URI and HTML escape template variables

2013-03-02 18:18:46 +00:00
parent 043eef9d4d
commit 8e9466b64f
19 changed files with 135 additions and 133 deletions
--- a/Netdisco/Changes
+++ b/Netdisco/Changes
@@ -12,9 +12,10 @@
  * Use Path::Class for path and file name construction consistently
  * Avoid use of DNS when looking up devices in DB by IP

-  [BIG FIXES]
+  [BUG FIXES]

  * Search by device port MAC no longer fatal
+  * URI and HTML escape template variables

 2.005000_002 - 2013-02-10

--- a/Netdisco/share/views/ajax/device/addresses.tt
+++ b/Netdisco/share/views/ajax/device/addresses.tt
@@ -11,13 +11,13 @@
  </tbody>
    [% WHILE (row = results.next) %]
    <tr>
-      <td>[% row.alias %]</a>
-      <td>[% row.dns %]</a>
+      <td>[% row.alias | html_entity %]</a>
+      <td>[% row.dns | html_entity %]</a>
      <td class="center_cell"><a class="nd_linkcell"
-        href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]">[% row.port %]</a></td>
-      <td>[% row.device_port.name %]</td>
+        href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]">[% row.port | html_entity %]</a></td>
+      <td>[% row.device_port.name | html_entity %]</td>
      <td><a class="nd_linkcell"
-        href="[% search_device %]&ip=[% row.subnet | uri %]">[% row.subnet %]</a></td>
+        href="[% search_device %]&ip=[% row.subnet | uri %]">[% row.subnet | html_entity %]</a></td>
    </tr>
    [% END %]
  </tbody>
--- a/Netdisco/share/views/ajax/device/details.tt
+++ b/Netdisco/share/views/ajax/device/details.tt
@@ -13,12 +13,12 @@
      [% IF vars.user.port_control %]
      <td class="nd_editable_cell" contenteditable="true"
        data-field="location" data-for-device="[% d.ip %]">
-          [% d.location %]
+          [% d.location | html_entity %]
      </td>
      [% ELSE %]
      <td>
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&location=[% d.location | uri %]">[% d.location %]</a>
+        href="[% search_device %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
      </td>
      [% END %]
    </tr>
@@ -30,68 +30,68 @@
      </td>
      [% IF vars.user.port_control %]
      <td class="nd_editable_cell" contenteditable="true"
-        data-field="contact" data-for-device="[% d.ip %]">
-          [% d.contact %]
+        data-field="contact" data-for-device="[% d.ip | html_entity %]">
+          [% d.contact | html_entity %]
      </td>
      [% ELSE %]
-      <td>[% d.contact %]</td>
+      <td>[% d.contact | html_entity %]</td>
      [% END %]
    </tr>
    <tr>
      <td>Vendor / Model</td>
      <td>
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&vendor=[% d.vendor | uri %]">[% d.vendor %]</a>
+        href="[% search_device %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
        /
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&model=[% d.model | uri %]">[% d.model %]</a>
+        href="[% search_device %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
      </td>
    </tr>
    <tr>
      <td>OS / Version</td>
-      <td>[% d.os %] /
+      <td>[% d.os | html_entity %] /
        <a rel="tooltip" data-placement="top" data-offset="5"
          data-title="Find Similar Devices"
-          href="[% search_device %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver %]</a>
+          href="[% search_device %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
      </td>
    </tr>
    <tr>
      <td>Serial Number</td>
-      <td>[% d.serial %]</td>
+      <td>[% d.serial | html_entity %]</td>
    </tr>
    <tr>
      <td>Description</td>
-      <td>[% d.description.replace(', ',",<br/>") %]</td>
+      <td>[% d.description | html_entity | html_line_break %]</td>
    </tr>
    <tr>
      <td>Uptime</td>
-      <td>[% d.uptime_age %]</td>
+      <td>[% d.uptime_age | html_entity %]</td>
    </tr>
    <tr>
      <td>Last Discover</td>
-      <td>[% d.last_discover_stamp %]</td>
+      <td>[% d.last_discover_stamp | html_entity %]</td>
    </tr>
    <tr>
      <td>Last Arpnip</td>
-      <td>[% d.last_arpnip_stamp %]</td>
+      <td>[% d.last_arpnip_stamp | html_entity %]</td>
    </tr>
    <tr>
      <td>Last Macsuck</td>
-      <td>[% d.last_macsuck_stamp %]</td>
+      <td>[% d.last_macsuck_stamp | html_entity %]</td>
    </tr>
    <tr>
