projects / kivitendo-erp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
XSS: Filter Summary im DeliveryPlan richtig escapen.
[kivitendo-erp.git] / templates / webpages / delivery_plan / _filter.html
diff --git a/templates/webpages/delivery_plan/_filter.html b/templates/webpages/delivery_plan/_filter.html
index 9bba140..d537630 100644 (file)
--- a/templates/webpages/delivery_plan/_filter.html
+++ b/templates/webpages/delivery_plan/_filter.html
@@ -5,7 +5,7 @@
 <form action='controller.pl' method='post'>
 <div class='filter_toggle'>
 <a href='#' onClick='javascript:$(".filter_toggle").toggle()'>[% 'Show Filter' | $T8 %]</a>
-  [% SELF.filter_summary %]
+  [% SELF.filter_summary | html %]
 </div>
 <div class='filter_toggle' style='display:none'>
 <a href='#' onClick='javascript:$(".filter_toggle").toggle()'>[% 'Hide Filter' | $T8 %]</a>
@@ -24,11 +24,11 @@
   </tr>
   <tr>
    <th align="right">[% 'Delivery Date' | $T8 %] [% 'From Date' | $T8 %]</th>
-   <td>[% L.date_tag('filter.reqdate:date::ge', filter.reqdate_date__ge, cal_align = 'BR') %]</td>
+   <td>[% L.date_tag('filter.reqdate:date::ge', filter.reqdate_date__ge) %]</td>
   </tr>
   <tr>
    <th align="right">[% 'Delivery Date' | $T8 %] [% 'To Date' | $T8 %]</th>
-   <td>[% L.date_tag('filter.reqdate:date::le', filter.reqdate_date__le, cal_align = 'BR') %]</td>
+   <td>[% L.date_tag('filter.reqdate:date::le', filter.reqdate_date__le) %]</td>
   </tr>
   <tr>
    <th align="right">[% 'Quantity' | $T8 %]</th>
@@ -45,9 +45,9 @@
   <tr>
    <th align="right">[% 'Type' | $T8 %]</th>
    <td>
-     [% L.checkbox_tag('filter.part.type.part',     checked=filter.part.type.part,     label=LxERP.t8('Part')) %]
-     [% L.checkbox_tag('filter.part.type.service',  checked=filter.part.type.service,  label=LxERP.t8('Service')) %]
-     [% L.checkbox_tag('filter.part.type.assembly', checked=filter.part.type.assembly, label=LxERP.t8('Assembly')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.part,     value='part',     label=LxERP.t8('Part')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.service,  value='service',  label=LxERP.t8('Service')) %]
+     [% L.checkbox_tag('filter.part.type[]', checked=filter.part.type_.assembly, value='assembly', label=LxERP.t8('Assembly')) %]
    </td>
   </tr>
  </table>
@@ -59,7 +59,7 @@
 [% L.input_tag('action_list', LxERP.t8('Continue'), type = 'submit', class='submit')%]
 
 
-<a href='#' onClick='javascript:$("#filter_table input").attr("value","");$("#filter_table option").attr("selected","")'>[% 'Reset' | $T8 %]</a>
+<a href='#' onClick='javascript:$("#filter_table input").val("");$("#filter_table input[type=checkbox]").prop("checked", 0);'>[% 'Reset' | $T8 %]</a>
 
 </div>
 
Unnamed repository; edit this file 'description' to name the repository.