Merge pull request #2492 from mastihios/patch-input-html-escape
Change <input value="..."> encoding to HTML.escape
		| @@ -72,7 +72,7 @@ | |||||||
|                 <input type="hidden" name="expire" value="<%= expire %>"> |                 <input type="hidden" name="expire" value="<%= expire %>"> | ||||||
|             <% end %> |             <% end %> | ||||||
|  |  | ||||||
|             <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |             <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|         </form> |         </form> | ||||||
|     </div> |     </div> | ||||||
| <% end %> | <% end %> | ||||||
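Review bot: The encoding switch changes what the browser submits, not only how the attribute is written: with `URI.encode_www_form` the rendered value was percent-encoded and, after the one round of form decoding the server does, the handler saw that encoded form; with `HTML.escape` the browser entity-decodes the attribute and posts the literal token. Whether the code that verifies `csrf_token` still URL-decodes the posted value cannot be seen from these templates; if it does, a token containing `+` or `%` would now be altered before comparison, so that extra decode would have to go along with this change. `HTML.escape` is the correct encoding for a double-quoted attribute value, so the change itself is sound, and this same observation applies to every hunk below. In this hunk the neighbouring `value="<%= expire %>"` is still interpolated raw; that is harmless if `expire` is always numeric, otherwise `value="<%= HTML.escape(expire.to_s) %>"` keeps the two inputs consistent.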
|   | |||||||
| @@ -23,7 +23,7 @@ | |||||||
|                         <%= translate(locale, "Change password") %> |                         <%= translate(locale, "Change password") %> | ||||||
|                     </button> |                     </button> | ||||||
|  |  | ||||||
|                     <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |                     <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|                 </fieldset> |                 </fieldset> | ||||||
|             </form> |             </form> | ||||||
|         </div> |         </div> | ||||||
|   | |||||||
| @@ -19,6 +19,6 @@ | |||||||
|             </div> |             </div> | ||||||
|         </div> |         </div> | ||||||
|  |  | ||||||
|         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |         <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|     </form> |     </form> | ||||||
| </div> | </div> | ||||||
|   | |||||||
| @@ -54,7 +54,7 @@ | |||||||
|                         <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/> |                         <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/> | ||||||
|                         <% if plid = env.get?("remove_playlist_items") %> |                         <% if plid = env.get?("remove_playlist_items") %> | ||||||
|                             <form data-onsubmit="return_false" action="/playlist_ajax?action_remove_video=1&set_video_id=<%= item.index %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post"> |                             <form data-onsubmit="return_false" action="/playlist_ajax?action_remove_video=1&set_video_id=<%= item.index %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                                 <p class="watched"> |                                 <p class="watched"> | ||||||
|                                     <a data-onclick="remove_playlist_item" data-index="<%= item.index %>" data-plid="<%= plid %>" href="javascript:void(0)"> |                                     <a data-onclick="remove_playlist_item" data-index="<%= item.index %>" data-plid="<%= plid %>" href="javascript:void(0)"> | ||||||
|                                         <button type="submit" style="all:unset"> |                                         <button type="submit" style="all:unset"> | ||||||
| @@ -106,7 +106,7 @@ | |||||||
|                         <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/> |                         <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/> | ||||||
|                         <% if env.get? "show_watched" %> |                         <% if env.get? "show_watched" %> | ||||||
|                             <form data-onsubmit="return_false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post"> |                             <form data-onsubmit="return_false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                                 <p class="watched"> |                                 <p class="watched"> | ||||||
|                                     <a data-onclick="mark_watched" data-id="<%= item.id %>" href="javascript:void(0)"> |                                     <a data-onclick="mark_watched" data-id="<%= item.id %>" href="javascript:void(0)"> | ||||||
|                                         <button type="submit" style="all:unset"> |                                         <button type="submit" style="all:unset"> | ||||||
| @@ -119,7 +119,7 @@ | |||||||
|                             </form> |                             </form> | ||||||
|                         <% elsif plid = env.get? "add_playlist_items" %> |                         <% elsif plid = env.get? "add_playlist_items" %> | ||||||
|                             <form data-onsubmit="return_false" action="/playlist_ajax?action_add_video=1&video_id=<%= item.id %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post"> |                             <form data-onsubmit="return_false" action="/playlist_ajax?action_add_video=1&video_id=<%= item.id %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                                 <p class="watched"> |                                 <p class="watched"> | ||||||
|                                     <a data-onclick="add_playlist_item" data-id="<%= item.id %>" data-plid="<%= plid %>" href="javascript:void(0)"> |                                     <a data-onclick="add_playlist_item" data-id="<%= item.id %>" data-plid="<%= plid %>" href="javascript:void(0)"> | ||||||
|                                         <button type="submit" style="all:unset"> |                                         <button type="submit" style="all:unset"> | ||||||
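Review bot: Only the `csrf_token` input in each of these three hunks received `HTML.escape`; the form `action` attributes directly above it still interpolate `plid`, `item.index`, `item.id` and `env.get("current_page")` with no encoding at all, and `plid` also lands raw in `data-plid`. Where those values originate is not visible here, but they sit inside a double-quoted attribute that is also a query string, so the consistent treatment is `URI.encode_www_form(...)` for the query-string parts (which leaves nothing for the attribute context to escape) and `HTML.escape(plid)` for the `data-*` attribute. The same pattern recurs in the subscription, channel, sign-out and token-revoke forms further down this page (`ucid`, `channel.id`, `token[:session]` and the `referer=` parameter), so it is worth fixing in one pass. The enclosing `<% if %>` branches and `<form>` elements open and close outside these hunks.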
|   | |||||||
| @@ -2,7 +2,7 @@ | |||||||
|     <% if subscriptions.includes? ucid %> |     <% if subscriptions.includes? ucid %> | ||||||
|         <p> |         <p> | ||||||
|             <form action="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post"> |             <form action="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                 <button data-type="unsubscribe" id="subscribe" class="pure-button pure-button-primary"> |                 <button data-type="unsubscribe" id="subscribe" class="pure-button pure-button-primary"> | ||||||
|                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %>"></b> |                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %>"></b> | ||||||
|                 </button> |                 </button> | ||||||
| @@ -11,7 +11,7 @@ | |||||||
|     <% else %> |     <% else %> | ||||||
|         <p> |         <p> | ||||||
|             <form action="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post"> |             <form action="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                 <button data-type="subscribe" id="subscribe" class="pure-button pure-button-primary"> |                 <button data-type="subscribe" id="subscribe" class="pure-button pure-button-primary"> | ||||||
|                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Subscribe") %> | <%= sub_count_text %>"></b> |                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Subscribe") %> | <%= sub_count_text %>"></b> | ||||||
|                 </button> |                 </button> | ||||||
|   | |||||||
| @@ -30,7 +30,7 @@ | |||||||
|                         </button> |                         </button> | ||||||
|                     </div> |                     </div> | ||||||
|  |  | ||||||
|                     <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |                     <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|                 </fieldset> |                 </fieldset> | ||||||
|             </form> |             </form> | ||||||
|         </div> |         </div> | ||||||
|   | |||||||
| @@ -19,6 +19,6 @@ | |||||||
|             </div> |             </div> | ||||||
|         </div> |         </div> | ||||||
|  |  | ||||||
|         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |         <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|     </form> |     </form> | ||||||
| </div> | </div> | ||||||
|   | |||||||
| @@ -19,6 +19,6 @@ | |||||||
|             </div> |             </div> | ||||||
|         </div> |         </div> | ||||||
|  |  | ||||||
|         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |         <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
|     </form> |     </form> | ||||||
| </div> | </div> | ||||||
|   | |||||||
| @@ -41,7 +41,7 @@ | |||||||
|     <div class="h-box"> |     <div class="h-box"> | ||||||
|         <textarea maxlength="5000" name="description" style="margin-top:10px;max-width:100%;height:20vh" class="pure-input-1"><%= playlist.description %></textarea> |         <textarea maxlength="5000" name="description" style="margin-top:10px;max-width:100%;height:20vh" class="pure-input-1"><%= playlist.description %></textarea> | ||||||
|     </div> |     </div> | ||||||
|     <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>"> |     <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>"> | ||||||
| </form> | </form> | ||||||
|  |  | ||||||
| <% if playlist.is_a?(InvidiousPlaylist) && playlist.author == user.try &.email %> | <% if playlist.is_a?(InvidiousPlaylist) && playlist.author == user.try &.email %> | ||||||
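Review bot: `<%= playlist.description %>` inside the `<textarea>` on the description line is still emitted raw while the `csrf_token` input two lines below now goes through `HTML.escape`; a description containing `</textarea>` would end the element early. Unless the value is escaped before it reaches the template (not visible here), `<textarea ...><%= HTML.escape(playlist.description) %></textarea>` is the consistent fix, and it round-trips correctly because the browser entity-decodes textarea content before submitting it. The enclosing `<form>` opens outside this hunk.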
|   | |||||||
| @@ -66,7 +66,7 @@ | |||||||
|                                 <% captcha = captcha.not_nil! %> |                                 <% captcha = captcha.not_nil! %> | ||||||
|                                 <img style="width:50%" src='<%= captcha[:question] %>'/> |                                 <img style="width:50%" src='<%= captcha[:question] %>'/> | ||||||
|                                 <% captcha[:tokens].each_with_index do |token, i| %> |                                 <% captcha[:tokens].each_with_index do |token, i| %> | ||||||
|                                     <input type="hidden" name="token[<%= i %>]" value="<%= URI.encode_www_form(token) %>"> |                                     <input type="hidden" name="token[<%= i %>]" value="<%= HTML.escape(token) %>"> | ||||||
|                                 <% end %> |                                 <% end %> | ||||||
|                                 <input type="hidden" name="captcha_type" value="image"> |                                 <input type="hidden" name="captcha_type" value="image"> | ||||||
|                                 <label for="answer"><%= translate(locale, "Time (h:mm:ss):") %></label> |                                 <label for="answer"><%= translate(locale, "Time (h:mm:ss):") %></label> | ||||||
| @@ -74,7 +74,7 @@ | |||||||
|                             <% else # "text" %> |                             <% else # "text" %> | ||||||
|                                 <% captcha = captcha.not_nil! %> |                                 <% captcha = captcha.not_nil! %> | ||||||
|                                 <% captcha[:tokens].each_with_index do |token, i| %> |                                 <% captcha[:tokens].each_with_index do |token, i| %> | ||||||
|                                     <input type="hidden" name="token[<%= i %>]" value="<%= URI.encode_www_form(token) %>"> |                                     <input type="hidden" name="token[<%= i %>]" value="<%= HTML.escape(token) %>"> | ||||||
|                                 <% end %> |                                 <% end %> | ||||||
|                                 <input type="hidden" name="captcha_type" value="text"> |                                 <input type="hidden" name="captcha_type" value="text"> | ||||||
|                                 <label for="answer"><%= captcha[:question] %></label> |                                 <label for="answer"><%= captcha[:question] %></label> | ||||||
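Review bot: `captcha[:question]` is interpolated unescaped into `src='…'` in the first hunk and into the `<label>` body in the second, while the sibling `token` values now go through `HTML.escape`. If the question string is produced by a captcha source outside this codebase, the same `HTML.escape(captcha[:question])` belongs on both spots; with a single-quoted `src` attribute, a stray `'` in the value already breaks the markup. The `<img>` on that line also has no `alt`, which is worth adding (`alt=""` or a short description) while the line is being touched.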
|   | |||||||
| @@ -38,7 +38,7 @@ | |||||||
|             <div class="pure-u-1-5" style="text-align:right"> |             <div class="pure-u-1-5" style="text-align:right"> | ||||||
|                 <h3 style="padding-right:0.5em"> |                 <h3 style="padding-right:0.5em"> | ||||||
|                     <form data-onsubmit="return_false" action="/subscription_ajax?action_remove_subscriptions=1&c=<%= channel.id %>&referer=<%= env.get("current_page") %>" method="post"> |                     <form data-onsubmit="return_false" action="/subscription_ajax?action_remove_subscriptions=1&c=<%= channel.id %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                         <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                         <a data-onclick="remove_subscription" data-ucid="<%= channel.id %>" href="#"> |                         <a data-onclick="remove_subscription" data-ucid="<%= channel.id %>" href="#"> | ||||||
|                             <input style="all:unset" type="submit" value="<%= translate(locale, "unsubscribe") %>"> |                             <input style="all:unset" type="submit" value="<%= translate(locale, "unsubscribe") %>"> | ||||||
|                         </a> |                         </a> | ||||||
|   | |||||||
| @@ -72,7 +72,7 @@ | |||||||
|                         <% end %> |                         <% end %> | ||||||
|                         <div class="pure-u-1-4"> |                         <div class="pure-u-1-4"> | ||||||
|                             <form action="/signout?referer=<%= env.get?("current_page") %>" method="post"> |                             <form action="/signout?referer=<%= env.get?("current_page") %>" method="post"> | ||||||
|                                 <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                                 <a class="pure-menu-heading" href="#"> |                                 <a class="pure-menu-heading" href="#"> | ||||||
|                                     <input style="all:unset" type="submit" value="<%= translate(locale, "Log out") %>"> |                                     <input style="all:unset" type="submit" value="<%= translate(locale, "Log out") %>"> | ||||||
|                                 </a> |                                 </a> | ||||||
|   | |||||||
| @@ -30,7 +30,7 @@ | |||||||
|         <div class="pure-u-1-5" style="text-align:right"> |         <div class="pure-u-1-5" style="text-align:right"> | ||||||
|             <h3 style="padding-right:0.5em"> |             <h3 style="padding-right:0.5em"> | ||||||
|                 <form data-onsubmit="return_false" action="/token_ajax?action_revoke_token=1&session=<%= token[:session] %>&referer=<%= env.get("current_page") %>" method="post"> |                 <form data-onsubmit="return_false" action="/token_ajax?action_revoke_token=1&session=<%= token[:session] %>&referer=<%= env.get("current_page") %>" method="post"> | ||||||
|                     <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"> |                     <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>"> | ||||||
|                     <a data-onclick="revoke_token" data-session="<%= token[:session] %>" href="#"> |                     <a data-onclick="revoke_token" data-session="<%= token[:session] %>" href="#"> | ||||||
|                         <input style="all:unset" type="submit" value="<%= translate(locale, "revoke") %>"> |                         <input style="all:unset" type="submit" value="<%= translate(locale, "revoke") %>"> | ||||||
|                     </a> |                     </a> | ||||||
|   | |||||||
	 Samantaz Fox
					Samantaz Fox