From 467a31fa3b50b67a5763378fe18f13bec7e5564b Mon Sep 17 00:00:00 2001
From: Sarjuuk
Date: Sat, 19 Dec 2020 00:04:35 +0100
Subject: [PATCH] Template/Escaped Strings * escape creature subnames in DetailPage * escape creature names & subnames in Tooltips * js escape inherited filter froms
---
 includes/types/creature.class.php | 4 ++--
 pages/npc.php | 2 +-
 template/bricks/pageTemplate.tpl.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/types/creature.class.php b/includes/types/creature.class.php
index 05b8deff..c76a8d85 100644
--- a/includes/types/creature.class.php
+++ b/includes/types/creature.class.php
@@ -81,10 +81,10 @@ class CreatureList extends BaseType
 $row3[] = '('.$_.')';
 $x = '';
- $x .= '';
+ $x .= '';
 if ($sn = $this->getField('subname', true))
- $x .= '';
+ $x .= '';
 $x .= '';
diff --git a/pages/npc.php b/pages/npc.php
index aa343dc0..1267b1a7 100644
--- a/pages/npc.php
+++ b/pages/npc.php
@@ -37,7 +37,7 @@ class NpcPage extends GenericPage
 $this->notFound(Lang::game('npc'), Lang::npc('notFound'));
 $this->name = Util::htmlEscape($this->subject->getField('name', true));
- $this->subname = $this->subject->getField('subname', true);
+ $this->subname = Util::htmlEscape($this->subject->getField('subname', true));
 }
 protected function generatePath()
diff --git a/template/bricks/pageTemplate.tpl.php b/template/bricks/pageTemplate.tpl.php
index 308edfe5..3a48fc73 100644
--- a/template/bricks/pageTemplate.tpl.php
+++ b/template/bricks/pageTemplate.tpl.php
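Review bot: The last tooltip row in the creature.class.php hunk still concatenates `implode(' ', $row3)` unescaped, while the name and subname rows above it now go through `Util::htmlEscape()`. The entries of `$row3` are built before this hunk (only `$row3[] = '('.$_.')';` is visible), so whether `$_` can carry plain text from the database cannot be confirmed from here. If it can, escape where the entry is appended, e.g. `$row3[] = '('.Util::htmlEscape($_).')';`, and leave entries that intentionally hold markup alone. The enclosing method starts and ends outside the hunk.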
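Review bot: In the npc.php hunk `$this->subname` is escaped at assignment rather than at output, so from the constructor onward the property holds HTML-encoded text. Every reader then has to emit it as-is in an HTML text context; a reader that escapes again, or that places it in a title, JSON or script context, would show entities such as `&amp;` literally or apply the wrong encoding. The consumers are not visible here, so the template and any other use of the property are worth checking. A comment on the assignment would keep the contract visible: `// name and subname are stored HTML-escaped: print as-is in HTML, never re-escape`. The constructor begins outside the hunk.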
@@ -25,7 +25,7 @@ if (!empty($this->pageTemplate)):
 endif;
 if (!empty($fi)):
- echo " Menu.modifyUrl(Menu.findItem(mn_database, [".$fi['menuItem']."]), { filter: '+=".$fi['query']."' }, { onAppendCollision: fi_mergeFilterParams, onAppendEmpty: fi_setFilterParams, menuUrl: Menu.getItemUrl(Menu.findItem(mn_database, [".$fi['menuItem']."])) });\n";
+ echo " Menu.modifyUrl(Menu.findItem(mn_database, [".Util::jsEscape($fi['query'])."' }, { onAppendCollision: fi_mergeFilterParams, onAppendEmpty: fi_setFilterParams, menuUrl: Menu.getItemUrl(Menu.findItem(mn_database, [".$fi['menuItem']."])) });\n";
 // $(document).ready(function(){ Menu.modifyUrl(Menu.findItem(mn_path, [1,5]), { filter: 'na=Malgayne'}, { onAppendCollision: fi_mergeFilterParams }) });
 endif; ?>
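Review bot: `$fi['menuItem']` is still written raw into the generated script, twice, inside `Menu.findItem(mn_database, [...])` on the same line where `$fi['query']` is now passed through `Util::jsEscape()`. Where `$fi` is filled is not visible in this hunk; if `menuItem` is always a server-side list of integers the output is safe, but restricting it to digits and commas at the point of output would make that explicit rather than assumed. Separately, this line is presumably emitted inside a `<script>` element, and `Util::jsEscape()` is not shown, so it is worth confirming that it also neutralises `<` or `</script>`; escaping quotes and backslashes alone does not stop the HTML parser from ending the script block. A short comment above the echo stating which `$fi` keys are trusted and which are request-derived would document the assumption.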
'.$this->getField('name', true).'
'.Util::htmlEscape($this->getField('name', true)).'
'.$sn.'
'.Util::htmlEscape($sn).'
'.implode(' ', $row3).'