diff options
| author | Matthew Somerville <matthew@mysociety.org> | 2019-11-26 17:09:56 +0000 |
|---|---|---|
| committer | Matthew Somerville <matthew@mysociety.org> | 2019-12-09 09:38:03 +0000 |
| commit | 6c2d3d5a7d84521d34daa2cf7e4be76a54b3b0e0 (patch) | |
| tree | 75ef8cd6e1df444572ae5ec3a4048e6c3366a088 /perllib/FixMyStreet/DB/Result/Problem.pm | |
| parent | a4290acdff6781979cc3cd7c0142d553236e5666 (diff) | |
Switch to default-escaped in templates.
This means any variable used in a template is automatically
HTML-escaped, unless it is marked as safe either in code by
using a SafeString, or in the template with the `mark_safe`
function or the `safe` filter.
Diffstat (limited to 'perllib/FixMyStreet/DB/Result/Problem.pm')
| -rw-r--r-- | perllib/FixMyStreet/DB/Result/Problem.pm | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/perllib/FixMyStreet/DB/Result/Problem.pm b/perllib/FixMyStreet/DB/Result/Problem.pm index 97f0666e0..4b52cd11d 100644 --- a/perllib/FixMyStreet/DB/Result/Problem.pm +++ b/perllib/FixMyStreet/DB/Result/Problem.pm @@ -201,6 +201,8 @@ use Moo; use namespace::clean -except => [ 'meta' ]; use Utils; use FixMyStreet::Map::FMS; +use FixMyStreet::Template; +use FixMyStreet::Template::SafeString; use LWP::Simple qw($ua); use RABX; use URI; @@ -669,16 +671,16 @@ sub body { my $cache = $problem->result_source->schema->cache; return $cache->{bodies}{$problem->external_body} //= $c->model('DB::Body')->find({ id => $problem->external_body }); } else { - $body = $problem->external_body; + $body = FixMyStreet::Template::html_filter($problem->external_body); } } else { my $bodies = $problem->bodies; my @body_names = sort map { my $name = $_->name; if ($c and FixMyStreet->config('AREA_LINKS_FROM_PROBLEMS')) { - '<a href="' . $_->url . '">' . $name . '</a>'; + '<a href="' . $_->url . '">' . FixMyStreet::Template::html_filter($name) . '</a>'; } else { - $name; + FixMyStreet::Template::html_filter($name); } } values %$bodies; if ( scalar @body_names > 2 ) { @@ -688,7 +690,7 @@ sub body { $body = join( _(' and '), @body_names); } } - return $body; + return FixMyStreet::Template::SafeString->new($body); } @@ -778,17 +780,20 @@ sub can_display_external_id { return 0; } +# This can return HTML and is safe, so returns a FixMyStreet::Template::SafeString sub duration_string { my ( $problem, $c ) = @_; my $body = $c->cobrand->call_hook(link_to_council_cobrand => $problem) || $problem->body($c); my $handler = $c->cobrand->call_hook(get_body_handler_for_problem => $problem); if ( $handler && $handler->call_hook('is_council_with_case_management') ) { - return sprintf(_('Received by %s moments later'), $body); + my $s = sprintf(_('Received by %s moments later'), $body); + return FixMyStreet::Template::SafeString->new($s); } return unless $problem->whensent; - return sprintf(_('Sent to %s %s later'), $body, + my $s = sprintf(_('Sent to %s %s later'), $body, Utils::prettify_duration($problem->whensent->epoch - $problem->confirmed->epoch, 'minute') ); + return FixMyStreet::Template::SafeString->new($s); } sub local_coords { |