数値項目にエスケープ処理を付与

エスケープ漏れがあった場合でも、デフォルトフィルターによってサニタイズされるため実害は無いが、保険のためエスケープ処理を追加
EC-CUBE · Mar 24, 2022 · 5d9bfd6 · 5d9bfd6
1 parent 0c0c25a
commit 5d9bfd6
Show file tree

Hide file tree

Showing 57 changed files with 159 additions and 159 deletions.
diff --git a/data/Smarty/templates/admin/basis/delivery.tpl b/data/Smarty/templates/admin/basis/delivery.tpl
@@ -50,16 +50,16 @@
                 <tr>
                     <td><!--{$arrDelivList[cnt].name|h}--></td>
                     <td><!--{$arrDelivList[cnt].service_name|h}--></td>
-                    <td align="center"><a href="?" onclick="eccube.changeAction('./delivery_input.php'); eccube.setModeAndSubmit('pre_edit', 'deliv_id', <!--{$arrDelivList[cnt].deliv_id}-->); return false;">
+                    <td align="center"><a href="?" onclick="eccube.changeAction('./delivery_input.php'); eccube.setModeAndSubmit('pre_edit', 'deliv_id', <!--{$arrDelivList[cnt].deliv_id|h}-->); return false;">
                         編集</a></td>
-                    <td align="center"><a href="?" onclick="eccube.setModeAndSubmit('delete', 'deliv_id', <!--{$arrDelivList[cnt].deliv_id}-->); return false;">
+                    <td align="center"><a href="?" onclick="eccube.setModeAndSubmit('delete', 'deliv_id', <!--{$arrDelivList[cnt].deliv_id|h}-->); return false;">
                         削除</a></td>
                     <td align="center">
                     <!--{if $smarty.section.cnt.iteration != 1}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('up','deliv_id', '<!--{$arrDelivList[cnt].deliv_id}-->'); return false;">上へ</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('up','deliv_id', '<!--{$arrDelivList[cnt].deliv_id|h}-->'); return false;">上へ</a>
                     <!--{/if}-->
                     <!--{if $smarty.section.cnt.iteration != $smarty.section.cnt.last}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('down','deliv_id', '<!--{$arrDelivList[cnt].deliv_id}-->'); return false;">下へ</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('down','deliv_id', '<!--{$arrDelivList[cnt].deliv_id|h}-->'); return false;">下へ</a>
                     <!--{/if}-->
                     </td>
                 </tr>

diff --git a/data/Smarty/templates/admin/basis/holiday.tpl b/data/Smarty/templates/admin/basis/holiday.tpl
@@ -25,7 +25,7 @@
 <form name="form1" id="form1" method="post" action="?">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
     <input type="hidden" name="mode" value="edit" />
-    <input type="hidden" name="holiday_id" value="<!--{$tpl_holiday_id}-->" />
+    <input type="hidden" name="holiday_id" value="<!--{$tpl_holiday_id|h}-->" />
     <div id="basis" class="contents-main">
 
         <table class="form">
@@ -85,7 +85,7 @@
                 <td><!--{$arrHoliday[cnt].month|h}-->月<!--{$arrHoliday[cnt].day|h}-->日</td>
                 <td class="center">
                     <!--{if $tpl_holiday_id != $arrHoliday[cnt].holiday_id}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id}-->); return false;">編集</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id|h}-->); return false;">編集</a>
                     <!--{else}-->
                     編集中
                     <!--{/if}-->
@@ -94,15 +94,15 @@
                     <!--{if $arrClassCatCount[$class_id] > 0}-->
                     -
                     <!--{else}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('delete', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id}-->); return false;">削除</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('delete', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id|h}-->); return false;">削除</a>
                     <!--{/if}-->
                 </td>
                 <td class="center">
                     <!--{if $smarty.section.cnt.iteration != 1}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('up', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id}-->); return false;">上へ</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('up', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id|h}-->); return false;">上へ</a>
                     <!--{/if}-->
                     <!--{if $smarty.section.cnt.iteration != $smarty.section.cnt.last}-->
-                    <a href="?" onclick="eccube.setModeAndSubmit('down', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id}-->); return false;">下へ</a>
+                    <a href="?" onclick="eccube.setModeAndSubmit('down', 'holiday_id', <!--{$arrHoliday[cnt].holiday_id|h}-->); return false;">下へ</a>
                     <!--{/if}-->
                 </td>
             </tr>