      <td>Hardware Status</td>
-      <td>Fan: [% d.fan %]
-        <br/>PS1 [[% d.ps1_type %]]: [% d.ps1_status %]
-        <br/>PS2 [[% d.ps2_type %]]: [% d.ps2_status %]</td>
+      <td>Fan: [% d.fan | html_entity %]
+        <br/>PS1 [[% d.ps1_type | html_entity %]]: [% d.ps1_status | html_entity %]
+        <br/>PS2 [[% d.ps2_type | html_entity %]]: [% d.ps2_status | html_entity %]</td>
    </tr>
    <tr>
      <td>MAC Address</td>
-      <td>[% d.mac %]</td>
+      <td>[% d.mac | html_entity %]</td>
    </tr>
    <tr>
      <td>VTP Domain</td>
-      <td>[% d.vtp_domain %]</td>
+      <td>[% d.vtp_domain | html_entity %]</td>
    </tr>
  </tbody>
 </table>
--- a/Netdisco/share/views/ajax/device/ports.tt
+++ b/Netdisco/share/views/ajax/device/ports.tt
@@ -6,7 +6,7 @@
      [% NEXT IF item.name == 'c_admin' %]
      [% NEXT IF item.name == 'c_nodes' AND params.c_nodes AND params.c_neighbors %]
        [% NEXT UNLESS params.${item.name} %]
-        <th[% ' class="center_cell"' IF NOT loop.first %]>[% item.label %]</th>
+        <th[% ' class="center_cell"' IF NOT loop.first %]>[% item.label | html_entity %]</th>
      [% END %]
    </tr>
  </thead>
@@ -29,13 +29,13 @@
      [% IF vars.user.port_control AND params.c_admin %]
      [% IF row.up_admin == 'up' %]
      <td nowrap class="nd_editable_cell" data-action="down"
-        data-field="c_port" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_port" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
        <i class="icon-hand-down nd_hand_icon"
          rel="tooltip" data-placement="top" data-offset="3"
          data-animation="" data-title="Click to Disable"></i>
      [% ELSE %]
      <td nowrap class="nd_editable_cell" data-action="up"
-        data-field="c_port" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_port" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
        <i class="icon-hand-up nd_hand_icon"
          rel="tooltip" data-placement="top" data-offset="3"
          data-animation="" data-title="Click to Enable"></i>
@@ -72,7 +72,7 @@
      [% IF params.c_name %]
      [% IF vars.user.port_control AND params.c_admin %]
      <td nowrap class="center_cell nd_editable_cell" contenteditable="true"
-          data-field="c_name" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+          data-field="c_name" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
      <i class="icon-edit nd_edit_icon"></i>
      [% ELSE %]
      <td nowrap class="center_cell">
@@ -98,7 +98,7 @@
      [% IF params.c_vlan %]
      [% IF vars.user.port_control AND params.c_admin %]
      <td class="center_cell nd_editable_cell" contenteditable="true"
-        data-field="c_vlan" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_vlan" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
      <i class="icon-edit nd_edit_icon"></i>
      <div class="nd_editable_cell_content">
        [% IF row.vlan %][% row.vlan | html_entity %][% END %]
@@ -140,7 +140,7 @@
          [% IF row.power.admin == 'true' %]
            [% IF vars.user.port_control AND params.c_admin %]
              <td nowrap data-action="false"
-                data-field="c_power" data-for-device="[% device %]"
+                data-field="c_power" data-for-device="[% device | html_entity %]"
                data-for-port="[% row.port | html_entity %]">

                <i class="icon-off nd_power_icon nd_power_on"
@@ -152,15 +152,15 @@
            [% END %]
                <span>
                [% IF row.power.power > 0 %]
-                  [% row.power.power %]&nbsp;mW
+                  [% row.power.power | html_entity %]&nbsp;mW
                [% ELSE %]
-                  ([% row.power.status %])
+                  ([% row.power.status | html_entity %])
                [% END %]
                </span>
          [% ELSE %]
            [% IF vars.user.port_control AND params.c_admin %]
              <td nowrap data-action="true"
-                data-field="c_power" data-for-device="[% device %]"
+                data-field="c_power" data-for-device="[% device | html_entity %]"
                data-for-port="[% row.port | html_entity %]">

                <i class="icon-off nd_power_icon"
@@ -183,29 +183,29 @@
          [% IF row.neighbor %]
          <a href="[% uri_for('/device',
