From baba943e623ba5d1f12f579e87d04c6cb65fb061 Mon Sep 17 00:00:00 2001
From: Alexandre Avenel <avenel.alexandre@gmail.com>
Date: Thu, 16 Feb 2017 23:11:30 +0100
Subject: [PATCH] Fix xss (#173)

Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
---
 budget/forms.py                  |  2 +-
 budget/templates/forms.html      | 13 ++++++++++++-
 budget/templates/list_bills.html |  2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/budget/forms.py b/budget/forms.py
index adf3de76..ac181ece 100644
--- a/budget/forms.py
+++ b/budget/forms.py
@@ -118,7 +118,7 @@ class BillForm(Form):
     payer = SelectField(_("Payer"), validators=[Required()], coerce=int)
     amount = CommaDecimalField(_("Amount paid"), validators=[Required()])
     payed_for = SelectMultipleField(_("For whom?"),
-            validators=[Required()], widget=select_multi_checkbox, coerce=int)
+            validators=[Required()], coerce=int)
     submit = SubmitField(_("Submit"))
     submit2 = SubmitField(_("Submit and add a new one"))
 
diff --git a/budget/templates/forms.html b/budget/templates/forms.html
index af24fe23..8698e372 100644
--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@@ -85,7 +85,18 @@
     {{ input(form.what, inline=True) }}
     {{ input(form.payer, inline=True, class="form-control custom-select") }}
     {{ input(form.amount, inline=True) }}
-    {{ input(form.payed_for, inline=True, class="form-check-input") }}
+
+    <div class="form-group row">
+        <label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
+        <div class="controls col-9">
+            <ul id="payed_for" class="inputs-list">
+                <p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
+            {% for key, value, checked in form.payed_for.iter_choices() %}
+                <p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
+            {% endfor %}
+            </ul>
+        </div>
+    </div>
     </fieldset>
     <div class="actions">
         {{ form.submit(class="btn btn-primary") }}
diff --git a/budget/templates/list_bills.html b/budget/templates/list_bills.html
index 9421650e..a9af4def 100644
--- a/budget/templates/list_bills.html
+++ b/budget/templates/list_bills.html
@@ -107,7 +107,7 @@
         <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
     <tbody>
     {% for bill in bills %}
-    <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}>
+    <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
             <td>{{ bill.date }}</td>
             <td>{{ bill.payer }}</td>
             <td>{{ bill.what }}</td>