Filtering field values for xss vulnerability

layouts/v7/modules/Vtiger/Comment.tpl

@@ -19,7 +19,7 @@
 					<div class="col-lg-12">
 						<div class="media">
 							<div class="media-left title" id="{$COMMENT->getId()}">
-								{assign var=CREATOR_NAME value=$COMMENT->getCommentedByName()}
+								{assign var=CREATOR_NAME value={decode_html($COMMENT->getCommentedByName())}}
 								<div class="col-lg-2 recordImage commentInfoHeader" style ="width:50px; height:50px; font-size: 30px;" data-commentid="{$COMMENT->getId()}" data-parentcommentid="{$COMMENT->get('parent_comments')}" data-relatedto = "{$COMMENT->get('related_to')}">
 									{assign var=IMAGE_PATH value=$COMMENT->getImagePath()}
 									{if !empty($IMAGE_PATH)}

layouts/v7/modules/Vtiger/DetailViewHeaderTitle.tpl

@@ -24,7 +24,7 @@
 							{foreach item=NAME_FIELD from=$MODULE_MODEL->getNameFields()}
 								{assign var=FIELD_MODEL value=$MODULE_MODEL->getField($NAME_FIELD)}
 								{if $FIELD_MODEL->getPermissions()}
-									<span class="{$NAME_FIELD}">{$RECORD->get($NAME_FIELD)}</span>&nbsp;
+									<span class="{$NAME_FIELD}">{decode_html($RECORD->get($NAME_FIELD))}</span>&nbsp;
 								{/if}
 							{/foreach}
 						</span>

layouts/v7/modules/Vtiger/EmailPreview.tpl

@@ -146,7 +146,7 @@
 							</div>
 						</div>
 					</div>
-					<textarea style="display:none;" id="iframeDescription">{$RECORD->get('description')}</textarea>
+					<textarea style="display:none;" id="iframeDescription">{decode_html($RECORD->get('description'))}</textarea>
 					<div class="row email-info-row">
 						<div class="col-lg-2" style="padding-right:10px;">
 							<div class="pull-right">{vtranslate('LBL_DESCRIPTION',$MODULE)}</div>

layouts/v7/modules/Vtiger/Header.tpl

@@ -59,7 +59,7 @@
             var _USERMETA;
             {if $CURRENT_USER_MODEL}
                _USERMETA =  { 'id' : "{$CURRENT_USER_MODEL->get('id')}", 'menustatus' : "{$CURRENT_USER_MODEL->get('leftpanelhide')}", 
-                              'currency' : "{$USER_CURRENCY_SYMBOL}", 'currencySymbolPlacement' : "{$CURRENT_USER_MODEL->get('currency_symbol_placement')}",
+                              'currency' : "{decode_html($USER_CURRENCY_SYMBOL)}", 'currencySymbolPlacement' : "{$CURRENT_USER_MODEL->get('currency_symbol_placement')}",
                           'currencyGroupingPattern' : "{$CURRENT_USER_MODEL->get('currency_grouping_pattern')}", 'truncateTrailingZeros' : "{$CURRENT_USER_MODEL->get('truncate_trailing_zeros')}",'userlabel':"{decode_html($CURRENT_USER_MODEL->get('userlabel'))}",};
             {/if}
 		</script>

layouts/v7/modules/Vtiger/ListColumnsEdit.tpl

@@ -67,7 +67,7 @@
 																{if $FIELD_MODEL->getDisplayType() eq '6'}
 																	{continue}
 																{/if}
-																<div class="instafilta-target item {if array_key_exists($FIELD_MODEL->getCustomViewColumnName(), $SELECTED_FIELDS)}hide{/if}" data-cv-columnname="{$FIELD_MODEL->getCustomViewColumnName()}" data-columnname='{$FIELD_MODEL->get('column')}' data-field-id='{$FIELD_MODEL->getId()}'>
+																<div class="instafilta-target item {if array_key_exists(decode_html($FIELD_MODEL->getCustomViewColumnName()), $SELECTED_FIELDS)}hide{/if}" data-cv-columnname="{$FIELD_MODEL->getCustomViewColumnName()}" data-columnname='{$FIELD_MODEL->get('column')}' data-field-id='{$FIELD_MODEL->getId()}'>
 																	<span class="fieldLabel">{vtranslate($FIELD_MODEL->get('label'),$FIELD_MODULE_NAME)}</span>
 																</div>
 															{/foreach} 

