From baba943e623ba5d1f12f579e87d04c6cb65fb061 Mon Sep 17 00:00:00 2001
From: Alexandre Avenel <avenel.alexandre@gmail.com>
Date: Thu, 16 Feb 2017 23:11:30 +0100
Subject: Fix xss (#173)

Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
---
 budget/templates/forms.html      | 13 ++++++++++++-
 budget/templates/list_bills.html |  2 +-
 2 files changed, 13 insertions(+), 2 deletions(-)

(limited to 'budget/templates')

diff --git a/budget/templates/forms.html b/budget/templates/forms.html
index af24fe2..8698e37 100644
--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@@ -85,7 +85,18 @@
     {{ input(form.what, inline=True) }}
     {{ input(form.payer, inline=True, class="form-control custom-select") }}
     {{ input(form.amount, inline=True) }}
-    {{ input(form.payed_for, inline=True, class="form-check-input") }}
+
+    <div class="form-group row">
+        <label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
+        <div class="controls col-9">
+            <ul id="payed_for" class="inputs-list">
+                <p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
+            {% for key, value, checked in form.payed_for.iter_choices() %}
+                <p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
+            {% endfor %}
+            </ul>
+        </div>
+    </div>
     </fieldset>
     <div class="actions">
         {{ form.submit(class="btn btn-primary") }}
diff --git a/budget/templates/list_bills.html b/budget/templates/list_bills.html
index 9421650..a9af4de 100644
--- a/budget/templates/list_bills.html
+++ b/budget/templates/list_bills.html
@@ -107,7 +107,7 @@
         <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
     <tbody>
     {% for bill in bills %}
-    <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}>
+    <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
             <td>{{ bill.date }}</td>
             <td>{{ bill.payer }}</td>
             <td>{{ bill.what }}</td>
-- 
cgit v1.1