エスケープ処理を付与

エスケープ漏れがあった場合でも、デフォルトフィルターによってサニタイズされるため実害は無いが、保険のためエスケープ処理を追加
EC-CUBE · Mar 28, 2022 · 44b9e46 · 44b9e46
1 parent 5d9bfd6
commit 44b9e46
Show file tree

Hide file tree

Showing 43 changed files with 154 additions and 154 deletions.
diff --git a/data/Smarty/templates/admin/basis/payment_input.tpl b/data/Smarty/templates/admin/basis/payment_input.tpl
@@ -79,10 +79,10 @@
                         <!--{assign var=key value="payment_image"}-->
                         <span class="attention"><!--{$arrErr[$key]}--></span>
                         <!--{if $arrFile[$key].filepath != ""}-->
-                        <img src="<!--{$arrFile[$key].filepath}-->" alt="<!--{$arrForm.name|h}-->">　<br /><a href="" onclick="eccube.setModeAndSubmit('delete_image', 'image_key', '<!--{$key}-->'); return false;">[画像の取り消し]</a><br />
+                        <img src="<!--{$arrFile[$key].filepath|h}-->" alt="<!--{$arrForm.name|h}-->">　<br /><a href="" onclick="eccube.setModeAndSubmit('delete_image', 'image_key', '<!--{$key|h}-->'); return false;">[画像の取り消し]</a><br />
                         <!--{/if}-->
-                        <input type="file" name="<!--{$key}-->" style="<!--{$arrErr[$key]|sfGetErrorColor}-->" />
-                        <a class="btn-normal" href="javascript:;" name="btn" onclick="eccube.setModeAndSubmit('upload_image', 'image_key', '<!--{$key}-->'); return false;">アップロード</a>
+                        <input type="file" name="<!--{$key|h}-->" style="<!--{$arrErr[$key]|sfGetErrorColor}-->" />
+                        <a class="btn-normal" href="javascript:;" name="btn" onclick="eccube.setModeAndSubmit('upload_image', 'image_key', '<!--{$key|h}-->'); return false;">アップロード</a>
                     </td>
                 </tr>
             </table>

diff --git a/data/Smarty/templates/admin/basis/point.tpl b/data/Smarty/templates/admin/basis/point.tpl
@@ -24,7 +24,7 @@
 
 <form name="point_form" id="point_form" method="post" action="">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
-    <input type="hidden" name="mode" value="<!--{$tpl_mode}-->" />
+    <input type="hidden" name="mode" value="<!--{$tpl_mode|h}-->" />
     <div id="basis" class="contents-main">
         <table>
             <tr>
@@ -51,7 +51,7 @@
 
         <div class="btn-area">
             <ul>
-                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('point_form', '<!--{$tpl_mode}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
+                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('point_form', '<!--{$tpl_mode|h}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
             </ul>
         </div>
     </div>

diff --git a/data/Smarty/templates/admin/basis/tradelaw.tpl b/data/Smarty/templates/admin/basis/tradelaw.tpl
@@ -24,7 +24,7 @@
 
 <form name="form1" id="form1" method="post" action="">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
-    <input type="hidden" name="mode" value="<!--{$tpl_mode}-->" />
+    <input type="hidden" name="mode" value="<!--{$tpl_mode|h}-->" />
     <div id="basis" class="contents-main">
         <table class="form">
             <tr>
@@ -197,7 +197,7 @@
 
         <div class="btn-area">
             <ul>
-                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('form1', '<!--{$tpl_mode}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
+                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('form1', '<!--{$tpl_mode|h}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
             </ul>
         </div>
     </div>

diff --git a/data/Smarty/templates/admin/contents/file_manager.tpl b/data/Smarty/templates/admin/contents/file_manager.tpl
@@ -25,7 +25,7 @@
 <script type="text/javascript">//<![CDATA[
     $(function() {
         var bread_crumbs = <!--{$tpl_now_dir}-->;
-        var file_path = '<!--{$tpl_file_path}-->';
+        var file_path = '<!--{$tpl_file_path|h}-->';
         var $delimiter = '<span>&nbsp;&gt;&nbsp;</span>';
         var $node = $('h2');
         var total = bread_crumbs.length;
@@ -114,7 +114,7 @@
                         </td>
                         <!--{if $arrFileList[cnt].is_dir}-->
                             <td class="center">
-                                <a href="javascript:;" onclick="eccube.setValue('tree_select_file', '<!--{$arrFileList[cnt].file_path}-->', 'form1'); eccube.fileManager.selectFile('<!--{$id|h}-->', '#808080');eccube.setModeAndSubmit('move','',''); return false;">表示</a>
+                                <a href="javascript:;" onclick="eccube.setValue('tree_select_file', '<!--{$arrFileList[cnt].file_path|h}-->', 'form1'); eccube.fileManager.selectFile('<!--{$id|h}-->', '#808080');eccube.setModeAndSubmit('move','',''); return false;">表示</a>
                             </td>
                         <!--{else}-->
                             <td class="center">