                self_options) %]&q=[% row.neighbor.dns || row.neighbor.ip | uri %]&f=[% row.remote_port | uri %]">
-            [% row.neighbor.dns.remove(settings.domain_suffix) || row.neighbor.ip %]
+            [% row.neighbor.dns.remove(settings.domain_suffix) || row.neighbor.ip | html_entity %]
            ([% row.remote_port | html_entity %])</a>
          [% ELSE %]
          <span class="label label-important">N</span>
          <a href="[% search_node %]&q=[% row.remote_ip | uri %]">
-            [% row.remote_ip %] (port: [% row.remote_port %]
-            id: [% (row.remote_type _ ' / ') IF row.remote_type %][% row.remote_id %])</a>
+            [% row.remote_ip | html_entity %] (port: [% row.remote_port | html_entity %]
+            id: [% (row.remote_type _ ' / ') IF row.remote_type %][% row.remote_id | html_entity %])</a>
          [% END %]
        [% END %]
        [% IF params.c_nodes %]
        [% FOREACH node IN row.$nodes %]
          [% '<br/>' IF row.remote_ip OR NOT loop.first %]
          [% '<span class="label label-warning">A</span> &nbsp;' IF NOT node.active %]
-          <a href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac %]</a>
+          <a href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac | html_entity %]</a>
          [% ' (' _ node.time_last_age _ ')' IF params.n_age %]
          [% IF params.n_ip %]
            [% FOREACH ip IN node.ips %]
            <br/>&nbsp; [% '<span class="label label-warning">A</span> &nbsp;' IF NOT ip.active %]
              [% SET dns = ip.dns %]
              [% IF dns %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip %])</a>
+              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip | html_entity %])</a>
              [% ELSE %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip %]</a>
+              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
              [% END %]
            [% END %]
          [% END %]
--- a/Netdisco/share/views/ajax/search/device.tt
+++ b/Netdisco/share/views/ajax/search/device.tt
@@ -14,15 +14,14 @@
  </tbody>
    [% WHILE (row = results.next) %]
    <tr>
-      <td><a href="[% uri_for('/device') %]?q=[% row.dns || row.ip %]">[% row.dns || row.ip %]</a></td>
-      <td>[% row.contact %]</td>
-      <td>[% row.location %]</td>
-      <td>[% row.name %]</td>
-      <!-- <td>[% row.description.substr(0, 100) %][% ' &hellip;' IF row.description.length > 100 %]</td> -->
-      <td>[% row.model %]</td>
-      <td>[% row.os_ver %]</td>
-      <td>[% row.ip %]</td>
-      <td>[% row.serial %]</td>
+      <td><a href="[% uri_for('/device') %]?q=[% row.dns || row.ip | uri %]">[% row.dns || row.ip | html_entity %]</a></td>
+      <td>[% row.contact | html_entity %]</td>
+      <td>[% row.location | html_entity %]</td>
+      <td>[% row.name | html_entity %]</td>
+      <td>[% row.model | html_entity %]</td>
+      <td>[% row.os_ver | html_entity %]</td>
+      <td>[% row.ip | html_entity %]</td>
+      <td>[% row.serial | html_entity %]</td>
    </tr>
    [% END %]
  </tbody>
--- a/Netdisco/share/views/ajax/search/node_by_ip.tt
+++ b/Netdisco/share/views/ajax/search/node_by_ip.tt
@@ -17,18 +17,18 @@
    [% WHILE (row = macs.next) %]
    <tr>
      <td><a class="nd_linkcell"
-        href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac %]</a></td>
+        href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac | html_entity %]</a></td>
      [% IF params.vendor %]
-      <td>[% row.oui.company %]</td>
+      <td>[% row.oui.company | html_entity %]</td>
      [% END %]
      <td>IP &rarr; MAC</td>
-      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip %]</a>
+      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
        [% ' <span class="label label-warning">A</span>' IF NOT row.active %]
        [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
      </td>
      [% IF params.stamps %]
-      <td>[% row.time_first_stamp %]</td>
-      <td>[% row.time_last_stamp %]</td>
+      <td>[% row.time_first_stamp | html_entity %]</td>
+      <td>[% row.time_last_stamp | html_entity %]</td>
      [% END %]
    </tr>
    [% FOREACH node IN row.node_sightings(archive_filter) %]
@@ -39,16 +39,16 @@
      [% END %]
      <td>Switch Port</td>