diff --git a/data/Smarty/templates/admin/basis/kiyaku.tpl b/data/Smarty/templates/admin/basis/kiyaku.tpl
@@ -25,7 +25,7 @@
 <form name="form1" id="form1" method="post" action="?">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
     <input type="hidden" name="mode" value="edit" />
-    <input type="hidden" name="kiyaku_id" value="<!--{$tpl_kiyaku_id}-->" />
+    <input type="hidden" name="kiyaku_id" value="<!--{$tpl_kiyaku_id|h}-->" />
     <div id="basis" class="contents-main">
         <table class="form">
             <tr>
@@ -69,7 +69,7 @@
                     <td><!--{* 規格名 *}--><!--{$arrKiyaku[cnt].kiyaku_title|h}--></td>
                     <td align="center">
                         <!--{if $tpl_kiyaku_id != $arrKiyaku[cnt].kiyaku_id}-->
-                        <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id}-->); return false;">編集</a>
+                        <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id|h}-->); return false;">編集</a>
                         <!--{else}-->
                         編集中
                         <!--{/if}-->
@@ -78,15 +78,15 @@
                         <!--{if $arrClassCatCount[$class_id] > 0}-->
                         -
                         <!--{else}-->
-                        <a href="?" onclick="eccube.setModeAndSubmit('delete', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id}-->); return false;">削除</a>
+                        <a href="?" onclick="eccube.setModeAndSubmit('delete', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id|h}-->); return false;">削除</a>
                         <!--{/if}-->
                     </td>
                     <td align="center">
                         <!--{if $smarty.section.cnt.iteration != 1}-->
-                        <a href="?" onclick="eccube.setModeAndSubmit('up', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id}-->); return false;">上へ</a>
+                        <a href="?" onclick="eccube.setModeAndSubmit('up', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id|h}-->); return false;">上へ</a>
                         <!--{/if}-->
                         <!--{if $smarty.section.cnt.iteration != $smarty.section.cnt.last}-->
-                        <a href="?" onclick="eccube.setModeAndSubmit('down', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id}-->); return false;">下へ</a>
+                        <a href="?" onclick="eccube.setModeAndSubmit('down', 'kiyaku_id', <!--{$arrKiyaku[cnt].kiyaku_id|h}-->); return false;">下へ</a>
                         <!--{/if}-->
                     </td>
                 </tr>

diff --git a/data/Smarty/templates/admin/basis/payment.tpl b/data/Smarty/templates/admin/basis/payment.tpl
@@ -25,7 +25,7 @@
 <form name="form1" id="form1" method="post" action="?">
     <input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
     <input type="hidden" name="mode" value="edit" />
-    <input type="hidden" name="payment_id" value="<!--{$tpl_payment_id}-->" />
+    <input type="hidden" name="payment_id" value="<!--{$tpl_payment_id|h}-->" />
     <div id="basis" class="contents-main">
         <div class="btn">
             <ul>
@@ -62,14 +62,14 @@
                 <td class="center">
                     <!--{if $arrPaymentListFree[cnt].rule_max > 0}--><!--{$arrPaymentListFree[cnt].rule_max|n2s|h}--><!--{else}-->0<!--{/if}-->円
                     <!--{if $arrPaymentListFree[cnt].upper_rule > 0}-->～<!--{$arrPaymentListFree[cnt].upper_rule|n2s|h}-->円<!--{elseif $arrPaymentListFree[cnt].upper_rule == "0"}--><!--{else}-->～無制限<!--{/if}--></td>
-                <td class="center"><!--{if $arrPaymentListFree[cnt].fix != 1}--><a href="?" onclick="eccube.changeAction('./payment_input.php'); eccube.setModeAndSubmit('pre_edit', 'payment_id', <!--{$arrPaymentListFree[cnt].payment_id}-->); return false;">編集</a><!--{else}-->-<!--{/if}--></td>
-                <td class="center"><!--{if $arrPaymentListFree[cnt].fix != 1}--><a href="?" onclick="eccube.setModeAndSubmit('delete', 'payment_id', <!--{$arrPaymentListFree[cnt].payment_id}-->); return false;">削除</a><!--{else}-->-<!--{/if}--></td>
+                <td class="center"><!--{if $arrPaymentListFree[cnt].fix != 1}--><a href="?" onclick="eccube.changeAction('./payment_input.php'); eccube.setModeAndSubmit('pre_edit', 'payment_id', <!--{$arrPaymentListFree[cnt].payment_id|h}-->); return false;">編集</a><!--{else}-->-<!--{/if}--></td>
+                <td class="center"><!--{if $arrPaymentListFree[cnt].fix != 1}--><a href="?" onclick="eccube.setModeAndSubmit('delete', 'payment_id', <!--{$arrPaymentListFree[cnt].payment_id|h}-->); return false;">削除</a><!--{else}-->-<!--{/if}--></td>
                 <td class="center">
                 <!--{if $smarty.section.cnt.iteration != 1}-->
-                <a href="?" onclick="eccube.setModeAndSubmit('up','payment_id', <!--{$arrPaymentListFree[cnt].payment_id}-->); return false;">上へ</a>
+                <a href="?" onclick="eccube.setModeAndSubmit('up','payment_id', <!--{$arrPaymentListFree[cnt].payment_id|h}-->); return false;">上へ</a>
                 <!--{/if}-->
                 <!--{if $smarty.section.cnt.iteration != $smarty.section.cnt.last}-->
-                <a href="?" onclick="eccube.setModeAndSubmit('down','payment_id', <!--{$arrPaymentListFree[cnt].payment_id}-->); return false;">下へ</a>
+                <a href="?" onclick="eccube.setModeAndSubmit('down','payment_id', <!--{$arrPaymentListFree[cnt].payment_id|h}-->); return false;">下へ</a>
                 <!--{/if}-->
                 </td>
             </tr>

