| author | Alexandre Avenel <avenel.alexandre@gmail.com> | 2017-02-16 23:11:30 +0100 |
|---|---|---|
| committer | Alexandre Avenel <avenel.alexandre@gmail.com> | 2017-02-16 23:11:30 +0100 |
| commit | baba943e623ba5d1f12f579e87d04c6cb65fb061 (patch) | |
| tree | 2552c94d2bbee2ae3bb8327e548bc68feb4f1660 /budget/templates | |
| parent | 3dd7c67ecf5e2c5d21ec387bbd82e0fa3b90ad5b (diff) | |
Fix xss (#173)
Fix #173
Rewrite the multi-select widget as a template so that all rendered values are properly escaped.
Diffstat (limited to 'budget/templates')
| -rw-r--r-- | budget/templates/forms.html | 13 | ||||
| -rw-r--r-- | budget/templates/list_bills.html | 2 |
2 files changed, 13 insertions, 2 deletions
diff --git a/budget/templates/forms.html b/budget/templates/forms.html
index af24fe2..8698e37 100644
--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@@ -85,7 +85,18 @@
 {{ input(form.what, inline=True) }}
 {{ input(form.payer, inline=True, class="form-control custom-select") }}
 {{ input(form.amount, inline=True) }}
- {{ input(form.payed_for, inline=True, class="form-check-input") }}
+
+ <div class="form-group row">
+ <label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
+ <div class="controls col-9">
+ <ul id="payed_for" class="inputs-list">
+ <p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
+ {% for key, value, checked in form.payed_for.iter_choices() %}
+ <p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
+ {% endfor %}
+ </ul>
+ </div>
+ </div>
 </fieldset>
 <div class="actions">
 {{ form.submit(class="btn btn-primary") }}
diff --git a/budget/templates/list_bills.html b/budget/templates/list_bills.html
index 9421650..a9af4de 100644
--- a/budget/templates/list_bills.html
+++ b/budget/templates/list_bills.html
@@ -107,7 +107,7 @@
 <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
 <tbody>
 {% for bill in bills %}
- <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}>
+ <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
 <td>{{ bill.date }}</td>
 <td>{{ bill.payer }}</td>
 <td>{{ bill.what }}</td> |
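Review bot: The `for="payed_for-{{key}}"` on the added label points at an id that nothing in the hunk defines — the wrapped `<input>` carries `name`, `type`, `class` and `value` but no `id` — so it should either be dropped or matched with `id="payed_for-{{key}}"` on the input (the implicit association through wrapping is what keeps it working today). The `<p>` elements placed directly inside `<ul id="payed_for">` are not valid list content either; `<li>` is the conforming element, though the `inputs-list` styling may depend on the current markup. The escaping fix itself rests on Jinja autoescaping being active for this template (the Flask default for `.html` templates), which is worth pinning with a test that renders a member name such as `<script>` and asserts it arrives as `&lt;script&gt;`. The inline `onclick="selectall()"` / `onclick="selectnone()"` handlers on the added anchors would be blocked under a Content-Security-Policy without `'unsafe-inline'`; binding them from a script block is the CSP-friendly form. The enclosing form and `<fieldset>` begin outside the hunk.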
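Review bot: `owers` and `payer` on the `<tr>` are non-standard attributes; the HTML-conforming way to carry per-row data is `data-owers="..."` and `data-payer="..."`, read through `dataset` on the script side. The consumer of these attributes is not visible in this hunk, so that rename would need the matching JavaScript change in the same commit. Quoting the values is the right fix for attribute breakout, because Jinja's autoescape encodes `"` but not whitespace, and a short comment such as `{# keep these attribute values quoted: autoescaping does not encode spaces #}` would stop the quotes being dropped again later. The enclosing `{% for bill in bills %}` loop ends outside the hunk.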