      <td><a class="nd_linkcell"
-          href="[% device_ports %]&q=[% node.device.dns || node.switch %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
-          [% node.switch %] - [% node.port %]</a>
+          href="[% device_ports %]&q=[% node.device.dns || node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
+          [% node.switch | html_entity %] - [% node.port | html_entity %]</a>
        [% ' <span class="label label-warning">A</span>' IF NOT node.active %]
        [% IF node.device.dns AND node.device_port AND node.device_port.name %]
-          ([% node.device.dns %] - [% node.device_port.name %])
+          ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
        [% END %]
      </td>
      [% IF params.stamps %]
-      <td>[% node.time_first_stamp %]</td>
-      <td>[% node.time_last_stamp %]</td>
+      <td>[% node.time_first_stamp | html_entity %]</td>
+      <td>[% node.time_last_stamp | html_entity %]</td>
      [% END %]
    </tr>
    [% END %]
@@ -59,13 +59,13 @@
      <td>&nbsp;</td>
      [% END %]
      <td>MAC &rarr; IP</td>
-      <td><a href="[% search_node %]&q=[% nodeip.ip | uri %]">[% nodeip.ip %]</a>
+      <td><a href="[% search_node %]&q=[% nodeip.ip | uri %]">[% nodeip.ip | html_entity %]</a>
        [% ' <span class="label label-warning">A</span>' IF NOT nodeip.active %]
        [% ' (' _ nodeip.dns.remove(settings.domain_suffix) _ ')' IF nodeip.dns %]
      </td>
      [% IF params.stamps %]
-      <td>[% nodeip.time_first_stamp %]</td>
-      <td>[% nodeip.time_last_stamp %]</td>
+      <td>[% nodeip.time_first_stamp | html_entity %]</td>
+      <td>[% nodeip.time_last_stamp | html_entity %]</td>
      [% END %]
    </tr>
    [% END %]
--- a/Netdisco/share/views/ajax/search/node_by_mac.tt
+++ b/Netdisco/share/views/ajax/search/node_by_mac.tt
@@ -20,7 +20,7 @@
      <td>
        [% IF first_row %]
        <a class="nd_linkcell"
-          href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac %]</a>
+          href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac | html_entity %]</a>
        [% ELSE %]
        &nbsp;
        [% END %]
@@ -28,20 +28,20 @@
      [% IF params.vendor %]
      <td>
        [% IF first_row %]
-        [% row.oui.company %]
+        [% row.oui.company | html_entity %]
        [% ELSE %]
        &nbsp;
        [% END %]
      </td>
      [% END %]
      <td>MAC &rarr; IP</td>
-      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip %]</a>
+      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
        [% ' <span class="label label-warning">A</span>' IF NOT row.active %]
        [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
      </td>
      [% IF params.stamps %]
-      <td>[% row.time_first_stamp %]</td>
-      <td>[% row.time_last_stamp %]</td>
+      <td>[% row.time_first_stamp | html_entity %]</td>
+      <td>[% row.time_last_stamp | html_entity %]</td>
      [% END %]
    </tr>
    [% SET first_row = 0 %]
@@ -51,7 +51,7 @@
      <td>
        [% IF first_row %]
        <a class="nd_linkcell"
-          href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac %]</a>
+          href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac | html_entity %]</a>
        [% ELSE %]
        &nbsp;
        [% END %]
@@ -59,7 +59,7 @@
      [% IF params.vendor %]
      <td>
        [% IF first_row %]
-        [% node.oui.company %]
+        [% node.oui.company | html_entity %]
        [% ELSE %]
        &nbsp;
        [% END %]
@@ -67,16 +67,16 @@
      [% END %]
      <td>Switch Port</td>
      <td><a class="nd_linkcell"
-            href="[% device_ports %]&q=[% node.device.dns || node.switch %]&f=[% node.port %]&c_nodes=on&c_neighbors=on">
-            [% node.switch %] - [% node.port %]</a>
+            href="[% device_ports %]&q=[% node.device.dns || node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
+            [% node.switch | html_entity %] - [% node.port | html_entity %]</a>
        [% ' <span class="label label-warning">A</span>' IF NOT node.active %]
        [% IF node.device.dns AND node.device_port AND node.device_port.name %]
-          ([% node.device.dns %] - [% node.device_port.name %])
+          ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
        [% END %]
      </td>
