                            href="javascript:void(0);"
+                                        >
                                             <img src="{{ "online.png" | icon }}" alt="{{ "Online" | get_lang }}">
                                             {{ "Chat" | get_lang }} ({{ "Online" | get_lang }})
                                         </a>
@@ -145,11 +151,11 @@
                     </dl>
 
                     {% if not profile_edition_link is empty %}
-                    <li class="item">
-                        <a class="btn btn-default btn-sm btn-block" href="{{ profile_edition_link }}">
-                        <em class="fa fa-edit"></em>{{ "EditProfile" | get_lang }}
-                        </a>
-                    </li>
+                        <li class="item">
+                            <a class="btn btn-default btn-sm btn-block" href="{{ profile_edition_link }}">
+                            <em class="fa fa-edit"></em>{{ "EditProfile" | get_lang }}
+                            </a>
+                        </li>
                     {% endif %}
                     </ul>
                 </div>
