Escape all IDs in HTML.
authorDavid ‘Bombe’ Roden <bombe@pterodactylus.net>
Tue, 19 Oct 2010 20:20:16 +0000 (22:20 +0200)
committerDavid ‘Bombe’ Roden <bombe@pterodactylus.net>
Tue, 19 Oct 2010 20:20:16 +0000 (22:20 +0200)
src/main/resources/templates/include/head.html
src/main/resources/templates/include/viewPost.html
src/main/resources/templates/include/viewSone.html

index b1d01bc..c198fc4 100644 (file)
@@ -13,7 +13,7 @@
 
                <div id="profile" class="<%ifnull currentSone>offline<%else>online<%/if>">
                        <div class="picture"></div>
-                       <div class="nice-name profile-link"><a href="viewSone.html?sone=<% currentSone.id>"><% currentSone.niceName|html></a></div>
+                       <div class="nice-name profile-link"><a href="viewSone.html?sone=<% currentSone.id|html>"><% currentSone.niceName|html></a></div>
                        <div class="edit-profile-link"><a href="editProfile.html"><%= View.Head.ProfileLink.Text|l10n|html></a></div>
                        <%ifnull ! currentSone>
                                <%include include/updateStatus.html>
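Review bot: `|html` on line 16's `currentSone.id` is the right escaping for an attribute value, but it is not URL-encoding: the browser decodes `&amp;` back to `&` before resolving the href, so an id containing `&`, `=`, `#` or `?` would still split or truncate the `sone=` query parameter. If the template engine offers a percent-encoding filter, it belongs on the id before `|html`; the same applies to the `?sone=` and `?post=` hrefs this commit touches in viewPost.html and viewSone.html. If Sone ids are known to be limited to a URL-safe alphabet, a short comment in the template stating that assumption would let the next reader stop worrying about it — I cannot tell from the hunk which is the case.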
index 7c0eb19..adeb92a 100644 (file)
@@ -1,29 +1,29 @@
-<div id="<% post.id>" class="post">
+<div id="<% post.id|html>" class="post">
        <div>
-               <div class="author profile-link"><a href="viewSone.html?sone=<% post.sone.id>"><% post.sone.niceName|html></a></div>
+               <div class="author profile-link"><a href="viewSone.html?sone=<% post.sone.id|html>"><% post.sone.niceName|html></a></div>
                <div class="text"><% post.text|html></div>
        </div>
        <div class="status-line">
-               <div class="time"><a href="viewPost.html?post=<% post.id>"><% post.time|date format="MMM d, yyyy, HH:mm:ss"></a></div>
-               <%if post.sone.current><div class="delete"><a href="deletePost.html?post=<% post.id>"><%= View.Post.DeleteLink|l10n|html></a></div><%/if>
+               <div class="time"><a href="viewPost.html?post=<% post.id|html>"><% post.time|date format="MMM d, yyyy, HH:mm:ss"></a></div>
+               <%if post.sone.current><div class="delete"><a href="deletePost.html?post=<% post.id|html>"><%= View.Post.DeleteLink|l10n|html></a></div><%/if>
        </div>
        <div class="replies">
                <%foreach post.replies reply>
                        <div class="reply">
                                <div>
-                                       <div class="author profile-link"><a href="viewSone.html?sone=<% reply.sone.id>"><% reply.sone.niceName|html></a></div>
+                                       <div class="author profile-link"><a href="viewSone.html?sone=<% reply.sone.id|html>"><% reply.sone.niceName|html></a></div>
                                        <div class="text"><% reply.text|html></div>
                                </div>
                                <div class="status-line">
                                        <div class="time"><% reply.time|date format="MMM d, yyyy, HH:mm:ss"></div>
-                                       <%if reply.sone.current><div class="delete"><a href="deleteReply.html?reply=<% reply.id>"><%= View.Post.Reply.DeleteLink|l10n|html></a></div><%/if>
+                                       <%if reply.sone.current><div class="delete"><a href="deleteReply.html?reply=<% reply.id|html>"><%= View.Post.Reply.DeleteLink|l10n|html></a></div><%/if>
                                </div>
                        </div>
                <%/foreach>
                <div class="create-reply">
                        <form method="post" action="createReply.html">
                                <input type="hidden" name="formPassword" value="<% formPassword|html>" />
-                               <input type="hidden" name="post" value="<% post.id>" />
+                               <input type="hidden" name="post" value="<% post.id|html>" />
                                <input type="text" class="reply-input" name="text" value="" />
                                <button type="submit"><%= View.Post.SendReply|l10n|html></button>
                        </form>
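Review bot: The escaped `post.id` on line 23 becomes a raw DOM `id`, so the escaping keeps it inside the attribute but does not make it a usable or unique element id: a value with spaces, or one that coincides with another id on the page (head.html uses `profile`), would interfere with `getElementById` and `#id` selectors, and if post ids can arrive from other nodes that value is not under this page's control. A namespaced id such as `<div id="post-<% post.id|html>" class="post">` avoids such collisions, at the cost of updating any CSS or script that looks the ids up, which I cannot see from this hunk. Separately, the reply input on line 55 has no `<label>`; a visually hidden label or `aria-label` would give it an accessible name.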
index dbcfa4d..7d3dd24 100644 (file)
@@ -5,33 +5,33 @@
        <div class="insert-marker" title="<%= View.Sone.Status.Inserting|l10n|html>">⬈</div>
        <div class="idle-marker" title="<%= View.Sone.Status.Idle|l10n|html>">✔</div>
        <div class="last-update"><%= View.Sone.Label.LastUpdate|l10n|html> <% sone.time|date format="MMM d, yyyy, HH:mm:ss"></div>
-       <div class="profile-link"><a href="viewSone.html?sone=<% sone.id>" title="<% sone.requestUri|html>"><% sone.niceName|html></a></div>
+       <div class="profile-link"><a href="viewSone.html?sone=<% sone.id|html>" title="<% sone.requestUri|html>"><% sone.niceName|html></a></div>
        <div class="short-request-uri"><% sone.requestUri|substring start=4 length=43|html></div>
        <%ifnull ! currentSone>
                <%if ! sone.current>
                        <%if sone.friend>
                                <form class="unfollow" action="unfollowSone.html" method="post">
                                        <input type="hidden" name="formPassword" value="<% formPassword|html>" />
-                                       <input type="hidden" name="sone" value="<% sone.id>" />
+                                       <input type="hidden" name="sone" value="<% sone.id|html>" />
                                        <button type="submit"><%= View.Sone.Button.UnfollowSone|l10n|html></button>
                                </form>
                        <%else>
                                <form class="follow" action="followSone.html" method="post">
                                        <input type="hidden" name="formPassword" value="<% formPassword|html>" />
-                                       <input type="hidden" name="sone" value="<% sone.id>" />
+                                       <input type="hidden" name="sone" value="<% sone.id|html>" />
                                        <button type="submit"><%= View.Sone.Button.FollowSone|l10n|html></button>
                                </form>
                        <%/if>
                        <%if sone.blocked>
                                <form class="unblock" action="unblockSone.html" method="post">
                                        <input type="hidden" name="formPassword" value="<% formPassword|html>" />
-                                       <input type="hidden" name="sone" value="<% sone.id>" />
+                                       <input type="hidden" name="sone" value="<% sone.id|html>" />
                                        <button type="submit"><%= View.Sone.Button.UnblockSone|l10n|html></button>
                                </form>
                        <%else>
                                <form class="block" action="blockSone.html" method="post">
                                        <input type="hidden" name="formPassword" value="<% formPassword|html>" />
-                                       <input type="hidden" name="sone" value="<% sone.id>" />
+                                       <input type="hidden" name="sone" value="<% sone.id|html>" />
                                        <button type="submit"><%= View.Sone.Button.BlockSone|l10n|html></button>
                                </form>
                        <%/if>
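Review bot: The follow, unfollow, block and unblock forms on lines 69–96 each repeat the same `formPassword` and `sone` hidden inputs, and this commit had to patch the `sone` value in all four copies; moving the two hidden inputs into a shared include would make the escaping a single decision rather than four places to keep in sync. The forms themselves look right for state-changing actions: `method="post"` with the `formPassword` token carried along. Note that the `<%ifnull ! currentSone>` and `<%if ! sone.current>` blocks opened on lines 66–67 close outside this hunk.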