diff --git a/data/Smarty/templates/admin/basis/tax.tpl b/data/Smarty/templates/admin/basis/tax.tpl
@@ -126,7 +126,7 @@
             </td>
             <td class="center">
             <!--{if $tpl_tax_rule_id != $arrTaxrule[cnt].tax_rule_id}-->
-                <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'tax_rule_id', '<!--{$arrTaxrule[cnt].tax_rule_id}-->'); return false;">編集</a>
+                <a href="?" onclick="eccube.setModeAndSubmit('pre_edit', 'tax_rule_id', '<!--{$arrTaxrule[cnt].tax_rule_id|h}-->'); return false;">編集</a>
             <!--{else}-->
                 編集中
             <!--{/if}-->
@@ -135,7 +135,7 @@
             <!--{if $arrTaxrule[cnt].tax_rule_id == 0}-->
                 -
             <!--{else}-->
-                <a href="?" onclick="eccube.setModeAndSubmit('delete', 'tax_rule_id', '<!--{$arrTaxrule[cnt].tax_rule_id}-->'); return false;">削除</a>
+                <a href="?" onclick="eccube.setModeAndSubmit('delete', 'tax_rule_id', '<!--{$arrTaxrule[cnt].tax_rule_id|h}-->'); return false;">削除</a>
             <!--{/if}-->
             </td>
         </tr>

diff --git a/data/Smarty/templates/admin/contents/csv_sql.tpl b/data/Smarty/templates/admin/contents/csv_sql.tpl
@@ -58,8 +58,8 @@ function fnTargetSelf(){
                         </td>
                         <td>
                             <div class="btn">
-                                <a class="btn-normal" href="javascript:;" name='csv' onclick="fnTargetSelf(); eccube.fnFormModeSubmit('form1','csv_output','csv_output_id',<!--{$item.sql_id}-->); return false;"><span>CSV出力</span></a>
-                                <a class="btn-normal" href="javascript:;" name='del' onclick="fnTargetSelf(); eccube.fnFormModeSubmit('form1','delete','sql_id',<!--{$item.sql_id}-->); return false;"><span>削除</span></a>
+                                <a class="btn-normal" href="javascript:;" name='csv' onclick="fnTargetSelf(); eccube.fnFormModeSubmit('form1','csv_output','csv_output_id',<!--{$item.sql_id|h}-->); return false;"><span>CSV出力</span></a>
+                                <a class="btn-normal" href="javascript:;" name='del' onclick="fnTargetSelf(); eccube.fnFormModeSubmit('form1','delete','sql_id',<!--{$item.sql_id|h}-->); return false;"><span>削除</span></a>
                             </div>
                         </td>
                     </tr>

diff --git a/data/Smarty/templates/admin/contents/file_manager.tpl b/data/Smarty/templates/admin/contents/file_manager.tpl
@@ -114,7 +114,7 @@
                         </td>
                         <!--{if $arrFileList[cnt].is_dir}-->
                             <td class="center">
-                                <a href="javascript:;" onclick="eccube.setValue('tree_select_file', '<!--{$arrFileList[cnt].file_path}-->', 'form1'); eccube.fileManager.selectFile('<!--{$id}-->', '#808080');eccube.setModeAndSubmit('move','',''); return false;">表示</a>
+                                <a href="javascript:;" onclick="eccube.setValue('tree_select_file', '<!--{$arrFileList[cnt].file_path}-->', 'form1'); eccube.fileManager.selectFile('<!--{$id|h}-->', '#808080');eccube.setModeAndSubmit('move','',''); return false;">表示</a>
                             </td>
                         <!--{else}-->
                             <td class="center">

