XSS: Filter Summary im DeliveryPlan richtig escapen.

[kivitendo-erp.git] / templates / webpages / delivery_plan / _filter.html

diff --git a/templates/webpages/delivery_plan/_filter.html b/templates/webpages/delivery_plan/_filter.html
index 2bd7450..d537630 100644 (file)
--- a/templates/webpages/delivery_plan/_filter.html
+++ b/templates/webpages/delivery_plan/_filter.html
@@ -5,7 +5,7 @@
 <form action='controller.pl' method='post'>
 <div class='filter_toggle'>
 <a href='#' onClick='javascript:$(".filter_toggle").toggle()'>[% 'Show Filter' | $T8 %]</a>
-  [% SELF.filter_summary %]
+  [% SELF.filter_summary | html %]
 </div>
 <div class='filter_toggle' style='display:none'>
 <a href='#' onClick='javascript:$(".filter_toggle").toggle()'>[% 'Hide Filter' | $T8 %]</a>
@@ -45,9 +45,9 @@
   <tr>
    <th align="right">[% 'Type' | $T8 %]</th>
    <td>
-     [% L.checkbox_tag('filter.part.type.part',     checked=filter.part.type.part,     label=LxERP.t8('Part')) %]
-     [% L.checkbox_tag('filter.part.type.service',  checked=filter.part.type.service,  label=LxERP.t8('Service')) %]
-     [% L.checkbox_tag('filter.part.type.assembly', checked=filter.part.type.assembly, label=LxERP.t8('Assembly')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.part,     value='part',     label=LxERP.t8('Part')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.service,  value='service',  label=LxERP.t8('Service')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.assembly, value='assembly', label=LxERP.t8('Assembly')) %]
    </td>
   </tr>
  </table>