layouts/v7/modules/Vtiger/PicklistColorMap.tpl

@@ -16,7 +16,7 @@
             {/if}
             {assign var=PICKLIST_COLOR_MAP value=Settings_Picklist_Module_Model::getPicklistColorMap($FIELD_NAME, true)}
             {foreach item=PICKLIST_COLOR key=PICKLIST_VALUE from=$PICKLIST_COLOR_MAP}
-                {assign var=PICKLIST_TEXT_COLOR value=decode_html(Settings_Picklist_Module_Model::getTextColor($PICKLIST_COLOR))}
+                {assign var=PICKLIST_TEXT_COLOR value= decode_html(Settings_Picklist_Module_Model::getTextColor($PICKLIST_COLOR))}
                 {assign var=CONVERTED_PICKLIST_VALUE value=Vtiger_Util_Helper::convertSpaceToHyphen($PICKLIST_VALUE)}
                     .picklist-{$FIELD_MODEL->getId()}-{Vtiger_Util_Helper::escapeCssSpecialCharacters($CONVERTED_PICKLIST_VALUE)} {
                         background-color: {$PICKLIST_COLOR};

layouts/v7/modules/Vtiger/QuickViewCommentsList.tpl

@@ -17,7 +17,7 @@
                 <div class="recentCommentsBody row">
                     <br>
                     {foreach key=index item=COMMENT from=$COMMENTS}
-                        {assign var=CREATOR_NAME value=$COMMENT->getCommentedByName()}
+                        {assign var=CREATOR_NAME value={decode_html($COMMENT->getCommentedByName())}}
                         <div class="commentDetails">
                             <div class="singleComment">
                                 {assign var=PARENT_COMMENT_MODEL value=$COMMENT->getParentCommentModel()}

layouts/v7/modules/Vtiger/uitypes/OwnerFieldSearchView.tpl

@@ -40,7 +40,7 @@
         {if count($ALL_ACTIVEGROUP_LIST) gt 0}
 		<optgroup label="{vtranslate('LBL_GROUPS')}">
 			{foreach key=OWNER_ID item=OWNER_NAME from=$ALL_ACTIVEGROUP_LIST}
-				<option value="{$OWNER_NAME}" data-picklistvalue= '{$OWNER_NAME}' {if in_array(trim($OWNER_NAME),$SEARCH_VALUES)} selected {/if}
+				<option value="{$OWNER_NAME}" data-picklistvalue= '{$OWNER_NAME}' {if in_array(trim(decode_html($OWNER_NAME)),$SEARCH_VALUES)} selected {/if}
 					{if array_key_exists($OWNER_ID, $ACCESSIBLE_GROUP_LIST)} data-recordaccess=true {else} data-recordaccess=false {/if} >
 				{$OWNER_NAME}
 				</option>

layouts/v7/modules/Vtiger/uitypes/OwnerGroupFieldSearchView.tpl

@@ -26,7 +26,7 @@
 		<select class="select2 listSearchContributor {$ASSIGNED_USER_ID}"name="{$ASSIGNED_USER_ID}" multiple id="group_id" style="display:none">
 			{if count($ALL_ACTIVEGROUP_LIST) gt 0}
 				{foreach key=OWNER_ID item=OWNER_NAME from=$ALL_ACTIVEGROUP_LIST}
-					<option value="{$OWNER_NAME}" data-picklistvalue= '{$OWNER_NAME}' {if in_array(trim($OWNER_NAME),$SEARCH_VALUES)} selected {/if}
+					<option value="{$OWNER_NAME}" data-picklistvalue= '{$OWNER_NAME}' {if in_array(trim(decode_html($OWNER_NAME)),$SEARCH_VALUES)} selected {/if}
 							{if array_key_exists($OWNER_ID, $ACCESSIBLE_GROUP_LIST)} data-recordaccess=true {else} data-recordaccess=false {/if} >
 						{$OWNER_NAME}
 					</option>

layouts/v7/modules/Vtiger/uitypes/String.tpl

@@ -16,7 +16,7 @@
 	{if (!$FIELD_NAME)}
 		{assign var="FIELD_NAME" value=$FIELD_MODEL->getFieldName()}
 	{/if}
-	<input id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" type="text" data-fieldname="{$FIELD_NAME}" data-fieldtype="string" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" value="{$FIELD_MODEL->get('fieldvalue')}"
+	<input id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" type="text" data-fieldname="{$FIELD_NAME}" data-fieldtype="string" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" value="{decode_html($FIELD_MODEL->get('fieldvalue'))|htmlentities}"
 		{if $FIELD_MODEL->get('uitype') eq '3' || $FIELD_MODEL->get('uitype') eq '4'|| $FIELD_MODEL->isReadOnly()}
 			{if $FIELD_MODEL->get('uitype') neq '106'}
 				readonly