Merge pull request #430 from ikedas/issue-428 by ikedas

Template strings passed to javascript were not escaped

default/web_tt2/head_javascript.tt2

@@ -10,19 +10,19 @@
 <!--
 [%# A few configuration settings and miscellaneous vars. ~%]
 var sympa = {
-    backText:           "[%|loc%]Back[%END%]",
-    calendarButtonText: "[%|loc%]Calendar[%END%]",
+    backText:           '[%"Back"|loc|escape_cstr%]',
+    calendarButtonText: '[%"Calendar"|loc|escape_cstr%]',
     calendarFirstDay:   0,
-    closeText:          "[%|loc%]Close[%END%]",
-    dayNames:           "[%|loc%]Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday[%END%]".split(":"),
-    dayNamesMin:        "[%|loc%]Su:Mo:Tu:We:Th:Fr:Sa[%END%]".split(":"),
-    home_url:           '[% path_cgi %]/',
-    icons_url:          '[% icons_url %]',
-    lang:               '[% lang %]',
-    loadingText:        "[%|loc%]Please Wait...[%END%]",
-    monthNamesShort:    "[%|loc%]Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec[%END%]".split(":"),
-    openInNewWinText:   "[%|loc%]Open in a new window[%END%]",
-    resetText:          "[%|loc%]Reset[%END%]"
+    closeText:          '[%"Close"|loc|escape_cstr%]',
+    dayNames:           '[%"Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday"|loc|escape_cstr%]'.split(":"),
+    dayNamesMin:        '[%"Su:Mo:Tu:We:Th:Fr:Sa"|loc|escape_cstr%]'.split(":"),
+    home_url:           '[% path_cgi | escape_cstr %]/',
+    icons_url:          '[% icons_url | escape_cstr %]',
+    lang:               '[% lang | escape_cstr %]',
+    loadingText:        '[%"Please Wait..."|loc|escape_cstr%]',
+    monthNamesShort:    '[%"Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec"|loc|escape_cstr%]'.split(":"),
+    openInNewWinText:   '[%"Open in a new window"|loc|escape_cstr%]',
+    resetText:          '[%"Reset"|loc|escape_cstr%]'
 };
 [%# Variable for backward compatibility. ~%]
 var lang = '[% lang %]';

default/web_tt2/stats.tt2

@@ -21,7 +21,7 @@
     <!--
       var line = [% o.stats_values %];
       $.jqplot('[% chartid %]', [line], {
-        title: '[% o.title %]',
+        title: '[% o.title | escape_cstr %]',
         axesDefaults: {
           min: 0,
           tickRenderer: $.jqplot.CanvasAxisTickRenderer,

src/lib/Sympa/Template.pm

@@ -102,11 +102,18 @@ sub _escape_xml {
 }
 
 # Old name: tt2::escape_quote().
-sub _escape_quote {
+# No longer used.  Use _escape_cstr().
+#sub _escape_quote;
+
+sub _escape_cstr {
     my $string = shift;
 
-    $string =~ s/\'/\\\'/g;
-    $string =~ s/\"/\\\"/g;
+    $string =~ s{([\t\n\r\'\"\\])}{
+        ($1 eq "\t") ? "\\t" : 
+        ($1 eq "\n") ? "\\n" : 
+        ($1 eq "\r") ? "\\r" : 
+        "\\$1"
+    }eg;
 
     return $string;
 }
@@ -335,12 +342,12 @@ sub parse {
             mailtourl => [\&_mailtourl, 1],
             obfuscate => [\&_obfuscate, 1],
             optdesc => [sub { shift; $self->_optdesc_func(@_) }, 1],
-            qencode      => [\&qencode,       0],
-            escape_xml   => [\&_escape_xml,   0],
-            escape_url   => [\&_escape_url,   0],
-            escape_quote => [\&_escape_quote, 0],
-            decode_utf8  => [\&decode_utf8,   0],
-            encode_utf8  => [\&encode_utf8,   0],
+            qencode     => [\&qencode,      0],
+            escape_cstr => [\&_escape_cstr, 0],
+            escape_xml  => [\&_escape_xml,  0],
+            escape_url  => [\&_escape_url,  0],
+            decode_utf8 => [\&decode_utf8,  0],
+            encode_utf8 => [\&encode_utf8,  0],
             url_abs => [sub { shift; $self->_url_func(1, $data, @_) }, 1],
             url_rel => [sub { shift; $self->_url_func(0, $data, @_) }, 1],
             canonic_email => \&Sympa::Tools::Text::canonic_email,
@@ -514,10 +521,19 @@ No longer used.
 
 No longer used.
 
+=item escape_cstr
+
+Applies C-style escaping of a string (not enclosed by quotes).
+
+This filter was added on Sympa 6.2.38.
+
 =item escape_quote
 
 Escape quotation marks.
 
+B<Deprecated>.
+Use escape_cstr.
+
 =item escape_url
 
 Escapes URL.