diff --git a/data/Smarty/templates/admin/contents/recommend_search.tpl b/data/Smarty/templates/admin/contents/recommend_search.tpl
@@ -58,11 +58,11 @@ function func_submit( id ){
         </tr>
         <tr>
             <th>商品コード</th>
-            <td><input type="text" name="search_product_code" value="<!--{$arrForm.search_product_code}-->" size="35" class="box35" /></td>
+            <td><input type="text" name="search_product_code" value="<!--{$arrForm.search_product_code|h}-->" size="35" class="box35" /></td>
         </tr>
         <tr>
             <th>商品名</th>
-            <td><input type="text" name="search_name" value="<!--{$arrForm.search_name}-->" size="35" class="box35" /></td>
+            <td><input type="text" name="search_name" value="<!--{$arrForm.search_name|h}-->" size="35" class="box35" /></td>
         </tr>
         <tr>
             <th>商品ステータス</th>

diff --git a/data/Smarty/templates/admin/customer/edit.tpl b/data/Smarty/templates/admin/customer/edit.tpl
@@ -267,7 +267,7 @@
         </div>
 
         <input type="hidden" name="order_id" value="" />
-        <input type="hidden" name="search_pageno" value="<!--{$tpl_pageno}-->" />
+        <input type="hidden" name="search_pageno" value="<!--{$tpl_pageno|h}-->" />
         <input type="hidden" name="edit_customer_id" value="<!--{$edit_customer_id|h}-->" />
 
         <h2>購入履歴一覧</h2>

diff --git a/data/Smarty/templates/admin/design/bloc.tpl b/data/Smarty/templates/admin/design/bloc.tpl
@@ -59,7 +59,7 @@
                 <td colspan="2">
                     <!--{assign var=key value="bloc_html"}-->
                     <textarea class="top" id="<!--{$key}-->" name="<!--{$key}-->" rows="<!--{$text_row}-->" style="width: 99%;"><!--{"\n"}--><!--{$arrForm[$key].value|h nofilter}--></textarea>
-                    <input type="hidden" name="html_area_row" value="<!--{$text_row}-->" />
+                    <input type="hidden" name="html_area_row" value="<!--{$text_row|h}-->" />
                     <div>
                         <a id="resize-btn" class="btn-normal" href="javascript:;" onclick="eccube.toggleRows('#resize-btn', '#bloc_html', 50, 13); return false;">拡大</a>
                     </div>

diff --git a/data/Smarty/templates/admin/design/css.tpl b/data/Smarty/templates/admin/design/css.tpl
@@ -52,7 +52,7 @@
                 <td>
                     <!--{assign var=key value="css_data"}-->
                     <textarea id="css" class="top" name="<!--{$key}-->" cols="90" rows="<!--{$area_row}-->" align="left" style="width: 650px;"><!--{"\n"}--><!--{$arrForm[$key].value|h}--></textarea>
-                    <input type="hidden" name="area_row" value="<!--{$area_row}-->" />
+                    <input type="hidden" name="area_row" value="<!--{$area_row|h}-->" />
                     <div class="btn">
                         <a id="resize-btn" class="btn-normal" href="javascript:;" onclick="eccube.toggleRows('#resize-btn', '#css', 50, 30); return false;">拡大</a>
                     </div>

diff --git a/data/Smarty/templates/admin/design/header.tpl b/data/Smarty/templates/admin/design/header.tpl
@@ -36,7 +36,7 @@
         <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
         <input type="hidden" name="mode" value="" />
         <input type="hidden" name="division" value="header" />
-        <input type="hidden" name="header_row" value="<!--{$header_row}-->" />
+        <input type="hidden" name="header_row" value="<!--{$header_row|h}-->" />
         <input type="hidden" name="device_type_id" value="<!--{$device_type_id|h}-->" />
 
         <textarea id="header-area" class="top" name="header" rows="<!--{$header_row}-->" style="width: 100%;"><!--{"\n"}--><!--{$header_data|h nofilter}--></textarea>
@@ -59,7 +59,7 @@
         <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
         <input type="hidden" name="mode" value="" />
         <input type="hidden" name="division" value="footer" />
-        <input type="hidden" name="footer_row" value="<!--{$footer_row}-->" />
+        <input type="hidden" name="footer_row" value="<!--{$footer_row|h}-->" />
         <input type="hidden" name="device_type_id" value="<!--{$device_type_id|h}-->" />
 
