From 392f9808f16132b2827114466985df704f6e47e5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?David=20=E2=80=98Bombe=E2=80=99=20Roden?=
 <bombe@pterodactylus.net>
Date: Tue, 19 Oct 2010 22:20:16 +0200
Subject: [PATCH] Escape all IDs in HTML.

---
 src/main/resources/templates/include/head.html     |  2 +-
 src/main/resources/templates/include/viewPost.html | 14 +++++++-------
 src/main/resources/templates/include/viewSone.html | 10 +++++-----
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/main/resources/templates/include/head.html b/src/main/resources/templates/include/head.html
index b1d01bc..c198fc4 100644
--- a/src/main/resources/templates/include/head.html
+++ b/src/main/resources/templates/include/head.html
@@ -13,7 +13,7 @@
 
 		<div id="profile" class="<%ifnull currentSone>offline<%else>online<%/if>">
 			<div class="picture"></div>
-			<div class="nice-name profile-link"><a href="viewSone.html?sone=<% currentSone.id>"><% currentSone.niceName|html></a></div>
+			<div class="nice-name profile-link"><a href="viewSone.html?sone=<% currentSone.id|html>"><% currentSone.niceName|html></a></div>
 			<div class="edit-profile-link"><a href="editProfile.html"><%= View.Head.ProfileLink.Text|l10n|html></a></div>
 			<%ifnull ! currentSone>
 				<%include include/updateStatus.html>
diff --git a/src/main/resources/templates/include/viewPost.html b/src/main/resources/templates/include/viewPost.html
index 7c0eb19..adeb92a 100644
--- a/src/main/resources/templates/include/viewPost.html
+++ b/src/main/resources/templates/include/viewPost.html
@@ -1,29 +1,29 @@
-<div id="<% post.id>" class="post">
+<div id="<% post.id|html>" class="post">
 	<div>
-		<div class="author profile-link"><a href="viewSone.html?sone=<% post.sone.id>"><% post.sone.niceName|html></a></div>
+		<div class="author profile-link"><a href="viewSone.html?sone=<% post.sone.id|html>"><% post.sone.niceName|html></a></div>
 		<div class="text"><% post.text|html></div>
 	</div>
 	<div class="status-line">
-		<div class="time"><a href="viewPost.html?post=<% post.id>"><% post.time|date format="MMM d, yyyy, HH:mm:ss"></a></div>
-		<%if post.sone.current><div class="delete"><a href="deletePost.html?post=<% post.id>"><%= View.Post.DeleteLink|l10n|html></a></div><%/if>
+		<div class="time"><a href="viewPost.html?post=<% post.id|html>"><% post.time|date format="MMM d, yyyy, HH:mm:ss"></a></div>
+		<%if post.sone.current><div class="delete"><a href="deletePost.html?post=<% post.id|html>"><%= View.Post.DeleteLink|l10n|html></a></div><%/if>
 	</div>
 	<div class="replies">
 		<%foreach post.replies reply>
 			<div class="reply">
 				<div>
-					<div class="author profile-link"><a href="viewSone.html?sone=<% reply.sone.id>"><% reply.sone.niceName|html></a></div>
+					<div class="author profile-link"><a href="viewSone.html?sone=<% reply.sone.id|html>"><% reply.sone.niceName|html></a></div>
 					<div class="text"><% reply.text|html></div>
 				</div>
 				<div class="status-line">
 					<div class="time"><% reply.time|date format="MMM d, yyyy, HH:mm:ss"></div>
-					<%if reply.sone.current><div class="delete"><a href="deleteReply.html?reply=<% reply.id>"><%= View.Post.Reply.DeleteLink|l10n|html></a></div><%/if>
+					<%if reply.sone.current><div class="delete"><a href="deleteReply.html?reply=<% reply.id|html>"><%= View.Post.Reply.DeleteLink|l10n|html></a></div><%/if>
 				</div>
 			</div>
 		<%/foreach>
 		<div class="create-reply">
 			<form method="post" action="createReply.html">
 				<input type="hidden" name="formPassword" value="<% formPassword|html>" />
-				<input type="hidden" name="post" value="<% post.id>" />
+				<input type="hidden" name="post" value="<% post.id|html>" />
 				<input type="text" class="reply-input" name="text" value="" />
 				<button type="submit"><%= View.Post.SendReply|l10n|html></button>
 			</form>
diff --git a/src/main/resources/templates/include/viewSone.html b/src/main/resources/templates/include/viewSone.html
index dbcfa4d..7d3dd24 100644
--- a/src/main/resources/templates/include/viewSone.html
+++ b/src/main/resources/templates/include/viewSone.html
@@ -5,33 +5,33 @@
 	<div class="insert-marker" title="<%= View.Sone.Status.Inserting|l10n|html>">â¬</div>
 	<div class="idle-marker" title="<%= View.Sone.Status.Idle|l10n|html>">â</div>
 	<div class="last-update"><%= View.Sone.Label.LastUpdate|l10n|html> <% sone.time|date format="MMM d, yyyy, HH:mm:ss"></div>
-	<div class="profile-link"><a href="viewSone.html?sone=<% sone.id>" title="<% sone.requestUri|html>"><% sone.niceName|html></a></div>
+	<div class="profile-link"><a href="viewSone.html?sone=<% sone.id|html>" title="<% sone.requestUri|html>"><% sone.niceName|html></a></div>
 	<div class="short-request-uri"><% sone.requestUri|substring start=4 length=43|html></div>
 	<%ifnull ! currentSone>
 		<%if ! sone.current>
 			<%if sone.friend>
 				<form class="unfollow" action="unfollowSone.html" method="post">
 					<input type="hidden" name="formPassword" value="<% formPassword|html>" />
-					<input type="hidden" name="sone" value="<% sone.id>" />
+					<input type="hidden" name="sone" value="<% sone.id|html>" />
 					<button type="submit"><%= View.Sone.Button.UnfollowSone|l10n|html></button>
 				</form>
 			<%else>
 				<form class="follow" action="followSone.html" method="post">
 					<input type="hidden" name="formPassword" value="<% formPassword|html>" />
-					<input type="hidden" name="sone" value="<% sone.id>" />
+					<input type="hidden" name="sone" value="<% sone.id|html>" />
 					<button type="submit"><%= View.Sone.Button.FollowSone|l10n|html></button>
 				</form>
 			<%/if>
 			<%if sone.blocked>
 				<form class="unblock" action="unblockSone.html" method="post">
 					<input type="hidden" name="formPassword" value="<% formPassword|html>" />
-					<input type="hidden" name="sone" value="<% sone.id>" />
+					<input type="hidden" name="sone" value="<% sone.id|html>" />
 					<button type="submit"><%= View.Sone.Button.UnblockSone|l10n|html></button>
 				</form>
 			<%else>
 				<form class="block" action="blockSone.html" method="post">
 					<input type="hidden" name="formPassword" value="<% formPassword|html>" />
-					<input type="hidden" name="sone" value="<% sone.id>" />
+					<input type="hidden" name="sone" value="<% sone.id|html>" />
 					<button type="submit"><%= View.Sone.Button.BlockSone|l10n|html></button>
 				</form>
 			<%/if>
-- 
2.7.4