      [% IF params.stamps %]
-      <td>[% node.time_first_stamp %]</td>
-      <td>[% node.time_last_stamp %]</td>
+      <td>[% node.time_first_stamp | html_entity %]</td>
+      <td>[% node.time_last_stamp | html_entity %]</td>
      [% END %]
    </tr>
    [% SET first_row = 0 %]
@@ -86,7 +86,7 @@
      <td>
        [% IF first_row %]
        <a class="nd_linkcell"
-          href="[% search_node %]&q=[% port.mac | uri %]">[% port.mac %]</a>
+          href="[% search_node %]&q=[% port.mac | uri %]">[% port.mac | html_entity %]</a>
        [% ELSE %]
        &nbsp;
        [% END %]
@@ -94,7 +94,7 @@
      [% IF params.vendor %]
      <td>
        [% IF first_row %]
-        [% port.oui.company %]
+        [% port.oui.company | html_entity %]
        [% ELSE %]
        &nbsp;
        [% END %]
@@ -102,15 +102,15 @@
      [% END %]
      <td>Switch Port</td>
      <td><a class="nd_linkcell"
-            href="[% device_ports %]&q=[% port.device.dns || port.ip %]&f=[% port.port %]&c_mac=on&c_nodes=on&c_neighbors=on">
-            [% port.ip %] - [% port.descr %]</a>
+            href="[% device_ports %]&q=[% port.device.dns || port.ip | uri %]&f=[% port.port | uri %]&c_mac=on&c_nodes=on&c_neighbors=on">
+            [% port.ip | html_entity %] - [% port.descr | html_entity %]</a>
        [% IF port.device.dns AND port.name %]
-          ([% port.device.dns %] - [% port.name %])
+          ([% port.device.dns | html_entity %] - [% port.name | html_entity %])
        [% END %]
      </td>
      [% IF params.stamps %]
-      <td>[% port.creation %]</td>
-      <td>[% port.creation %]</td>
+      <td>[% port.creation | html_entity %]</td>
+      <td>[% port.creation | html_entity %]</td>
      [% END %]
    </tr>
    [% SET first_row = 0 %]
--- a/Netdisco/share/views/ajax/search/port.tt
+++ b/Netdisco/share/views/ajax/search/port.tt
@@ -10,12 +10,13 @@
  </tbody>
    [% WHILE (row = results.next) %]
    <tr>
-      <td>[% row.name %]</td>
-      <td><a href="[% device_ports %]&q=[% row.device.dns || row.ip %]&f=[% row.port %]">[% row.ip %] [ [% row.port %] ]</a>
+      <td>[% row.name | html_entity %]</td>
+      <td><a href="[% device_ports %]&q=[% row.device.dns || row.ip | uri %]&f=[% row.port | uri %]">
+        [% row.ip | html_entity %] [ [% row.port | html_entity %] ]</a>
        [% ' (' _ row.device.dns _ ')' IF row.device.dns %]
      </td>
-      <td>[% row.descr %]</td>
-      <td>[% row.vlan %]</td>
+      <td>[% row.descr | html_entity %]</td>
+      <td>[% row.vlan | html_entity %]</td>
    </tr>
    [% END %]
  </tbody>
--- a/Netdisco/share/views/ajax/search/vlan.tt
+++ b/Netdisco/share/views/ajax/search/vlan.tt
@@ -13,17 +13,17 @@
    [% WHILE (row = results.next) %]
    <tr>
      <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vlan.vlan %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vlan.vlan | html_entity %]</a></td>
      <td><a class="nd_linkcell"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.dns || row.ip %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.dns || row.ip | html_entity %]</a></td>
      <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vlan.description %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vlan.description | html_entity %]</a></td>
      <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.model %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.model | html_entity %]</a></td>
      <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.os %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.os | html_entity %]</a></td>
      <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vendor %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vendor | html_entity %]</a></td>
    </tr>
    [% END %]
  </tbody>
--- a/Netdisco/share/views/device.tt
+++ b/Netdisco/share/views/device.tt
@@ -29,8 +29,8 @@
            <script type="text/javascript">has_sidebar["[% tab.id %]"] = 1;</script>
            [% CATCH %]
            <!-- no "[% tab.id %]" search options -->
-            <input name="q" value="[% params.q %]" type="hidden"/>
-            <input name="f" value="[% params.f %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
+            <input name="f" value="[% params.f | html_entity %]" type="hidden"/>
