Use unsafe:…|encodeJS to output strings in JavaScript

Author: Cyperghost

com.woltlab.wcf/templates/shared_formFieldDataHandler.tpl

@@ -2,7 +2,7 @@
 	<script data-relocate="true">
 		require([
 			'tslib',
-			'{$field->getJavaScriptDataHandlerModule()}',
+			'{unsafe:$field->getJavaScriptDataHandlerModule()|encodeJS}',
 			'WoltLabSuite/Core/Form/Builder/Manager'
 		], function(
 			tslib,

com.woltlab.wcf/templates/shared_messageFormAttachments.tpl

@@ -23,7 +23,7 @@
 		{jsphrase name='wcf.attachment.moreOptions'}
 
 		require(["WoltLabSuite/Core/Component/Attachment/List"], ({ setup }) => {
-			setup("{if $wysiwygSelector|isset}{$wysiwygSelector}{else}text{/if}");
+			setup("{if $wysiwygSelector|isset}{unsafe:$wysiwygSelector|encodeJS}{else}text{/if}");
 		});
 	</script>
 

com.woltlab.wcf/templates/shared_multipleLanguageInputJavascript.tpl

@@ -5,16 +5,16 @@
 				'wcf.global.button.disabledI18n': '{jslang}wcf.global.button.disabledI18n{/jslang}'
 			});
 
-			var availableLanguages = { {implode from=$availableLanguages key=languageID item=languageName}{@$languageID}: '{$languageName}'{/implode} };
-			var values = { {implode from=$i18nValues[$elementIdentifier] key=languageID item=value}'{@$languageID}': '{$value}'{/implode} };
+			var availableLanguages = { {implode from=$availableLanguages key=languageID item=languageName}{$languageID}: '{$languageName}'{/implode} };
+			var values = { {implode from=$i18nValues[$elementIdentifier] key=languageID item=value}'{$languageID}': '{$value}'{/implode} };
 			
-			var element = elById('{@$elementIdentifier}');
+			var element = elById('{unsafe:$elementIdentifier|encodeJS}');
 			var type = LanguageInput;
 			if (element && element.nodeName === 'TEXTAREA' && element.classList.contains('wysiwygTextarea')) {
 				type = LanguageText;
 			}
 			
-			type['init']('{@$elementIdentifier}', values, availableLanguages, {if $forceSelection}true{else}false{/if});
+			type['init']('{unsafe:$elementIdentifier|encodeJS}', values, availableLanguages, {if $forceSelection}true{else}false{/if});
 		});
 	</script>
 {/if}

com.woltlab.wcf/templates/shared_multiplePagesSelectionFormField.tpl

@@ -3,9 +3,9 @@
 {if $field->getVisibleEverywhereFieldId() !== null}
 	<script data-relocate="true">
 		{
-			const label = document.querySelector('label[for="{$field->getPrefixedId()}"]');
+			const label = document.querySelector('label[for="{unsafe:$field->getPrefixedId()|encodeJS}"]');
 
-			document.querySelectorAll('input[name="{$field->getVisibleEverywhereFieldId()}"]').forEach((input) => {
+			document.querySelectorAll('input[name="{unsafe:$field->getVisibleEverywhereFieldId()|encodeJS}"]').forEach((input) => {
 				input.addEventListener("change", () => {
 					setLabelText(input.value);
 				});
@@ -15,7 +15,7 @@
 				label.innerHTML = parseInt(value) === 0 ? '{unsafe:$field->getLabel()|encodeJS}' : '{unsafe:$field->getInvertedLabel()|encodeJS}';
 			}
 
-			setLabelText(document.querySelector('input[name="{$field->getVisibleEverywhereFieldId()}"]:checked').value);
+			setLabelText(document.querySelector('input[name="{unsafe:$field->getVisibleEverywhereFieldId()|encodeJS}"]:checked').value);
 		}
 	</script>
 {/if}

com.woltlab.wcf/templates/shared_ratingFormField.tpl

@@ -29,7 +29,7 @@
 <script data-relocate="true">
 	require(['WoltLabSuite/Core/Form/Builder/Field/Controller/Rating'], function(FormBuilderFieldRating) {
 		new FormBuilderFieldRating(
-			'{$field->getPrefixedId()}',
+			'{unsafe:$field->getPrefixedId()|encodeJS}',
 			{if $field->getValue() !== null}{$field->getValue()}{else}''{/if}
 		);
 	});

com.woltlab.wcf/templates/shared_wysiwygAttachmentFormField.tpl

@@ -25,7 +25,7 @@
 		{jsphrase name='wcf.attachment.moreOptions'}
 
 		require(["WoltLabSuite/Core/Component/Attachment/List"], ({ setup }) => {
-			setup("{$field->getPrefixedWysiwygId()}");
+			setup("{unsafe:$field->getPrefixedWysiwygId()|encodeJS}");
 		});
 	</script>
 </div>