From baba943e623ba5d1f12f579e87d04c6cb65fb061 Mon Sep 17 00:00:00 2001
From: Alexandre Avenel <avenel.alexandre@gmail.com>
Date: Thu, 16 Feb 2017 23:11:30 +0100
Subject: Fix xss (#173)

Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
---
 budget/templates/forms.html | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'budget/templates/forms.html')

diff --git a/budget/templates/forms.html b/budget/templates/forms.html
index af24fe2..8698e37 100644
--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@@ -85,7 +85,18 @@
     {{ input(form.what, inline=True) }}
     {{ input(form.payer, inline=True, class="form-control custom-select") }}
     {{ input(form.amount, inline=True) }}
-    {{ input(form.payed_for, inline=True, class="form-check-input") }}
+
+    <div class="form-group row">
+        <label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
+        <div class="controls col-9">
+            <ul id="payed_for" class="inputs-list">
+                <p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
+            {% for key, value, checked in form.payed_for.iter_choices() %}
+                <p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
+            {% endfor %}
+            </ul>
+        </div>
+    </div>
     </fieldset>
     <div class="actions">
         {{ form.submit(class="btn btn-primary") }}
-- 
cgit v1.1