            <script type="text/javascript">has_sidebar["[% tab.id %]"] = 0;</script>
            [% END %]
          </form>
@@ -45,7 +45,7 @@
      [% FOREACH tab IN settings.device_tabs %]
      <li[% ' class="active"' IF params.tab == tab.id %]><a id="[% tab.id %]_link" href="#[% tab.id %]_pane">[% tab.label %]</a></li>
      [% END %]
-      <span id="nd_device_name">[% d.dns || d.name %]</span>
+      <span id="nd_device_name">[% d.dns || d.name | html_entity %]</span>
    </ul>
    <div class="tab-content">
      [% FOREACH tab IN settings.device_tabs %]
--- a/Netdisco/share/views/index.tt
+++ b/Netdisco/share/views/index.tt
@@ -37,7 +37,7 @@
            <button type="submit" class="btn btn-info">Log In</button>
          </div>
          [% IF vars.requested_path %]
-          <input type="hidden" name="path" value="[% vars.requested_path %]"/>
+          <input type="hidden" name="path" value="[% vars.requested_path | html_entity %]"/>
          [% END %]
        </form>
        [% ELSE %]
--- a/Netdisco/share/views/inventory.tt
+++ b/Netdisco/share/views/inventory.tt
@@ -17,15 +17,15 @@
          <tr>
            <th>
              <a class="nd_linkcell"
-                href="[% search_device %]&vendor=[% platform.vendor %]">
-                  [% platform.vendor %]</a>
+                href="[% search_device %]&vendor=[% platform.vendor | uri %]">
+                  [% platform.vendor | html_entity %]</a>
            </th>
            <th>
              <a class="nd_linkcell"
-                href="[% search_device %]&model=[% platform.model %]">
-                  [% platform.model %]</a>
+                href="[% search_device %]&model=[% platform.model | uri %]">
+                  [% platform.model | html_entity %]</a>
            </th>
-            <th>[% platform.get_column('count') %]</th>
+            <th>[% platform.get_column('count') | html_entity %]</th>
          </tr>
          [% END %]
        </tbody>
@@ -45,13 +45,13 @@
          [% FOREACH release IN releases.all %]
          [% NEXT UNLESS (release.os AND release.os_ver) %]
          <tr>
-            <th>[% release.os %]</th>
+            <th>[% release.os | html_entity %]</th>
            <th>
              <a class="nd_linkcell"
-                href="[% search_device %]&os_ver=[% release.os_ver %]">
-                  [% release.os_ver %]</a>
+                href="[% search_device %]&os_ver=[% release.os_ver | uri %]">
+                  [% release.os_ver | html_entity %]</a>
            </th>
-            <th>[% release.get_column('count') %]</th>
+            <th>[% release.get_column('count') | html_entity %]</th>
          </tr>
          [% END %]
        </tbody>
--- a/Netdisco/share/views/layouts/main.tt
+++ b/Netdisco/share/views/layouts/main.tt
@@ -2,7 +2,7 @@
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-type" content="text/html; charset=[% settings.charset %]" />
+  <meta http-equiv="Content-type" content="text/html; charset=[% settings.charset | html_entity %]" />
  <link rel="shortcut icon" href="#" />
  <title>Netdisco</title>

@@ -54,7 +54,7 @@
      <ul class="nav">
        [% FOREACH ni IN settings.navbar_items %]
        <li[% ' class="active"' IF vars.nav == ni.id %]>
-          <a href="[% uri_for(ni.path) %]">[% ni.label %]</a>
+          <a href="[% uri_for(ni.path) %]">[% ni.label | html_entity %]</a>
        </li>
        [% END %]
        [% IF more_dd.size %]
@@ -63,7 +63,7 @@
            More <b class="caret"></b></a>
          <ul class="dropdown-menu">
            [% FOREACH title IN more_dd.keys.sort %]
-            <li><a href="[% uri_for(more_dd.$title) %]">[% title %]</a></li>
+            <li><a href="[% uri_for(more_dd.$title) %]">[% title | html_entity %]</a></li>
            [% END %]
          </ul>
        </li> <!-- /dropdown -->
@@ -85,10 +85,10 @@
          [% ELSE %]
            <i class="icon-user"></i>
          [% END %]
-            [% session.user %] <b class="caret"></b></a>
+            [% session.user | html_entity %] <b class="caret"></b></a>
          <ul class="dropdown-menu">
            [% FOREACH item IN user_dd %]
-            <li><a href="[% uri_for(item.link) %]">[% item.title %]</a></li>
+            <li><a href="[% uri_for(item.link) %]">[% item.title | html_entity %]</a></li>
