Fixed Attributes are not always filtered

[Kirby]

Affected version

2.0.9

1. In \XF\Template\Templater::fnShowIgnored():
   

   . ' title="' . \XF::phrase('show_hidden_content_by_x', ['names' => '{{names}}']) . '"'

   should be
   

   . ' title="' . $this->filterForAttr($this, \XF::phrase('show_hidden_content_by_x', ['names' => '{{names}}']), $null) . '"'

2. In \XF\Template\Templater::getDataRowCell():
   

   $tooltip = \XF::phrase('delete');

   should be
   

   $tooltip = $this->filterForAttr($this, \XF::phrase('delete'), $null);

 

[Kirby]

Another one in \XF\Template\Templater::formEditor()

'title' => \XF::phrase('custom_bb_code_title.' . $k),

 

[Kirby]

And a bunch of templates

admin:PAGE_CONTAINER

aria-label="{{ phrase('menu') }}">
<a href="{{ link('index') }}" class="p-header-button" aria-label="{{ phrase('home') }}">
<a class="p-header-button" data-xf-key="{{ phrase('shortcut.search_menu') }}"
<a class="offCanvasMenu-closer" data-menu-close="true" role="button" tabindex="0" aria-label="{{ phrase('close') }}">
<a class="p-nav-sectionToggle js-navSectionToggle" role="button" tabindex="0" aria-label="{{ phrase('toggle_expanded') }}">

admin:addon_list_macros

<input type="text" class="input js-filterInput" placeholder="{{ phrase('filter...') }}"

admin:admin_navigation_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:category_tree_macros

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:filter_macros

<input type="text" class="input js-filterInput" placeholder="{{ phrase('filter...') }}"

admin:navigation_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:node_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:permission_macros

<input type="text" class="input js-permissionFilterInput" placeholder="{{ phrase('filter...') }}"

admin:smilie_sort

<div class="nestable-handle nestable-handle--full" aria-label="{{ phrase('drag_handle') }}">

public:PAGE_CONTAINER

aria-label="{{ phrase('search_within') }}">
<input class="input" name="c[users]" data-xf-init="auto-complete" placeholder="{{ phrase('member') }}"
<a class="offCanvasMenu-closer" data-menu-close="true" role="button" tabindex="0" aria-label="{{ phrase('close') }}">

public:lightbox_macros

<div class="lbContainer-zoomer js-lbImage-{$id}" data-src="{$src}" aria-label="{{ phrase('zoom') }}">

public:multi_quote_macros

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

public:page_nav

data-xf-init="tooltip" title="{{ phrase('last') }}">

 

[Xon]

This regex mostly finds raw html which uses phrases without the for_attr filter;

<(?!xf\:).*?=["']\{\{\s*phrase\(.*?\)(?!\|for_attr)\s*\}\}[^>]*>

Some false positives when dealing with multi-line stuff, and nested tags

 

[Chris D]

Another one in \XF\Template\Templater::formEditor()

'title' => \XF::phrase('custom_bb_code_title.' . $k),

That's not actually used in an attribute, and rendered as JSON so the appropriate escaping should happen there.

And a bunch of templates

admin:PAGE_CONTAINER

aria-label="{{ phrase('menu') }}">
<a href="{{ link('index') }}" class="p-header-button" aria-label="{{ phrase('home') }}">
<a class="p-header-button" data-xf-key="{{ phrase('shortcut.search_menu') }}"
<a class="offCanvasMenu-closer" data-menu-close="true" role="button" tabindex="0" aria-label="{{ phrase('close') }}">
<a class="p-nav-sectionToggle js-navSectionToggle" role="button" tabindex="0" aria-label="{{ phrase('toggle_expanded') }}">

admin:addon_list_macros

<input type="text" class="input js-filterInput" placeholder="{{ phrase('filter...') }}"

admin:admin_navigation_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:category_tree_macros

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:filter_macros

<input type="text" class="input js-filterInput" placeholder="{{ phrase('filter...') }}"

admin:navigation_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:node_sort

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

admin:permission_macros

<input type="text" class="input js-permissionFilterInput" placeholder="{{ phrase('filter...') }}"

admin:smilie_sort

<div class="nestable-handle nestable-handle--full" aria-label="{{ phrase('drag_handle') }}">

public:PAGE_CONTAINER

aria-label="{{ phrase('search_within') }}">
<input class="input" name="c[users]" data-xf-init="auto-complete" placeholder="{{ phrase('member') }}"
<a class="offCanvasMenu-closer" data-menu-close="true" role="button" tabindex="0" aria-label="{{ phrase('close') }}">

public:lightbox_macros

<div class="lbContainer-zoomer js-lbImage-{$id}" data-src="{$src}" aria-label="{{ phrase('zoom') }}">

public:multi_quote_macros

<div class="nestable-handle" aria-label="{{ phrase('drag_handle') }}">

public:page_nav

data-xf-init="tooltip" title="{{ phrase('last') }}">

This regex mostly finds raw html which uses phrases without the for_attr filter;

<(?!xf\:).*?=["']\{\{\s*phrase\(.*?\)(?!\|for_attr)\s*\}\}[^>]*>

Some false positives when dealing with multi-line stuff, and nested tags

Mostly all sorted, I think, thanks.

 

[Kirby]

Just in case this was missed (was not listed before and not grabbed by regex):

public:PAGE_CONTAINER

title="{{ $xf.session.reportCounts.lastBuilt ? phrase('last_report_update:') . ' ' . date_time($xf.session.reportCounts.lastBuilt) : '' }}">

 

[Kirby]

@Chris D

I am not sure if it would be preferred to open a new bug report or to "re-open" this one so I'll first post here:

This issue does not seem to be fully fixed, if I put HTML into phrase delete and afterwards access the language list the display is garbled.

As mentioned in the first post, this is caused by \XF\Template\Templater::getDataRowCell() not escaping the phrase when used for the title attribute.

\XF\Template\Templater::fnDisplayTotals seems to be affected as well for phrase there_are_x_items_in_total

 

[Mike]

It's probably best to do separate bugs for each instance as they can be more easily tracked that way.