Package: movabletype-opensource
Version: 4.2.1-2
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for movabletype-opensource.

CVE-2008-4634[0]:
| Cross-site scripting (XSS) vulnerability in Movable Type 4 through
| 4.21 allows remote attackers to inject arbitrary web script or HTML
| via unknown vectors related to the administrative page, a different
| vulnerability than CVE-2008-4079.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

As the CVE description is not really helpful and most of the 
referenced websites are not in English, I had a look at the 
diff between the two upstream versions (4.21 and 4.22) to 
extract a patch. They fixed a bunch of very minor XSS issues 
in this release; the patch is attached.

Note that some parts of the diff are skipped: it looks 
like upstream fixed the missing escapes with sed and ran it 
multiple times without checking whether the output was already 
escaped. The original diff contains things like:
-    <mt:setvarblock name="page_title"><__trans phrase="Publishing [_1]..." 
params="<mt:var name="blog_name" escape="html">"></mt:setvarblock>
+    <mt:setvarblock name="page_title"><__trans phrase="Publishing [_1]..." 
params="<mt:var name="blog_name" escape="html" escape="html">"></mt:setvarblock>

I didn't include those parts. Caveat: the doubled modifier may be 
deliberate rather than a sed artefact. The Cloner hunk below says 
"double escape to survive decode_html in translate_templatized", and 
listing_panel.tmpl carries an explicit "not a typo" comment, both for 
values placed inside `__trans params="..."`. If the translation layer 
really decodes entities once, dropping those hunks leaves the affected 
page titles escaped only once and therefore still injectable; this 
should be confirmed against MT::Util before the package is uploaded.

Cheers
Nico

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
    http://security-tracker.debian.net/tracker/CVE-2008-4634

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nurad MTOS-4.21-ja/lib/MT/App/ActivityFeeds.pm MTOS-4.22-ja/lib/MT/App/ActivityFeeds.pm
--- MTOS-4.21-ja/lib/MT/App/ActivityFeeds.pm	2008-08-01 03:43:09.000000000 +0200
+++ MTOS-4.22-ja/lib/MT/App/ActivityFeeds.pm	2008-10-13 20:33:35.000000000 +0200
@@ -10,7 +10,7 @@
 use base 'MT::App';
 use MT::Author qw(AUTHOR);
 use MT::Util qw(perl_sha1_digest_hex ts2epoch epoch2ts ts2iso iso2ts
-    encode_html);
+    encode_html encode_url);
 use HTTP::Date qw(time2isoz str2time time2str);
 
 sub id {'feeds'}
@@ -259,7 +259,7 @@
     $param->{loop_entries} = [EMAIL PROTECTED];
     my $str = qq();
     for my $key ( $app->param ) {
-        $str .= "&amp;$key=" . $app->param($key);
+        $str .= "&amp;" . encode_url($key) . "=" . encode_url($app->param($key));
     }
     $str =~ s/^&amp;(.+)$/?$1/;
     $param->{feed_self} = $app->base . $app->app_path . $app->script . $str;
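Review bot: `$app->param($key)` on the changed line is evaluated in scalar context, so a parameter present more than once keeps only its first value in the self link; that predates the fix, but the rewrite is the place to decide whether it is intended. If all values should survive, iterate them: `$str .= "&amp;" . encode_url($key) . "=" . encode_url($_) for $app->param($key);` (assuming MT::App's `param` returns every value in list context like CGI's, which this hunk does not show). The encoding itself is correct provided `encode_url` percent-encodes `&`, `=` and `#`, which is also not visible here. The enclosing sub starts and ends outside the hunk.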
diff -Nurad MTOS-4.21-ja/lib/MT/CMS/Dashboard.pm MTOS-4.22-ja/lib/MT/CMS/Dashboard.pm
--- MTOS-4.21-ja/lib/MT/CMS/Dashboard.pm	2008-07-18 20:30:37.000000000 +0200
+++ MTOS-4.22-ja/lib/MT/CMS/Dashboard.pm	2008-10-13 20:33:35.000000000 +0200
@@ -1,7 +1,7 @@
 package MT::CMS::Dashboard;
 
 use strict;
-use MT::Util qw( epoch2ts );
+use MT::Util qw( epoch2ts encode_html );
 
 sub dashboard {
     my $app = shift;
@@ -136,7 +136,7 @@
     if ($last_post) {
         $param->{last_post_id}      = $last_post->id;
         $param->{last_post_blog_id} = $last_post->blog_id;
-        $param->{last_post_blog_name} = $last_post->blog->name;
+        $param->{last_post_blog_name} = encode_html($last_post->blog->name);
         $param->{last_post_ts}      = $last_post->authored_on;
     }
 
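Review bot: Pre-escaping `last_post_blog_name` in Perl moves the HTML-encoding out of the template, so whichever dashboard template prints it must now output it raw; a second `escape="html"` there would show `&amp;` literally, and any other consumer of `$param` that does not escape stays vulnerable. Record the convention at the assignment: `# already HTML-escaped; the template must not apply escape="html" again`. Note also that `$last_post->blog` is dereferenced without a check, so a last post whose blog was deleted would die here (pre-existing, not introduced by this change). The sub `dashboard` continues past the hunk.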
@@ -1920,7 +1929,7 @@
     my $uri = $app->base . $app->uri( 'mode' => 'view', args => \%args );
     my $script = qq!javascript:d=document;w=window;t='';if(d.selection)t=d.selection.createRange().text;else{if(d.getSelection)t=d.getSelection();else{if(w.getSelection)t=w.getSelection()}}void(w.open('$uri&title='+encodeURIComponent(d.title)+'&text='+encodeURIComponent(d.location.href)+encodeURIComponent('<br/><br/>')+encodeURIComponent(t),'_blank','scrollbars=yes,status=yes,resizable=yes,location=yes'))!;
     # Translate the phrase here to avoid ActivePerl DLL bug.
-    $app->translate('<a href="[_1]">QuickPost to [_2]</a> - Drag this link to your browser\'s toolbar then click it when you are on a site you want to blog about.', encode_html($script), $blog->name);
+    $app->translate('<a href="[_1]">QuickPost to [_2]</a> - Drag this link to your browser\'s toolbar then click it when you are on a site you want to blog about.', encode_html($script), encode_html($blog->name));
 }
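Review bot: `$uri` is interpolated into a single-quoted JavaScript string inside `$script`, and `encode_html($script)` only protects the surrounding `href` attribute, so a `'` or `\` in `$uri` would break out of the JS literal. `$uri` is built from `$app->uri(... args => \%args)` with `%args` assembled outside the hunk; if it can carry anything beyond numeric ids, escape it for the JS context first, e.g. `my $js_uri = MT::Util::encode_js($uri);`, if that helper is available, and interpolate `$js_uri` instead. The new `encode_html($blog->name)` for `[_2]` is the right escape for the anchor text. The enclosing sub starts outside the hunk.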
 
 sub can_view {
diff -Nurad MTOS-4.21-ja/lib/MT/CMS/Tools.pm MTOS-4.22-ja/lib/MT/CMS/Tools.pm
--- MTOS-4.21-ja/lib/MT/CMS/Tools.pm	2008-08-04 13:28:44.000000000 +0200
+++ MTOS-4.22-ja/lib/MT/CMS/Tools.pm	2008-10-13 20:33:35.000000000 +0200
@@ -621,7 +621,7 @@
 
     my @tsnow    = gmtime(time);
     my $metadata = {
-        backup_by => $app->user->name . '(ID: ' . $app->user->id . ')',
+        backup_by => MT::Util::encode_xml($app->user->name, 1) . '(ID: ' . $app->user->id . ')',
         backup_on => sprintf(
             "%04d-%02d-%02dT%02d:%02d:%02d",
             $tsnow[5] + 1900,
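Review bot: The second argument `1` to `MT::Util::encode_xml` is a bare flag whose meaning is not evident at the call site, yet it decides how `backup_by` is serialized into the backup metadata (it appears to choose entity escaping over CDATA wrapping, which matters if the value lands in an attribute). Name it in a comment, adjusted to what the flag actually does: `# 1 = escape entities rather than CDATA-wrap; backup_by must stay a plain attribute value`. The user id concatenated after it is numeric and needs no escaping. The enclosing sub starts and ends outside the hunk.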
diff -Nurad MTOS-4.21-ja/lib/MT/ImportExport.pm MTOS-4.22-ja/lib/MT/ImportExport.pm
--- MTOS-4.21-ja/lib/MT/ImportExport.pm	2008-01-08 22:02:50.000000000 +0100
+++ MTOS-4.22-ja/lib/MT/ImportExport.pm	2008-10-13 20:33:35.000000000 +0200
@@ -13,6 +13,7 @@
 use MT::Category;
 use base qw( MT::ErrorHandler );
 use MT::I18N qw( first_n_text const encode_text );
+use MT::Util qw( encode_html );
 
 use vars qw( $SEP $SUB_SEP );
 $SEP = ('-' x 8);
@@ -135,7 +136,7 @@
                                 } else {
                                     $author->password('(none)');
                                 }
-                                $cb->(MT->translate("Creating new user ('[_1]')...", $val));
+                                $cb->(MT->translate("Creating new user ('[_1]')...", encode_html($val)));
                                 if ($author->save) {
                                     $cb->(MT->translate("ok") . "\n");
                                 } else {
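Review bot: The HTML escaping is applied where the progress message is produced rather than where it is rendered, so ImportExport now hands `&lt;`/`&amp;` to every `$cb` consumer, including any non-HTML caller such as a command-line or log sink. The cleaner layering is to keep these messages plain and apply one `encode_html` in the CMS callback that writes them into the `<pre>` of import_start.tmpl, instead of seven at the producers. If every caller is known to be HTML, state that at the top of the import routine, e.g. `# progress messages are HTML: callbacks must write them into HTML output`, so the next caller does not double-escape. The enclosing sub starts and ends outside the hunk.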
@@ -172,7 +173,7 @@
                                     $cat->label($val);
                                     $cat->author_id($entry->author_id);
                                     $cat->parent(0);
-                                    $cb->(MT->translate("Creating new category ('[_1]')...", $val));
+                                    $cb->(MT->translate("Creating new category ('[_1]')...", encode_html($val)));
                                     if ($cat->save) {
                                         $cb->(MT->translate("ok") . "\n");
                                     } else {
@@ -238,7 +239,7 @@
                             $cb->(MT->translate("Can't find existing entry with timestamp '[_1]'... skipping comments, and moving on to next entry.", $ts) . "\n");
                             next ENTRY_BLOCK;
                         } else {
-                            $cb->(MT->translate("Importing into existing entry [_1] ('[_2]')", $entry->id, $entry->title) . "\n");
+                            $cb->(MT->translate("Importing into existing entry [_1] ('[_2]')", $entry->id, encode_html($entry->title)) . "\n");
                         }
                     }
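Review bot: In this hunk the sibling message `Can't find existing entry with timestamp '[_1]'` still interpolates `$ts` unescaped while the fixed line now escapes `$entry->title`; `$ts` is parsed from the import file, the same untrusted source as the titles. Give it the same treatment: `$cb->(MT->translate("Can't find existing entry with timestamp '[_1]'... skipping comments, and moving on to next entry.", encode_html($ts)) . "\n");`. The enclosing sub starts and ends outside the hunk.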
 
@@ -370,7 +371,7 @@
 
                     ## Save entry.
                     unless ($no_save) {
-                        $cb->(MT->translate("Saving entry ('[_1]')...", $entry->title));
+                        $cb->(MT->translate("Saving entry ('[_1]')...", encode_html($entry->title)));
                         if ($entry->save) {
                             $cb->(MT->translate("ok (ID [_1])", $entry->id) . "\n");
                         } else {
@@ -426,7 +427,7 @@
                     ## Save comments.
                     for my $comment (@comments) {
                         $comment->entry_id($entry->id);
-                        $cb->(MT->translate("Creating new comment (from '[_1]')...", $comment->author));
+                        $cb->(MT->translate("Creating new comment (from '[_1]')...", encode_html($comment->author)));
                         if ($comment->save) {
                             $cb->(MT->translate("ok (ID [_1])", $comment->id) . "\n");
                         } else {
@@ -443,7 +444,7 @@
                                 "Entry has no MT::Trackback object!"));
                         for my $ping (@pings) {
                             $ping->tb_id($tb->id);
-                            $cb->(MT->translate("Creating new ping ('[_1]')...", $ping->title));
+                            $cb->(MT->translate("Creating new ping ('[_1]')...", encode_html($ping->title)));
                             if ($ping->save) {
                                 $cb->(MT->translate("ok (ID [_1])", $ping->id) . "\n");
                             } else {
diff -Nurad MTOS-4.21-ja/lib/MT/Sanitize.pm MTOS-4.22-ja/lib/MT/Sanitize.pm
--- MTOS-4.21-ja/lib/MT/Sanitize.pm	2008-01-08 22:02:50.000000000 +0100
+++ MTOS-4.22-ja/lib/MT/Sanitize.pm	2008-10-13 20:33:35.000000000 +0200
@@ -106,7 +106,7 @@
                                 $dec_val =~ s/&#0*58(?:=;|[^0-9])/:/;
                                 $dec_val =~ s/&#x0*3[Aa](?:=;|[^a-fA-F0-9])/:/;
 
-                                if ((my $prot) = $dec_val =~ m/^(.+?):/) {
+                                if ((my $prot) = $dec_val =~ m/^([\s\S]+?):/) {
                                     next if $prot =~ m/[\r\n\t]/;
                                     $prot =~ s/\s+//gs;
                                     next if $prot =~ m/[^a-zA-Z0-9\+]/;
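Review bot: The idiomatic Perl form of the new pattern is `.+?` under the `/s` modifier rather than the JavaScript-style `[\s\S]+?`: `if ((my $prot) = $dec_val =~ m/^(.+?):/s) {`. A comment should also record why the match must span newlines: with the old regex a value such as `java\nscript:...` never matched at all, so the protocol checks below were skipped instead of rejecting the attribute; the `[\r\n\t]` and non-alphanumeric tests only run once the colon has been found. A regression test feeding a newline before the colon through MT::Sanitize would pin this. The enclosing loop starts and ends outside the hunk.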
diff -Nurad MTOS-4.21-ja/plugins/Cloner/cloner.pl MTOS-4.22-ja/plugins/Cloner/cloner.pl
--- MTOS-4.21-ja/plugins/Cloner/cloner.pl	2008-01-08 22:02:50.000000000 +0100
+++ MTOS-4.22-ja/plugins/Cloner/cloner.pl	2008-10-13 20:33:36.000000000 +0200
@@ -13,6 +13,7 @@
 use strict;
 use MT 4;
 use base 'MT::Plugin';
+use MT::Util qw( encode_html );
 our $VERSION = '2.0';
 
 my $plugin = MT::Plugin::Cloner->new({
@@ -62,8 +63,8 @@
     my $blog_id = shift @id;
     my $blog = MT::Blog->load($blog_id)
         or return $app->error($plugin->translate("Invalid blog_id"));
-    require MT::Util;
-    my $blog_name = MT::Util::encode_html($blog->name);
+    # double escape to survive decode_html in translate_templatized
+    my $blog_name = encode_html(encode_html($blog->name, 1), 1);
 
     # Set up and commence app output
     $app->{no_print_body} = 1;
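Review bot: The correctness of the double `encode_html` now depends on `translate_templatized` decoding exactly once and on what the second argument does, and the new comment states neither. If the `1` is MT::Util's allow-double-encoding flag, which the call shape suggests, write `# encode twice and force re-encoding of existing entities: translate_templatized decodes HTML entities once, so a single encode would reach the page raw`. Because the invariant lives in another module, a test that clones a blog named `<script>` and checks the rendered title would catch a future change in the decode behaviour. The enclosing sub starts and ends outside the hunk.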
diff -Nurad MTOS-4.21-ja/tmpl/cms/edit_role.tmpl MTOS-4.22-ja/tmpl/cms/edit_role.tmpl
--- MTOS-4.21-ja/tmpl/cms/edit_role.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/edit_role.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -256,7 +256,7 @@
                 id="created_by"
                 label="<__trans phrase="Created by">"
                 hint="">
-                <p><mt:if name="created_by"><mt:var name="created_by"><mt:else><em><__trans phrase="System"></em></mt:if></p>
+                <p><mt:if name="created_by"><mt:var name="created_by" escape="html"><mt:else><em><__trans phrase="System"></em></mt:if></p>
             </mtapp:setting>
         </mt:if>
     </fieldset>
diff -Nurad MTOS-4.21-ja/tmpl/cms/error.tmpl MTOS-4.22-ja/tmpl/cms/error.tmpl
--- MTOS-4.21-ja/tmpl/cms/error.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/error.tmpl	2008-10-13 20:32:54.000000000 +0200
@@ -23,6 +23,8 @@
                 type="submit"
                 <mt:if name="dialog">
                 onclick="if ( window.opener ) { window.close(); } else { window.parent.closeDialog('<mt:var name="link" escape="js">'); }; return false;"
+                <mt:elseif name="fs">
+                onclick="window.location='<mt:var name="link" escape="js">'; return false;"
                 <mt:else>
                 onclick="if ( window.opener ) { window.opener.location.href='<mt:var name="link" escape="js">'; window.close(); } else { window.open('<mt:var name="link" escape="js">') }; return false;"
                 </mt:if>
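Review bot: The new `fs` branch repeats its siblings' pattern: `link` is JS-escaped but then placed inside a double-quoted HTML `onclick` attribute, and the browser decodes the attribute before the script runs, so a `"` in `link` terminates the attribute unless `escape="js"` happens to convert it. If repeated modifiers are applied in order, as the doubled `escape="html"` elsewhere in this patch suggests, `onclick="window.location='<mt:var name="link" escape="js" escape="html">'; return false;"` covers both contexts. Whether `link` can ever carry a quote depends on how it is built, which is outside this template.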
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/asset_table.tmpl MTOS-4.22-ja/tmpl/cms/include/asset_table.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/asset_table.tmpl	2008-01-15 04:27:31.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/include/asset_table.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -71,7 +71,7 @@
                     <mt:var name="file_size">
     </mt:if>
                 </td>
-                <td class="as-created-by"><mt:if name="created_by"><mt:var name="created_by"><mt:else><em><__trans phrase="System"></em></mt:if></td>
+                <td class="as-created-by"><mt:if name="created_by"><mt:var name="created_by" escape="html"><mt:else><em><__trans phrase="System"></em></mt:if></td>
                 <td><span title="<mt:var name="created_on_formatted">"><mt:if name="created_on_relative"><mt:if name="dates_relative"><mt:var name="created_on_relative"><mt:else><mt:var name="created_on_formatted"></mt:if><mt:else><mt:var name="created_on_formatted"></mt:if></span></td>
                 <td class="si status-view"><mt:if name="url"><a href="<mt:var name="url">" target="view_uploaded" title="<__trans phrase="View">"><img src="<mt:var name="static_uri">images/spacer.gif" alt="<__trans phrase="View">" width="13" height="9" /></a><mt:else>&nbsp;</mt:if></td>
             </tr>
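Review bot: The context line just below the fix emits the asset URL raw into an attribute, `<a href="<mt:var name="url">" target="view_uploaded" ...>`; a stored URL containing `"` would break out of it, in the same row that now escapes `created_by`. Escape it for attribute context: `<a href="<mt:var name="url" escape="html">" ...>`. Whether the URL is attacker-influenced depends on how uploaded filenames are sanitized, which is not visible here.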
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/comment_detail.tmpl MTOS-4.22-ja/tmpl/cms/include/comment_detail.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/comment_detail.tmpl	2008-07-03 04:52:55.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/include/comment_detail.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -5,9 +5,9 @@
                <span class="byline">
                             <$mt:CommentAuthorIdentity$>
         <mt:IfCommentParent>
-                            <__trans phrase="[_1] replied to <a href="[_2]">comment from [_3]</a>" params="<span class="vcard author"><$mt:CommentAuthorLink$></span>%%<mt:CommentParent><$mt:CommentLink$></mt:CommentParent>%%<mt:CommentParent><$mt:CommentAuthor$></mt:CommentParent>">
+                            <__trans phrase="[_1] replied to <a href="[_2]">comment from [_3]</a>" params="<span class="vcard author"><$mt:CommentAuthorLink escape="html"$></span>%%<mt:CommentParent><$mt:CommentLink$></mt:CommentParent>%%<mt:CommentParent><$mt:CommentAuthor escape="html"$></mt:CommentParent>">
         <mt:Else>
-                            <span class="vcard author"><$mt:CommentAuthorLink$></span>
+                            <span class="vcard author"><$mt:CommentAuthorLink escape="html"$></span>
         </mt:IfCommentParent>
                             | <a href="<$mt:CommentLink$>"><abbr class="published" title="<$mt:CommentDate format_name="iso8601"$>"><$mt:CommentDate$></abbr></a>
         <mt:IfCommentsAccepted>
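Review bot: On the `<mt:Else>` branch `<$mt:CommentAuthorLink escape="html"$>` is placed directly in the page, not inside a `__trans params=`, so there is no translation-layer decode to undo the escaping; if CommentAuthorLink emits an `<a href=...>` element when the commenter supplied a URL, that markup will now appear as literal text. The fix that does not depend on the tag's output shape is to escape the author name and URL inside the CommentAuthorLink handler (not part of this patch) and leave the template call bare. Rendering a comment that has a URL would confirm which of the two happens before this ships.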
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/entry_table.tmpl MTOS-4.22-ja/tmpl/cms/include/entry_table.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/entry_table.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/include/entry_table.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -168,9 +168,9 @@
                 <td class="author">
             <mt:if name="is_editable">
                     <input type="hidden" name="author_id_<$mt:var name="id"$>" value="<$mt:var name="row_author_id"$>" id="entry_author_id_<$mt:var name="id"$>">
-                    <a href="javascript:void(0)" onclick="return openDialog(this.form, 'dialog_select_author', 'blog_id=<$mt:var name="blog_id"$>&amp;multi=0&amp;idfield=entry_author_id_<$mt:var name="id"$>&amp;namefield=entry_author_name_<$mt:var name="id"$>')"><span id="entry_author_name_<$mt:var name="id"$>"><$mt:var name="row_author_name"$></span></a>
+                    <a href="javascript:void(0)" onclick="return openDialog(this.form, 'dialog_select_author', 'blog_id=<$mt:var name="blog_id"$>&amp;multi=0&amp;idfield=entry_author_id_<$mt:var name="id"$>&amp;namefield=entry_author_name_<$mt:var name="id"$>')"><span id="entry_author_name_<$mt:var name="id"$>"><$mt:var name="row_author_name" escape="html"$></span></a>
             <mt:else>
-                    <$mt:var name="author_name"$>
+                    <$mt:var name="author_name" escape="html"$>
             </mt:if>
                 </td>
         <mt:unless name="blog_view">
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/header.tmpl MTOS-4.22-ja/tmpl/cms/include/header.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/header.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/include/header.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -91,7 +91,7 @@
     </mt:loop>
     </mt:unless>
             <li id="help" class="help"><a href="javascript:void(0)" onclick="openManual('<mt:var name="template_filename" escape="js">')"><__trans phrase="Help"></a></li>
-            <li id="user"><a href="<$mt:var name="mt_url"$>?__mode=view&amp;_type=author&amp;id=<$mt:var name="author_id"$>"><__trans phrase="Hi [_1]," params="<$mt:var name="author_name"$>"></a></li>
+            <li id="user"><a href="<$mt:var name="mt_url"$>?__mode=view&amp;_type=author&amp;id=<$mt:var name="author_id"$>"><__trans phrase="Hi [_1]," params="<$mt:var name="author_name" escape="html" escape="html"$>"></a></li>
         <mt:if name="can_logout">
             <li id="logout"><a href="<$mt:var name="mt_url"$>?__mode=logout"><__trans phrase="Logout"></a></li>
         </mt:if>
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/import_start.tmpl MTOS-4.22-ja/tmpl/cms/include/import_start.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/import_start.tmpl	2007-12-12 02:47:58.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/include/import_start.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -11,5 +11,5 @@
 <div id="progress-bar"><img src="<mt:var name="static_uri">images/indeterminate-progress-bar.gif" alt="" height="24" width="124" /></div>
 
 <pre><__trans phrase="Importing entries into blog" params="<mt:var name="blog_name" escape="html">">
-<mt:if name="import_as_me"><__trans phrase="Importing entries as user '[_1]'" params="<mt:var name="author_name">"><mt:else><__trans phrase="Creating new users for each user found in the blog"></mt:if>
+<mt:if name="import_as_me"><__trans phrase="Importing entries as user '[_1]'" params="<mt:var name="author_name" escape="html" escape="html">"><mt:else><__trans phrase="Creating new users for each user found in the blog"></mt:if>
 
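Review bot: Within the same `<pre>`, `blog_name` on the context line is escaped once inside `__trans params=` while the fixed line gives `author_name` two escapes; the preamble says the single-escape hunks were dropped as suspected sed artefacts, but the "not a typo" comment in listing_panel.tmpl and the Cloner comment about `translate_templatized` decoding once indicate the second escape is what keeps `params=` values escaped after translation. If that is right, `blog_name` here still reaches the page raw; apply `params="<mt:var name="blog_name" escape="html" escape="html">"` and restore the other dropped hunks of the same form.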
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/list_associations/page_title.tmpl MTOS-4.22-ja/tmpl/cms/include/list_associations/page_title.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/list_associations/page_title.tmpl	2007-12-12 02:47:58.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/include/list_associations/page_title.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -1,5 +1,5 @@
     <mt:if name="user_view">
-        <mt:setvarblock name="page_title"><__trans phrase="Permissions for [_1]" params="<mt:var name="edit_name" escape="html">"></mt:setvarblock>
+        <mt:setvarblock name="page_title"><__trans phrase="Permissions for [_1]" params="<mt:var name="edit_name" escape="html" escape="html">"></mt:setvarblock>
     </mt:if>
     <mt:if name="usergroup_view">
         <mt:setvarblock name="page_title"><__trans phrase="Permissions: System-wide"></mt:setvarblock>
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/listing_panel.tmpl MTOS-4.22-ja/tmpl/cms/include/listing_panel.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/listing_panel.tmpl	2007-12-12 02:47:58.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/include/listing_panel.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -61,10 +61,11 @@
     <mt:loop name="object_loop">
                             <tr id="<mt:var name="panel_type">-<mt:var name="id">" class="<mt:if name="__odd__">odd<mt:else>even</mt:if>">
                                 <td class="cb"><input type="<mt:if name="panel_multi">checkbox<mt:else>radio</mt:if>" class="select" name="<mt:var name="panel_type">-cb" value="<mt:var name="id">" <mt:if name="disabled">disabled="disabled"</mt:if> /></td>
-                                <td class="panel-label"><label><mt:var name="label"></label></td>
+                                <td class="panel-label"><label><mt:var name="label" escape="html"></label></td>
                                 <td class="panel-description">
-                                    <mt:if name="link"><span class="view-site-link"><a href="<mt:var name="link" escape="html">" target="_blank"><img src="<mt:var name="static_uri">images/spacer.gif" title="<__trans phrase="Go to [_1]" params="<mt:var name="label" escape="html">">" width="13" height="9" alt="" /></a></span></mt:if>
-                                    <mt:if name="link"><span class="float_desc"></mt:if><mt:var name="description"><mt:if name="link"></span></mt:if>
+<mt:Ignore><!-- No, the duplicate escape modifiers below is not a typo. --></mt:Ignore>
+                                    <mt:if name="link"><span class="view-site-link"><a href="<mt:var name="link" escape="html">" target="_blank"><img src="<mt:var name="static_uri">images/spacer.gif" title="<__trans phrase="Go to [_1]" params="<mt:var name="label" escape="html" escape="html">">" width="13" height="9" alt="" /></a></span></mt:if>
+                                    <mt:if name="link"><span class="float_desc"></mt:if><mt:var name="description" escape="html"><mt:if name="link"></span></mt:if>
                                 </td>
                             </tr>
     </mt:loop>
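Review bot: The `<mt:Ignore>` comment asserts that the doubled modifier is deliberate but not why, which is exactly what the next maintainer needs before "fixing" it again; the Cloner hunk in this same patch gives the reason. Expand it to `<mt:Ignore><!-- The duplicate escape="html" below is deliberate: __trans params are HTML-decoded once by the translation layer, so a single escape would reach the page raw. --></mt:Ignore>`. `description` on the last changed line is now escaped too, which flattens any markup intentionally stored in descriptions; confirm that is acceptable for every panel using this include.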
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/log_table.tmpl MTOS-4.22-ja/tmpl/cms/include/log_table.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/log_table.tmpl	2007-12-12 02:48:53.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/include/log_table.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -22,7 +22,7 @@
     <mt:if name="system_overview_nav">
             <td class="weblog"><a href="<$mt:var name="script_url"$>?__mode=view_log&amp;blog_id=<$mt:var name="blog_id"$>"><$mt:var name="weblog_name" escape="html"$></a></td>
     </mt:if>
-            <td class="action-by"><mt:if name="username"><$mt:var name="username"$><mt:else><__trans phrase="[_1]" params="<$mt:var name="log_ip"$>"></mt:if></td>
+            <td class="action-by"><mt:if name="username"><$mt:var name="username" escape="html"$><mt:else><__trans phrase="[_1]" params="<$mt:var name="log_ip"$>"></mt:if></td>
             <td class="date"><mt:if name="is_last"><a name="last"></a></mt:if><span title="<$mt:var name="created_on_formatted"$>"><mt:if name="created_on_relative"><mt:if name="dates_relative"><$mt:var name="created_on_relative"$><mt:else><$mt:var name="created_on_formatted"$></mt:if><mt:else><$mt:var name="created_on_formatted"$></mt:if></span></td>
         </tr>
     <mt:if name="log_detail">
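Review bot: On the fixed line the `<mt:else>` branch still passes `log_ip` through `__trans params=` unescaped; the value is whatever the log record stored, and if the logger records proxy headers such as X-Forwarded-For rather than the socket address it is attacker-supplied. Treat it like the username, with the double escape this patch uses for `params=` values: `params="<$mt:var name="log_ip" escape="html" escape="html"$>"`.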
diff -Nurad MTOS-4.21-ja/tmpl/cms/include/template_table.tmpl MTOS-4.22-ja/tmpl/cms/include/template_table.tmpl
--- MTOS-4.21-ja/tmpl/cms/include/template_table.tmpl	2008-08-01 02:45:56.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/include/template_table.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -24,19 +24,19 @@
     <mt:unless name="template_type" eq="system"><mt:unless name="template_type" eq="email">
     <mt:if name="template_type" eq="index">
         <a href="javascript:void(0)"
-            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_index_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
+            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type" default="template"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_index_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
             accesskey="a"
             title="<__trans phrase="Publish selected templates (a)">"
             ><__trans phrase="Publish"></a>
     <mt:else if name="template_type" eq="archive">
         <a href="javascript:void(0)"
-            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_archive_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
+            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type" default="template" escape="html"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_archive_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
             accesskey="a"
             title="<__trans phrase="Publish selected templates (a)">"
             ><__trans phrase="Publish"></a>
     </mt:if>
     <a href="javascript:void(0)"
-        onclick="doRemoveItems(getByID('<$mt:var name="template_type"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">'); return false;"
+        onclick="doRemoveItems(getByID('<$mt:var name="template_type" default="template"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">'); return false;"
         accesskey="x"
         title="<__trans phrase="Delete selected [_1] (x)" params="<$mt:var name="object_label_plural"$>">"
         ><__trans phrase="Delete"></a>
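Review bot: The three `getByID('<$mt:var name="template_type" ...$>-listing-form')` lines in this hunk are escaped inconsistently: the first and third only add `default="template"`, the second adds `escape="html"`, yet all three interpolate into a single-quoted JavaScript string inside an `onclick` attribute, where HTML escaping does not neutralise `'` or `\`. Use one treatment on all three, e.g. `<$mt:var name="template_type" default="template" escape="js" escape="html"$>` if repeated modifiers are applied in order. `template_type` is probably drawn from a fixed set, so the exposure is low, but the inconsistency will be copied.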
@@ -73,7 +73,7 @@
         </thead>
         <tbody>
     </mt:if>
-            <tr class="<mt:if name="__odd__">odd<mt:else>even</mt:if> template-<$mt:var name="template_type"$>">
+            <tr class="<mt:if name="__odd__">odd<mt:else>even</mt:if> template-<$mt:var name="template_type" default="template" escape="html"$>">
                 <td class="cb"><input type="checkbox" name="id" class="select" value="<mt:var name="id">" /></td>
                 <td class="template-name"><a href="<mt:var name="script_url">?__mode=view&amp;_type=template&amp;id=<mt:var name="id">&amp;blog_id=<mt:var name="blog_id">"><mt:var name="name" escape="html"></a></td>
     <mt:if name="template_type" like="/(index|archive)/">
@@ -137,7 +137,7 @@
         </tbody>
     </mt:if>
 <mt:else>
-    <div id="<$mt:var name="template_type"$>-listing" class="listing zero-state-listing zero-state">
+    <div id="<$mt:var name="template_type" default="template" escape="html"$>-listing" class="listing zero-state-listing zero-state">
         <div class="listing-header">
             <$mt:var name="listing_header"$>
         </div>
diff -Nurad MTOS-4.21-ja/tmpl/cms/list_comment.tmpl MTOS-4.22-ja/tmpl/cms/list_comment.tmpl
--- MTOS-4.21-ja/tmpl/cms/list_comment.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/list_comment.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -162,7 +162,7 @@
                     <!-- <a href="javascript:void(0)" onclick="toggleFilter()" class="filter-link">[ <__trans phrase="change"> ]</a> -->
             <mt:else>
                 <mt:if name="filter_key">
-                    <strong><__trans phrase="Showing only: [_1]" params="<mt:var name="filter_label">"></strong>
+                    <strong><__trans phrase="Showing only: [_1]" params="<mt:var name="filter_label" escape="html" escape="html">"></strong>
                     <!-- <a href="javascript:void(0)" onclick="toggleFilter()" class="filter-link">[ <__trans phrase="change"> ]</a> -->
                 <mt:else>
                     <strong>
diff -Nurad MTOS-4.21-ja/tmpl/cms/list_ping.tmpl MTOS-4.22-ja/tmpl/cms/list_ping.tmpl
--- MTOS-4.21-ja/tmpl/cms/list_ping.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/list_ping.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -153,10 +153,10 @@
                 <a href="javascript:void(0)" onclick="toggleFilter()" class="filter-link">[ <__trans phrase="change"> ]</a>
             <mt:else>
                 <mt:if name="filter_special">  
-                <strong><__trans phrase="Showing only: [_1]" params="<$mt:var name="filter_phrase"$>"></strong>  
+                <strong><__trans phrase="Showing only: [_1]" params="<$mt:var name="filter_phrase" escape="html"$>"></strong>  
 
                 <mt:else><mt:if name="filter_key">
-                <strong><__trans phrase="Showing only: [_1]" params="<mt:var name="filter_label">"></strong>
+                <strong><__trans phrase="Showing only: [_1]" params="<mt:var name="filter_label">" escape="html"></strong>
                 <mt:else>
                 <strong><a href="javascript:void(0)" onclick="toggleFilter()">
                     <__trans phrase="[_1] where [_2] is [_3]" params='<$mt:var name="object_label_plural"$>%%<span id="filter-text-col">&nbsp;</span>%%<span id="filter-text-val"></span>'>
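Review bot: On the second changed line the modifier landed on the wrong tag: `params="<mt:var name="filter_label">" escape="html">` closes the `params` attribute and hands `escape="html"` to `__trans`, so `filter_label` itself is still emitted unescaped (and the whole translated phrase may get escaped instead, depending on whether `__trans` honours it). The parallel line in list_comment.tmpl in this same patch shows the intended form: `params="<mt:var name="filter_label" escape="html" escape="html">"`. The first changed line (`filter_phrase`) escapes only once inside `params=`; if the translation layer decodes once, it needs the second escape as well.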
diff -Nurad MTOS-4.21-ja/tmpl/cms/list_role.tmpl MTOS-4.22-ja/tmpl/cms/list_role.tmpl
--- MTOS-4.21-ja/tmpl/cms/list_role.tmpl	2008-07-15 19:09:34.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/list_role.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -73,7 +73,7 @@
             <td><mt:var name="description" escape="html"></td>
             <td><mt:var name="members"></td>
             <td><mt:var name="weblogs"></td>
-            <td><mt:if name="created_by"><mt:var name="created_by"><mt:else><em><__trans phrase="System"></em></mt:if></td>
+            <td><mt:if name="created_by"><mt:var name="created_by" escape="html"><mt:else><em><__trans phrase="System"></em></mt:if></td>
         </tr>
     <mt:if name="view_expanded">
         <tr class="<mt:if name="__odd__">odd<mt:else>even</mt:if> slave<mt:unless name="members"> inactive</mt:unless>">
diff -Nurad MTOS-4.21-ja/tmpl/cms/list_template.tmpl MTOS-4.22-ja/tmpl/cms/list_template.tmpl
--- MTOS-4.21-ja/tmpl/cms/list_template.tmpl	2008-06-20 04:32:32.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/list_template.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -20,6 +20,7 @@
             <li id="system-tab"><a href="<mt:var name="script_url">?__mode=list&amp;_type=template#system" onclick="showTable('system-listing');"><__trans phrase="System Templates"></a></li>
         </mt:if>
         </ul>
+        <$mtapp:ListFilters$>
     </mtapp:widget>
     <mtapp:widget
         id="useful-links"
@@ -69,7 +70,7 @@
 var tableSelect = [];
 function init() {
 <mt:loop name="template_type_loop">
-    tableSelect.push(new TC.TableSelect( '<mt:var name="template_type">-listing-table' ));
+    tableSelect.push(new TC.TableSelect( '<mt:var name="template_type" escape="html">-listing-table' ));
     tableSelect[tableSelect.length-1].rowSelect = true;
 </mt:loop>
     var name = (window.location.hash && window.location.hash.match( /^#/ ) ) ? window.location.hash.substr(1) : "all";
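Review bot: The changed line is a JavaScript statement inside `function init()`, not HTML, so `escape="html"` is the wrong encoder: a `'` in `template_type` is not neutralised by HTML escaping, and `<` becoming `&lt;` is equally wrong inside a string literal. Use the JS escaper: `tableSelect.push(new TC.TableSelect( '<mt:var name="template_type" escape="js">-listing-table' ));`. `template_type` likely comes from a fixed list, but the listing-form ids built from it elsewhere in this patch are escaped differently again, so one consistent rule is worth settling.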
diff -Nurad MTOS-4.21-ja/tmpl/cms/widget/blog_stats_comment.tmpl MTOS-4.22-ja/tmpl/cms/widget/blog_stats_comment.tmpl
--- MTOS-4.21-ja/tmpl/cms/widget/blog_stats_comment.tmpl	2008-05-29 19:22:39.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/widget/blog_stats_comment.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -37,7 +37,7 @@
                     <$MTCommentBody$>
                 </div>
                 <div class="comment-meta">
-                    <__trans phrase="[_1] [_2], [_3] on [_4]" params="<MTIfNonEmpty tag="CommentAuthorIdentity"><$MTCommentAuthorIdentity$></MTIfNonEmpty>%%<$MTCommentAuthorLink default_name="Anonymous"$>%%<$MTCommentDate relative="1"$>%%<MTCommentEntry><MTEntryAuthorID setvar="entry_author_id"><MTIf name="editable"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=<$MTEntryClass lower_case="1"$>&amp;id=<$MTEntryID$>&amp;blog_id=<$MTEntryBlogID$>"><$MTEntryTitle remove_html="1" encode_html="1" _default="..."$></a><MTElse name="author_id" eq="$entry_author_id"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=<$MTEntryClass lower_case="1"$>&amp;id=<$MTEntryID$>&amp;blog_id=<$MTEntryBlogID$>"><$MTEntryTitle$></a><MTElse><$MTEntryTitle remove_html="1" encode_html="1" _default="..."$></MTIf></MTCommentEntry>">
+                    <__trans phrase="[_1] [_2], [_3] on [_4]" params="<MTIfNonEmpty tag="CommentAuthorIdentity"><$MTCommentAuthorIdentity$></MTIfNonEmpty>%%<$MTCommentAuthorLink default_name="Anonymous" escape="html"$>%%<$MTCommentDate relative="1"$>%%<MTCommentEntry><MTEntryAuthorID setvar="entry_author_id"><MTIf name="editable"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=<$MTEntryClass lower_case="1"$>&amp;id=<$MTEntryID$>&amp;blog_id=<$MTEntryBlogID$>"><$MTEntryTitle remove_html="1" encode_html="1" _default="..."$></a><MTElse name="author_id" eq="$entry_author_id"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=<$MTEntryClass lower_case="1"$>&amp;id=<$MTEntryID$>&amp;blog_id=<$MTEntryBlogID$>"><$MTEntryTitle$></a><MTElse><$MTEntryTitle remove_html="1" encode_html="1" _default="..."$></MTIf></MTCommentEntry>">
                     <MTIf name="editable">(<a href="<mt:var name="script_url">?__mode=view&amp;_type=comment&amp;id=<$MTCommentID$>&amp;blog_id=<$MTCommentBlogID$>"><__trans phrase="Edit Comment"></a>)<MTElse name="author_id" eq="$entry_author_id">(<a href="<mt:var name="script_url">?__mode=view&amp;_type=comment&amp;id=<$MTCommentID$>&amp;blog_id=<$MTCommentBlogID$>"><__trans phrase="Edit Comment"></a>)</MTIf>
                 </div>
             </div>
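Review bot: On the changed line the `<MTElse name="author_id" eq="$entry_author_id">` branch still emits a bare `<$MTEntryTitle$>`, while its two sibling branches use `remove_html="1" encode_html="1"`; entry titles are author-supplied, and the whole expression sits inside the double-quoted `params` attribute of `__trans`, so an unescaped `"` or `<` there breaks out of the attribute. Change it to `<$MTEntryTitle remove_html="1" encode_html="1" _default="..."$>` to match the other branches. Separately, `MTCommentAuthorLink` by its name appears to emit anchor markup; if it does, `escape="html"` turns that markup into literal `&lt;a ...&gt;` text in the widget instead of a link, so check the rendered dashboard and, if the link is wanted, escape the author name inside the tag's implementation instead.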
diff -Nurad MTOS-4.21-ja/tmpl/cms/widget/blog_stats_entry.tmpl MTOS-4.22-ja/tmpl/cms/widget/blog_stats_entry.tmpl
--- MTOS-4.21-ja/tmpl/cms/widget/blog_stats_entry.tmpl	2008-01-22 03:03:38.000000000 +0100
+++ MTOS-4.22-ja/tmpl/cms/widget/blog_stats_entry.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -34,25 +34,26 @@
         <MTEntries>
             <div id="entry-<$MTEntryID$>" class="entry entry-<mt:if name="__odd__">odd<mt:else>even</mt:if> entry-status-<MTEntryStatus lower_case="1">">
                 <div class="entry-inner">
-                    <div class="entry-title"><MTEntryAuthorID setvar="entry_author_id"><MTSetVarBlock name="entry_title"><MTIfNonEmpty tag="MTEntryTitle"><$MTEntryTitle$><MTElse><__trans phrase="..."></MTIfNonEmpty></MTSetVarBlock>
+                    <div class="entry-title"><MTEntryAuthorID setvar="entry_author_id"><MTSetVarBlock name="entry_title"><MTIfNonEmpty tag="MTEntryTitle"><$MTEntryTitle escape="html"$><MTElse><__trans phrase="..."></MTIfNonEmpty></MTSetVarBlock>
                         <h4><MTIf name="editable"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=entry&amp;id=<$MTEntryID$>&amp;blog_id=<$MTBlogID$>"><MTGetVar name="entry_title"></a><MTElse name="author_id" eq="$entry_author_id"><a href="<$mt:var name="script_url"$>?__mode=view&amp;_type=entry&amp;id=<$MTEntryID$>&amp;blog_id=<$MTBlogID$>"><MTGetVar name="entry_title"></a><MTElse><MTGetVar name="entry_title"></MTIf></h4>
                     </div>
                     <div class="entry-content">
-                        <p><$MTEntryExcerpt$></p>
+                        <p><$MTEntryExcerpt escape="html"$></p>
                     </div>
                     <div class="entry-meta">
                     <MTIfNonEmpty tag="MTEntryAuthorDisplayName">
-                        <mt:setvarblock name="entry_author"><$MTEntryAuthorLink show_email="0"$></mt:setvarblock>
+                        <mt:setvarblock name="entry_author"><$MTEntryAuthorLink show_email="0" escape="html"$></mt:setvarblock>
                     <MTElse>
-                        <mt:setvarblock name="entry_author"><$MTEntryAuthorUsername$></mt:setvarblock>
+                        <mt:setvarblock name="entry_author"><$MTEntryAuthorUsername escape="html"$></mt:setvarblock>
                     </MTIfNonEmpty>
                     <MTIfNonEmpty tag="EntryCategory">
-                        <__trans phrase="Posted by [_1] [_2] in [_3]" params="<$mt:var name="entry_author"$>%%<$MTEntryDate relative="1"$>%%<MTEntryCategories glue=", "><MTIf name="editable"><a href="<mt:var name="script_url">?__mode=list_entry&amp;blog_id=<$MTBlogID$>&amp;filter=category_id&amp;filter_val=<$MTCategoryID$>"><$MTCategoryLabel$></a><MTElse><$MTCategoryLabel$></MTIf></MTEntryCategories>">
+                        <__trans phrase="Posted by [_1] [_2] in [_3]" params="<$mt:var name="entry_author" escape="html"$>%%<$MTEntryDate relative="1"$>%%<MTEntryCategories glue=", "><MTIf name="editable"><a href="<mt:var name="script_url">?__mode=list_entry&amp;blog_id=<$MTBlogID$>&amp;filter=category_id&amp;filter_val=<$MTCategoryID$>"><$MTCategoryLabel$></a><MTElse><$MTCategoryLabel$></MTIf></MTEntryCategories>">
                     <MTElse>
-                        <__trans phrase="Posted by [_1] [_2]" params="<$mt:var name="entry_author"$>%%<$MTEntryDate relative="1"$>">
+                        <__trans phrase="Posted by [_1] [_2]" params="<$mt:var name="entry_author" escape="html"$>%%<$MTEntryDate relative="1"$>">
                     </MTIfNonEmpty>
                     <MTEntryIfTagged>
-                        <__trans phrase="Tagged: [_1]" params="<MTEntryTags glue=", "><MTIf name="editable"><a href="<mt:var name="script_url">?__mode=list_entries<MTIfNonEmpty tag="MTBlogID">&amp;blog_id=<$MTBlogID$></MTIfNonEmpty>&amp;filter=exacttag&amp;filter_val=<$MTTagName escape="url"$>" rel="tag"><$MTTagName$></a><MTElse><$MTTagName$></MTIf></MTEntryTags>">
+                        <mt:SetVarBlock name="tags"><MTEntryTags glue=", "><MTIf name="editable"><a href="<mt:var name="script_url">?__mode=list_entries<MTIfNonEmpty tag="MTBlogID">&amp;blog_id=<$MTBlogID$></MTIfNonEmpty>&amp;filter=exacttag&amp;filter_val=<$MTTagName escape="url"$>" rel="tag"><$MTTagName escape="html"$></a><MTElse><$MTTagName escape="html"$></MTIf></MTEntryTags></mt:SetVarBlock>
+                        <__trans phrase="Tagged: [_1]" params="<mt:var name="tags" escape="html">">
                     </MTEntryIfTagged>
                     </div>
                 </div>
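Review bot: The two added lines for tags double-escape: `tags` is built from `<$MTTagName escape="html"$>` wrapped in literal `<a href=...>` markup, then passed as `<mt:var name="tags" escape="html">`, which encodes the anchors to `&lt;a ...&gt;` and turns an already-escaped name such as `&amp;` into `&amp;amp;`. Because every value placed into `tags` is escaped at the point it is emitted, the outer pass should be dropped: `<__trans phrase="Tagged: [_1]" params="<mt:var name="tags">">`. The same pattern applies to `entry_author`, which is escaped on both setvarblock lines and then escaped again on the two `Posted by` lines. Still unescaped in this hunk is `<$MTCategoryLabel$>` in both branches of the `Posted by [_1] [_2] in [_3]` line; category labels are user-supplied and belong with the same `escape="html"` treatment.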
diff -Nurad MTOS-4.21-ja/tmpl/cms/widget/blog_stats_tag_cloud.tmpl MTOS-4.22-ja/tmpl/cms/widget/blog_stats_tag_cloud.tmpl
--- MTOS-4.21-ja/tmpl/cms/widget/blog_stats_tag_cloud.tmpl	2008-04-11 06:33:15.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/widget/blog_stats_tag_cloud.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -4,13 +4,15 @@
     </mt:setvarblock>
 
     <div id="tag-panel" class="<mt:unless name="tab" eq="tag">hidden</mt:unless>" mt:tab-content="tag">
+<mt:Section cache_prefix="tagcloud" period="3600" by_blog="1" by_user="1">
         <div id="tag-cloud">
             <ul id="tag-cloud-list">
             <mt:loop name="tag_loop">
-                <li class="tag-<$mt:var name="rank"$>"><a href="javascript:void(0)" onclick="recentEntriesForTag('<mt:var name="name" escape="js">', 'tag-cloud-recent-entries'); return false"><$mt:var name="name"$></a></li>
+                <li class="tag-<$mt:var name="rank"$>"><a href="javascript:void(0)" onclick="recentEntriesForTag('<mt:var name="name" escape="js">', 'tag-cloud-recent-entries'); return false"><$mt:var name="name" escape="html"$></a></li>
             </mt:loop>
             </ul>
         </div>
+</mt:Section>
         <div id="tag-cloud-recent-entries"></div>
     </div>
 </mt:if>
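Review bot: The `onclick` handler on the changed line applies only `escape="js"` to `name`, but the value lands first in a double-quoted HTML attribute and only then in a JavaScript string; unless MT's JS encoder also entity-encodes `"`, a tag name containing a double quote terminates the attribute before the script ever sees it. Safer is to keep the tag out of inline script altogether, e.g. `<a href="javascript:void(0)" class="tag-link" data-tag="<mt:var name="name" escape="html">">` with one delegated click handler in the widget's script reading that attribute, or at minimum chain the JS and HTML escapes if the template engine supports that. The new `<mt:Section cache_prefix="tagcloud" ... by_blog="1" by_user="1">` keys the cached markup per blog and per user, so cached output is not shared across permission boundaries; that part looks fine.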
diff -Nurad MTOS-4.21-ja/tmpl/cms/widget/this_is_you.tmpl MTOS-4.22-ja/tmpl/cms/widget/this_is_you.tmpl
--- MTOS-4.21-ja/tmpl/cms/widget/this_is_you.tmpl	2008-04-25 00:34:02.000000000 +0200
+++ MTOS-4.22-ja/tmpl/cms/widget/this_is_you.tmpl	2008-10-13 20:33:36.000000000 +0200
@@ -6,7 +6,7 @@
         <h4><mt:var name="author_display_name" escape="html"></h4>
         <ul class="user-stats-list">
         <mt:if name="last_post_id">
-            <li><__trans phrase="Your <a href="[_1]">last entry</a> was [_2] in <a href="[_3]">[_4]</a>." params="<mt:var name="script_url">?__mode=view&amp;_type=entry&amp;id=<mt:var name="last_post_id">&amp;blog_id=<mt:var name="last_post_blog_id">%%<mt:date ts="$last_post_ts" relative="1" offset_blog_id="$last_post_blog_id">%%<mt:var name="script_url">?blog_id=<$mt:var name="last_post_blog_id"$>%%<$mt:var name="last_post_blog_name"$>"></li>
+            <li><__trans phrase="Your <a href="[_1]">last entry</a> was [_2] in <a href="[_3]">[_4]</a>." params="<mt:var name="script_url">?__mode=view&amp;_type=entry&amp;id=<mt:var name="last_post_id">&amp;blog_id=<mt:var name="last_post_blog_id">%%<mt:date ts="$last_post_ts" relative="1" offset_blog_id="$last_post_blog_id">%%<mt:var name="script_url">?blog_id=<$mt:var name="last_post_blog_id"$>%%<$mt:var name="last_post_blog_name" escape="html"$>"></li>
         </mt:if>
         <mt:if name="draft_count">
             <li><__trans phrase="You have <a href="[_1]">[quant,_2,draft,drafts]</a>." params="<mt:var name="script_url">?__mode=list_entry&amp;filter=status&amp;filter_val=1%%<mt:var name="draft_count">"></li>