            [% END %]
          </ul>
        </li> <!-- /dropdown -->
--- a/Netdisco/share/views/search.tt
+++ b/Netdisco/share/views/search.tt
@@ -17,7 +17,7 @@
            <script type="text/javascript">has_sidebar["[% tab.id %]"] = 1;</script>
            [% CATCH %]
            <!-- no "[% tab.id %]" search options -->
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
            <script type="text/javascript">has_sidebar["[% tab.id %]"] = 0;</script>
            [% END %]
          </form>
--- a/Netdisco/share/views/sidebar/device/ports.tt
+++ b/Netdisco/share/views/sidebar/device/ports.tt
@@ -1,11 +1,11 @@

-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
            <div class="clearfix">
              <a class="field_clear_icon" href="#"
                rel="tooltip" data-placement="top" data-offset="3" data-title="Show all Ports">
                <img src="[% uri_base %]/images/tango_sweep.png"/></a>
              <input id="nd_port_query" placeholder="Port, Name or VLAN"
-                name="f" value="[% params.f %]" type="text"
+                name="f" value="[% params.f | html_entity %]" type="text"
                rel="tooltip" data-placement="left" data-offset="5" data-title="Filter by Port, Name or VLAN"/>
            </div>
            <div class="clearfix">
@@ -55,12 +55,12 @@
                  [% NEXT IF item.name == 'c_admin' AND NOT vars.user.port_control %]
                  <li>
                    <label class="checkbox">
-                      <input type="checkbox" id="[% item.name %]"
-                        name="[% item.name %]"[% ' checked="checked"' IF params.${item.name} %] />
+                      <input type="checkbox" id="[% item.name | html_entity %]"
+                        name="[% item.name | html_entity %]"[% ' checked="checked"' IF params.${item.name} %] />
                      [% IF item.name == 'c_admin' %]
-                        <span class="label label-info">[% item.label %]</span>
+                        <span class="label label-info">[% item.label | html_entity %]</span>
                      [% ELSE %]
-                        [% item.label %]
+                        [% item.label | html_entity %]
                      [% END %]
                    </label>
                  </li>
@@ -110,9 +110,9 @@
                  [% FOREACH item IN vars.connected_properties %]
                  <li>
                    <label class="checkbox">
-                      <input type="checkbox" id="[% item.name %]"
-                        name="[% item.name %]"[% ' checked="checked"' IF params.${item.name} %] />
-                      [% item.label %]
+                      <input type="checkbox" id="[% item.name | html_entity %]"
+                        name="[% item.name | html_entity %]"[% ' checked="checked"' IF params.${item.name} %] />
+                      [% item.label | html_entity %]
                    </label>
                  </li>
                  [% END %]
--- a/Netdisco/share/views/sidebar/search/device.tt
+++ b/Netdisco/share/views/sidebar/search/device.tt
@@ -1,12 +1,12 @@

            <p class="nd_sidebar_title"><em>Device Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
            <div class="clearfix">
              <i data-btn-for="dns" class="field_copy_icon icon-copy icon-large"></i>
              <i id="dns_clear_btn" data-btn-for="dns"
                class="field_clear_icon icon-trash icon-large"></i>
              <input class="nd_side_input" placeholder="DNS"
-                type="text" name="dns" value="[% params.dns %]"
+                type="text" name="dns" value="[% params.dns | html_entity %]"
                rel="tooltip" data-placement="left" data-offset="5" data-title="DNS"/>
            </div>
            <div class="clearfix">
@@ -14,7 +14,7 @@
              <i id="ip_clear_btn" data-btn-for="ip"
                class="field_clear_icon icon-trash icon-large"></i>
              <input class="nd_side_input" placeholder="IP Address"
-                type="text" name="ip" value="[% params.ip %]"
+                type="text" name="ip" value="[% params.ip | html_entity %]"
                rel="tooltip" data-placement="left" data-offset="5" data-title="IP Address"/>
            </div>