         <textarea id="footer-area" class="top" name="footer" rows="<!--{$footer_row}-->" style="width: 100%;"><!--{"\n"}--><!--{$footer_data|h nofilter}--></textarea>

diff --git a/data/Smarty/templates/admin/design/main_edit.tpl b/data/Smarty/templates/admin/design/main_edit.tpl
@@ -82,7 +82,7 @@ function fnTargetSelf(){
                 <label for="footer-chk"><input type="checkbox" name="footer_chk" id="footer-chk" value="1" <!--{if $arrForm.footer_chk.value == "1"}-->checked="checked"<!--{/if}--> />共通のフッターを使用する</label>
                 <div>
                     <textarea id="tpl_data" class="top" name="tpl_data" rows="<!--{$text_row}-->" style="width: 98%;"><!--{"\n"}--><!--{$arrForm.tpl_data.value|h nofilter}--></textarea>
-                    <input type="hidden" name="html_area_row" value="<!--{$text_row}-->" /><br />
+                    <input type="hidden" name="html_area_row" value="<!--{$text_row|h}-->" /><br />
                     <a id="resize-btn" class="btn-normal" href="javascript:;" onclick="eccube.toggleRows('#resize-btn', '#tpl_data', 50, 13); return false;"><span>拡大</span></a>
                 </div>
             </td>

diff --git a/data/Smarty/templates/admin/design/template.tpl b/data/Smarty/templates/admin/design/template.tpl
@@ -71,8 +71,8 @@ function submitRegister() {
                 <td><input type="radio" name="template_code" value="<!--{$tplcode|h}-->" <!--{if $tplcode == $tpl_select}-->checked="checked"<!--{/if}--> /></td>
                 <td class="left"><!--{$tpl.template_name|h}--></td>
                 <td class="left">data/Smarty/templates/<!--{$tplcode|h}-->/</td>
-                <td><span class="icon_confirm"><a href="javascript:;" onclick="eccube.fnFormModeSubmit('form2', 'download','template_code','<!--{$tplcode}-->');return false;">ダウンロード</a></span></td>
-                <td><span class="icon_delete"><a href="javascript:;" onclick="eccube.fnFormModeSubmit('form2', 'delete','template_code','<!--{$tplcode}-->');return false;">削除</a></span></td>
+                <td><span class="icon_confirm"><a href="javascript:;" onclick="eccube.fnFormModeSubmit('form2', 'download','template_code','<!--{$tplcode|h}-->');return false;">ダウンロード</a></span></td>
+                <td><span class="icon_delete"><a href="javascript:;" onclick="eccube.fnFormModeSubmit('form2', 'delete','template_code','<!--{$tplcode|h}-->');return false;">削除</a></span></td>
             </tr>
             <!--{/foreach}-->
         </table>

diff --git a/data/Smarty/templates/admin/mail/input.tpl b/data/Smarty/templates/admin/mail/input.tpl
@@ -34,7 +34,7 @@
     <!--{/if}-->
 <!--{/foreach}-->
 <input type="hidden" name="mode" value="template" />
-<input type="hidden" name="mail_method" value="<!--{$arrForm.mail_method.value}-->" />
+<input type="hidden" name="mail_method" value="<!--{$arrForm.mail_method.value|h}-->" />
 <div id="mail" class="contents-main">
     <table class="form">
         <tr>

diff --git a/data/Smarty/templates/admin/mail/template_input.tpl b/data/Smarty/templates/admin/mail/template_input.tpl
@@ -24,7 +24,7 @@
 
 <form name="form1" id="form1" method="post" action="?">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
-    <input type="hidden" name="mode" value="<!--{$mode}-->" />
+    <input type="hidden" name="mode" value="<!--{$mode|h}-->" />
     <input type="hidden" name="template_id" value="<!--{$arrForm.template_id|h}-->" />
     <div id="mail" class="contents-main">
         <table class="form">
@@ -56,7 +56,7 @@
         </table>
         <div class="btn-area">
             <ul>
-                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('form1', '<!--{$mode}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
+                <li><a class="btn-action" href="javascript:;" onclick="eccube.fnFormModeSubmit('form1', '<!--{$mode|h}-->', '', ''); return false;"><span class="btn-next">この内容で登録する</span></a></li>
             </ul>
         </div>
     </div>