Fixing XSS vulnerabilities with issue search and filters

app/view/blocks/issue-list.html

@@ -5,8 +5,8 @@
 </check>
 <form action="{{ @BASE }}/issues" method="get" class="table-responsive filter-form">
 	<check if="{{ !empty(@heading_links_enabled) }}">
-		<input type="hidden" name="orderby" value="{{ !empty(@GET.orderby) ? @GET.orderby : 'priority' }}" />
-		<input type="hidden" name="ascdesc" value="{{ !empty(@GET.ascdesc) ? @GET.ascdesc : 'desc' }}" />
+		<input type="hidden" name="orderby" value="{{ (!empty(@GET.orderby) ? @GET.orderby : 'priority') | esc }}" />
+		<input type="hidden" name="ascdesc" value="{{ (!empty(@GET.ascdesc) ? @GET.ascdesc : 'desc') | esc }}" />
 	</check>
 	<table class="table table-striped table-hover table-condensed issue-list">
 		<thead>
@@ -20,7 +20,7 @@
 						</check>
 					</td>
 					<td>
-						<input type="text" class="form-control input-sm" name="name" value="{{ !empty(@GET.name) ? @GET.name : '' }}">
+						<input type="text" class="form-control input-sm" name="name" value="{{ @@GET.name | esc }}">
 					</td>
 					<td>
 						<select class="form-control input-sm" name="type_id">
@@ -68,7 +68,7 @@
 						</select>
 					</td>
 					<td>
-						<input class="form-control input-sm" name="parent_id" value="{{ !empty(@GET.parent_id) ? @GET.parent_id : '' }}" />
+						<input class="form-control input-sm" name="parent_id" value="{{ @@GET.parent_id | esc }}" />
 					</td>
 					<td>
 						<select class="form-control input-sm" name="author_id">

app/view/blocks/navbar.html

@@ -123,7 +123,7 @@
 
 			<form class="navbar-form navbar-right" role="search" action="{{ @BASE }}/search" method="get">
 				<div class="form-group">
-					<input type="search" name="q" class="form-control input-sm" placeholder="{{ @dict.issue_search }}" value="{{ @@GET.q }}">
+					<input type="search" name="q" class="form-control input-sm" placeholder="{{ @dict.issue_search }}" value="{{ @@GET.q | esc }}">
 				</div>
 				<button type="submit" class="btn btn-default btn-sm hidden-xs">
 					<span class="sr-only">{{ @dict.submit }}</span>

app/view/issues/search.html

@@ -8,7 +8,7 @@
 <include href="blocks/navbar.html" />
 <div class="container-fluid">
 	<p>
-		<a href="{{ @BASE }}/search?q={{ @GET.q }}&amp;closed={{ empty(@GET.closed) }}">{{ empty(@GET.closed) ? 'Include closed issues' : 'Exclude closed issues' }}</a>
+		<a href="{{ @BASE }}/search?q={{ @GET.q | esc }}&amp;closed={{ empty(@GET.closed) }}">{{ empty(@GET.closed) ? 'Include closed issues' : 'Exclude closed issues' }}</a>
 	</p>
 	<include href="blocks/issue-list.html" />
 	<p class="pull-right hidden-xs">
@@ -17,11 +17,11 @@
 	<check if="{{ @issues.count }}">
 		<div class="text-center">
 			<ul class="pagination pagination-sm" style="margin: 15px 0;">
-				<li {~ if(@issues.pos == 0) echo 'class="disabled"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q }}&amp;page={{ @issues.pos ? @issues.pos - 1 : 0 }}">&laquo;</a></li>
+				<li {~ if(@issues.pos == 0) echo 'class="disabled"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q | esc }}&amp;page={{ @issues.pos ? @issues.pos - 1 : 0 }}">&laquo;</a></li>
 				<repeat group="{{ @pages }}" value="{{ @page }}">
-					<li {~ if(@page == @issues.pos) echo 'class="active"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q }}&amp;page={{ @page }}">{{ @page + 1 }}</a></li>
+					<li {~ if(@page == @issues.pos) echo 'class="active"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q | esc }}&amp;page={{ @page }}">{{ @page + 1 }}</a></li>
 				</repeat>
-				<li {~ if(@issues.pos == @issues.count - 1) echo 'class="disabled"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q }}&amp;page={{ (@issues.pos < @issues.count - 1) ? @issues.pos + 1 : @issues.count - 1 }}">&raquo;</a></li>
+				<li {~ if(@issues.pos == @issues.count - 1) echo 'class="disabled"' ~}><a href="{{ @BASE }}/search?q={{ @GET.q | esc }}&amp;page={{ (@issues.pos < @issues.count - 1) ? @issues.pos + 1 : @issues.count - 1 }}">&raquo;</a></li>
 			</ul>
 		</div>
 	</check>