            <div class="clearfix">
@@ -22,7 +22,7 @@
              <i id="name_clear_btn" data-btn-for="name"
                class="field_clear_icon icon-trash icon-large"></i>
              <input class="nd_side_input" placeholder="System Name"
-                type="text" name="name" value="[% params.name %]"
+                type="text" name="name" value="[% params.name | html_entity %]"
                rel="tooltip" data-placement="left" data-offset="5" data-title="System Name"/>
            </div>
            <div class="clearfix">
@@ -30,7 +30,7 @@
              <i id="location_clear_btn" data-btn-for="location"
                class="field_clear_icon icon-trash icon-large"></i>
              <input class="nd_side_input" placeholder="Location"
-                type="text" name="location" value="[% params.location %]"
+                type="text" name="location" value="[% params.location | html_entity %]"
                rel="tooltip" data-placement="left" data-offset="5" data-title="Location"/>
            </div>
            <div class="clearfix">
@@ -38,7 +38,7 @@
              <i id="description_clear_btn" data-btn-for="description"
                class="field_clear_icon icon-trash icon-large"></i>
              <input class="nd_side_input" placeholder="Description"
-                type="text" name="description" value="[% params.description %]"
+                type="text" name="description" value="[% params.description | html_entity %]"
                rel="tooltip" data-placement="left" data-offset="5" data-title="Description"/>
            </div>
            <div class="clearfix">
@@ -46,7 +46,7 @@
                multiple="on" name="model"
                rel="tooltip" data-placement="left" data-offset="5" data-title="Model"/>
                [% FOREACH opt IN model_list %]
-                <option[% ' selected="selected"' IF model_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF model_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                [% END %]
              </select>
            </div>
@@ -55,7 +55,7 @@
                multiple="on" name="os_ver"
                rel="tooltip" data-placement="left" data-offset="5" data-title="OS Release"/>
                [% FOREACH opt IN os_ver_list %]
-                <option[% ' selected="selected"' IF os_ver_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF os_ver_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                [% END %]
              </select>
            </div>
@@ -64,7 +64,7 @@
                multiple="on" name="vendor"
                rel="tooltip" data-placement="left" data-offset="5" data-title="Vendor"/>
                [% FOREACH opt IN vendor_list %]
-                <option[% ' selected="selected"' IF vendor_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF vendor_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                [% END %]
              </select>
            </div>
--- a/Netdisco/share/views/sidebar/search/node.tt
+++ b/Netdisco/share/views/sidebar/search/node.tt
@@ -1,6 +1,6 @@

            <p class="nd_sidebar_title"><em>Node Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
            <div class="clearfix input-prepend">
              <label class="add-on">
                <input type="checkbox" id="stamps"
--- a/Netdisco/share/views/sidebar/search/port.tt
+++ b/Netdisco/share/views/sidebar/search/port.tt
@@ -1,6 +1,6 @@

            <p class="nd_sidebar_title"><em>Port Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
            <div class="clearfix input-prepend">
              <label class="add-on">
                <input type="checkbox" id="partial"
--- a/5
+++ b/5
@@ -9,10 +9,8 @@ FRONTEND
  - drop topo file support and use DB only
 * update inventory to use bootstrap accordion
 * UI plugins add template include path
-* logging from web app
 * reports page
 * reports plugin(s)
-* URI escape TT substitutions
 * (jeneric) device module tab


@@ -25,12 +23,15 @@ DAEMON
 CORE
 ====

+* ditch ~/bin
 * pseudo-device support
 * VRF support
 * docs notes
+  - start release notes page
  - plackup -R option
  - localenv
  - Try::Tiny
  - Role::Tiny
  - before and before_template hooks
  - running from git clone of netdisco-ng
+  - plackup --path for relocating