diff --git a/data/Smarty/templates/admin/contents/recommend.tpl b/data/Smarty/templates/admin/contents/recommend.tpl
@@ -161,10 +161,10 @@ function lfnSortItem(mode,data,form){
                 <td>
                     <!--{* 移動 *}-->
                     <!--{if $smarty.section.cnt.iteration != 1 && $arrItems[$smarty.section.cnt.iteration].best_id}-->
-                        <a href="?" onclick="lfnSortItem('up',<!--{$arrItems[$smarty.section.cnt.iteration].best_id}-->,'form<!--{$smarty.section.cnt.iteration-1}-->'); return false;">上へ</a><br />&nbsp;
+                        <a href="?" onclick="lfnSortItem('up',<!--{$arrItems[$smarty.section.cnt.iteration].best_id|h}-->,'form<!--{$smarty.section.cnt.iteration-1}-->'); return false;">上へ</a><br />&nbsp;
                     <!--{/if}-->
                     <!--{if $smarty.section.cnt.iteration != $tpl_disp_max && $arrItems[$smarty.section.cnt.iteration].best_id}-->
-                        <a href="?" onclick="lfnSortItem('down',<!--{$arrItems[$smarty.section.cnt.iteration].best_id}-->,'form<!--{$smarty.section.cnt.iteration+1}-->'); return false;">下へ</a>
+                        <a href="?" onclick="lfnSortItem('down',<!--{$arrItems[$smarty.section.cnt.iteration].best_id|h}-->,'form<!--{$smarty.section.cnt.iteration+1}-->'); return false;">下へ</a>
                     <!--{/if}-->
                 </td>
             </tr>

diff --git a/data/Smarty/templates/admin/contents/recommend_search.tpl b/data/Smarty/templates/admin/contents/recommend_search.tpl
@@ -114,7 +114,7 @@ function func_submit( id ){
                 <!--{/if}-->
             </td>
             <td><!--{$arr.name|h}--></td>
-            <td class="center"><a href="" onclick="return func_submit(<!--{$arr.product_id}-->)">決定</a></td>
+            <td class="center"><a href="" onclick="return func_submit(<!--{$arr.product_id|h}-->)">決定</a></td>
         </tr>
         <!--▲商品<!--{$smarty.foreach.loop.iteration}-->-->
         <!--{/foreach}-->

diff --git a/data/Smarty/templates/admin/customer/edit.tpl b/data/Smarty/templates/admin/customer/edit.tpl
@@ -268,7 +268,7 @@
 
         <input type="hidden" name="order_id" value="" />
         <input type="hidden" name="search_pageno" value="<!--{$tpl_pageno}-->" />
-        <input type="hidden" name="edit_customer_id" value="<!--{$edit_customer_id}-->" />
+        <input type="hidden" name="edit_customer_id" value="<!--{$edit_customer_id|h}-->" />
 
         <h2>購入履歴一覧</h2>
         <!--{if $tpl_linemax > 0}-->
@@ -288,7 +288,7 @@
                 <!--{section name=cnt loop=$arrPurchaseHistory}-->
                     <tr>
                         <td><!--{$arrPurchaseHistory[cnt].create_date|sfDispDBDate}--></td>
-                        <td class="center"><a href="../order/edit.php?order_id=<!--{$arrPurchaseHistory[cnt].order_id}-->" ><!--{$arrPurchaseHistory[cnt].order_id}--></a></td>
+                        <td class="center"><a href="../order/edit.php?order_id=<!--{$arrPurchaseHistory[cnt].order_id|h}-->" ><!--{$arrPurchaseHistory[cnt].order_id|h}--></a></td>
                         <td class="center"><!--{$arrPurchaseHistory[cnt].payment_total|n2s}-->円</td>
                         <td class="center"><!--{if $arrPurchaseHistory[cnt].status eq 5}--><!--{$arrPurchaseHistory[cnt].commit_date|sfDispDBDate}--><!--{else}-->未発送<!--{/if}--></td>
                         <!--{assign var=payment_id value="`$arrPurchaseHistory[cnt].payment_id`"}-->