
Zhang Huangbin committed a328791

Typo in templates:
* Remove unused template macros.
* Escape untrusted variables.


Files changed (17)

templates/default/ldap/admin/list.html

                     {% for admin in admins %}
                         {% set entry = admin[1] %}
 
-                        {% set mail = entry.get('mail')[0] %}
-                        {% set cn = entry.get('cn', [''])[0].decode('utf-8') %}
-                        {% set accountStatus = entry.get('accountStatus', ['disabled'])[0] |lower %}
-                        {% set domainGlobalAdmin = entry.get('domainGlobalAdmin', ['no'])[0] %}
-                        {% set timestamp = entry.get('createTimestamp', ['--------------'])[0] %}
+                        {% set mail = entry.get('mail')[0] |e %}
+                        {% set cn = entry.get('cn', [''])[0].decode('utf-8') |e %}
+                        {% set accountStatus = entry.get('accountStatus', ['disabled'])[0] |lower |e %}
+                        {% set domainGlobalAdmin = entry.get('domainGlobalAdmin', ['no'])[0] |e %}
+                        {% set timestamp = entry.get('createTimestamp', ['--------------'])[0] |e %}
 
                         <tr class="{{ accountStatus }}">
                             <td><input type="checkbox" class="checkbox " name="mail" value="{{mail}}" {% if mail == session.get('username') %}disabled{% endif %}/></td>
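Review bot: The guard `{% if mail == session.get('username') %}` on the last line now compares the already-escaped `mail` (set with `|e` at `{% set mail = entry.get('mail')[0] |e %}`) against the raw session username, so an address containing `'`, `&`, `<` or `>` (all legal in an RFC 5321 local part) no longer matches and the self-disable check silently fails. The same escaped-value comparison appears in macros/ldap.html (`{% if mail in domainAdmins %}`), macros/mysql.html (`{% if domain in managedDomains %}`, `{% if username in domainAdmins %}`) and mysql/admin/list.html (`{% if username == session.get('username') %}`, `{% if username in allGlobalAdmins %}`). Escaping at the `set` site also carries HTML entities into non-HTML contexts, e.g. the `href`/`action` path segments these values are later interpolated into. Keeping the raw value for comparisons and URL building and applying `|e` only at the HTML output site, or enabling autoescape on the Jinja2 Environment so every `{{ }}` is covered by default, avoids both problems.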

templates/default/ldap/admin/profile.html

         <div class="box-wrap clear">
             <form method="post" action="{{ctx.homepath}}/profile/admin/{{profile_type}}/{{mail}}">
                 {% if profile_type == 'general' %}
-                    {% set preferredLanguage = entry.get('preferredLanguage', ['en_US'])[0] |string %}
+                    {% set preferredLanguage = entry.get('preferredLanguage', ['en_US'])[0] |string |e %}
 
                     <div class="columns clear">
                         <div class="col2-3">
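Review bot: The `action="{{ctx.homepath}}/profile/admin/{{profile_type}}/{{mail}}"` attribute two lines above the change still interpolates `profile_type` and `mail` unescaped while this hunk only escapes `preferredLanguage`. If `mail` is not already escaped where it is assigned (outside this hunk), a quoted address can close the attribute; `action="{{ctx.homepath}}/profile/admin/{{ profile_type |e }}/{{ mail |e }}"` keeps the form consistent with the rest of the commit. The enclosing `form` continues past the end of the hunk.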

templates/default/ldap/domain/list.html

                 <tbody>
                 {% if allDomains is not string and allDomains |length != 0 %}
                     {# List domain attributes/avalues. #}
-                    {% for d in allDomains %}
-                        {% set entries = d[1] %}
-                        {% set domain = entries.get('domainName')[0] |string%}
-                        {% set cn = entries.get('cn', [domain])[0].decode('utf-8') %}
-                        {% set accountStatus = entries.get('accountStatus', ['disabled'])[0] %}
+                    {% for (dn, entries) in allDomains %}
+                        {% set domain = entries.get('domainName')[0] |string |e %}
+                        {% set cn = entries.get('cn', [domain])[0].decode('utf-8') |e %}
+                        {% set accountStatus = entries.get('accountStatus', ['disabled'])[0] |e %}
                         {% set accountSetting = allAccountSettings.get(domain, {}) %}
 
                         {# Get account limits. #}
                         {% set timestamp = entries.get('createTimestamp', ['--------------'])[0] %}
 
                         {# Get domain quota size & unit #}
-                        {% set domainQuota = accountSetting.get('domainQuota', '0:GB') %}
+                        {% set domainQuota = accountSetting.get('domainQuota', '0:GB') |e %}
                         {% set domainQuotaSize, domainQuotaUnit = domainQuota.split(':') %}
 
                         {% set domainCurrentQuotaSize = entries.get('domainCurrentQuotaSize', ['0'])[0] |int %}
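Review bot: `{% set timestamp = entries.get('createTimestamp', ['--------------'])[0] %}` is left unescaped in this hunk while the same attribute gets `|e` in ldap/admin/list.html and ldap/user/list.html in this commit. `createTimestamp` is server-generated so the practical risk is low, but any later `{{ timestamp }}` in the loop body (which continues past the hunk) then relies on that assumption; adding `|e` here keeps the three list templates uniform. The `for` loop started in this hunk ends outside it.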

templates/default/ldap/domain/profile.html

                     {% endif %}
                 {% endfor %}
             </ul>
-            <h2>{{ _('Profile of domain:') }} {{ cur_domain }}</h2>
+            <h2>{{ _('Profile of domain:') }} {{ cur_domain |e }}</h2>
         </div>
 
         <div class="box-wrap clear">

templates/default/ldap/user/create.html

         <div class="form-field clear">
             <h4 class="size-250 fl-space">{{ _('Mail Address') }} <span class="required">*</span></h4>
             <span class="clean-padding">
-                <input type="text" size="35" name="username" value="{{username}}" class="text fl-space" {% if createNewAccount is sameas false %}disabled{% endif %}/>@
+                <input type="text" size="35" name="username" value="{{ username |e }}" class="text fl-space" {% if createNewAccount is sameas false %}disabled{% endif %}/>@
                 <select name="domainName" onchange="changeUrl(this, baseurl='{{ctx.homepath}}/create/user/');">
                     {% for d in allDomains %}
-                        <option value="{{ d[1].domainName[0] }}" {% if d[1].domainName[0] == cur_domain %}selected{%endif%}>{{ d[1].domainName[0]}}</option>
+                        <option value="{{ d[1].domainName[0] |e }}" {% if d[1].domainName[0] == cur_domain %}selected{%endif%}>{{ d[1].domainName[0] |e }}</option>
                     {% endfor %}
                 </select>
             </span>

templates/default/ldap/user/list.html

 
         <tbody>
         {% if users|length > 0 %}
-            {% for i in users %}
-                {% set entries = i[1] %}
-                {% set mail = entries.get('mail')[0] |string %}
-                {% set cn = entries.get('cn', [''])[0].decode('utf-8') %}
-                {% set employeeid = entries.get('employeeNumber', [''])[0].decode('utf-8') %}
-                {% set jobTitle = entries.get('title', [''])[0].decode('utf-8') %}
+            {% for (dn, entries) in users %}
+                {% set mail = entries.get('mail')[0] |string |e %}
+                {% set cn = entries.get('cn', [''])[0].decode('utf-8') |e %}
+                {% set employeeid = entries.get('employeeNumber', [''])[0].decode('utf-8') |e %}
+                {% set jobTitle = entries.get('title', [''])[0].decode('utf-8') |e %}
 
                 {### If accountStatus is not present, mark as 'disabled'. #}
-                {% set accountStatus = entries.get('accountStatus', ['disabled'])[0] %}
+                {% set accountStatus = entries.get('accountStatus', ['disabled'])[0] |e %}
 
-                {% set mailQuota = entries.get('mailQuota', ['0'])[0] %}
-                {% set shadowAddresses = entries.get('shadowAddress', []) %}
-                {% set memberOfGroups = entries.get('memberOfGroup', []) %}
-                {% set timestamp = entries.get(time_var, ['--------------'])[0] %}
+                {% set mailQuota = entries.get('mailQuota', ['0'])[0] |e %}
+                {% set timestamp = entries.get(time_var, ['--------------'])[0] |e %}
 
                 <tr class="{{ accountStatus |lower }}">
                     <td class="checkbox"><input type="checkbox" name="mail" value="{{mail}}" /></td>
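Review bot: The hunk drops the `shadowAddresses` and `memberOfGroups` assignments, but the `for (dn, entries) in users` body continues beyond the hunk; any remaining `{{ shadowAddresses }}` or `{{ memberOfGroups }}` reference further down would now resolve to Jinja2's default Undefined and render as an empty string with no error. Worth grepping the rest of this template before merging; if the names are genuinely unused the removal is fine. The `value="{{mail}}"` on the last line is covered by the `|e` on the `set` line, so that part is consistent.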

templates/default/ldap/user/profile.html

 {% set user = user_profile[0] %}
 {% set entries = user[1] %}
 
-{% set mail = entries.get('mail')[0] %}
-{% set cn = entries.get('cn', [ mail.split('@')[0] ])[0].decode('utf-8') %}
+{% set mail = entries.get('mail')[0] |e %}
+{% set cn = entries.get('cn', [ mail.split('@')[0] ])[0].decode('utf-8') |e %}
 {% set username, cur_domain = mail.split('@', 1) %}
-{% set employeeNumber = entries.get('employeeNumber', [''])[0].decode('utf-8') %}
-{% set accountStatus = entries.get('accountStatus', ['disabled'])[0] %}
+{% set employeeNumber = entries.get('employeeNumber', [''])[0].decode('utf-8') |e %}
+{% set accountStatus = entries.get('accountStatus', ['disabled'])[0] |e %}
 
 {# Get enabledService #}
 {% if profile_type in ['general',] %}
 {% endif %}
 
 {% if profile_type == 'general' %}
-    {% set jobtitle = entries.get('title', [''])[0].decode('utf-8') %}
-    {% set mobile = entries.get('mobile', [''])[0] %}
+    {% set jobtitle = entries.get('title', [''])[0].decode('utf-8') |e %}
+    {% set mobile = entries.get('mobile', [''])[0] |e %}
     {% set telephoneNumber = entries.get('telephoneNumber', []) %}
     {% set mailQuota = '%d' % (entries.get('mailQuota', [0])[0] |int /1024/1024) %}
 {% endif %}
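Review bot: `{% set username, cur_domain = mail.split('@', 1) %}` now splits the escaped `mail`, so `username` and `cur_domain` carry HTML entities (`&amp;`, `&#39;`) instead of the raw address, and if they are used later in this file to build URLs or to compare against raw values they will not match. Leaving the `set` lines raw and escaping at the output site (`{{ mail |e }}`, `{{ cn |e }}`) keeps the derived values usable in every context. `telephoneNumber` at `{% set telephoneNumber = entries.get('telephoneNumber', []) %}` stays unescaped; that is acceptable only if its sole consumer is the macro in macros/general.html that now renders `{{ phone |e }}`, which cannot be confirmed from this hunk.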

templates/default/macros/general.html

     <div class="form-field clear">
         <h4 class="size-250 fl-space">&nbsp;</h4>
         <span>
-            <input type="submit" value="{% if label is not sameas none %}{{ label }}{% else %}{{ _('Save changes') }}{% endif %}" class="button {{color}}" />
+            <input type="submit" value="{% if label is not sameas none %}{{ label |e }}{% else %}{{ _('Save changes') }}{% endif %}" class="button {{ color |e }}" />
         </span>
     </div>
 {%- endmacro %}
     {% endif %}
 
     {% if percent > 0 or show_zero is sameas true %}
-        <div class="progress-container" title="{{tooltip}}" style="width: {{width}}; height: {{height}};">
+        <div class="progress-container" title="{{ tooltip |e }}" style="width: {{ width |e }}; height: {{height}};">
             <div class="progress-bar" style="height: {{height}}; width: {{percent}}%; background-color: {{bgcolor}};"></div>
         </div>
     {% endif %}
     {% endif %}
     <div class="form-field clear">
         <h4 class="size-250 fl-space">{{ _('User ID') }}</h4>
-        <span class="clean-padding bt-space20"><input type="text" name="employeeNumber" value="{% if value != 'None' %}{{value}}{% endif %}" size="35" class="text" /></span>
+        <span class="clean-padding bt-space20"><input type="text" name="employeeNumber" value="{% if value != 'None' %}{{ value |e }}{% endif %}" size="35" class="text" /></span>
     </div>
 {%- endmacro %}
 
 {% macro display_input_jobtitle(value='') -%}
     <div class="form-field clear">
         <h4 class="size-250 fl-space">{{ _('Job Title/Responsibility') }}</h4>
-        <span class="clean-padding bt-space20"><input type="text" name="title" value="{% if value != 'None' %}{{value}}{% endif %}" size="35" class="text" /></span>
+        <span class="clean-padding bt-space20"><input type="text" name="title" value="{% if value != 'None' %}{{ value |e }}{% endif %}" size="35" class="text" /></span>
     </div>
 {%- endmacro %}
 
 {% macro display_input_mobile(value) -%}
     <div class="form-field clear">
         <h4 class="size-250 fl-space">{{ _('Mobile') }}</h4>
-        <span class="clean-padding bt-space20"><input type="text" name="mobile" value="{{value}}" size="35" class="text" /></span>
+        <span class="clean-padding bt-space20"><input type="text" name="mobile" value="{{ value |e }}" size="35" class="text" /></span>
     </div>
 {%- endmacro %}
 
                 <h4 class="size-250 fl-space">&nbsp;</h4>
             {% endif %}
             <span class="clean-padding bt-space20">
-                <input type="text" name="telephoneNumber" value="{{phone}}" size="35" class="text" />
+                <input type="text" name="telephoneNumber" value="{{ phone |e }}" size="35" class="text" />
             </span>
         </div>
         {% endfor %}
     <h4 class="size-250 fl-space">{{ _('Preferred language') }}</h4>
     <select name="preferredLanguage">
         {% for lang in languagemaps %}
-            <option value="{{lang}}" {% if value == lang %}selected{%endif%}>{{languagemaps[lang]}}</option>
+            <option value="{{ lang |e }}" {% if value == lang %}selected{%endif%}>{{ languagemaps[lang] |e }}</option>
         {% endfor %}
     </select>
 </div>
 
 {# Used to display domainMaxXXXNumber #}
 {% macro display_number_of_account_limited(value, hide_unlimited=true) -%}
-    {% if value == '0' or value == 0 or value == 'None' %}{% if hide_unlimited is not sameas true %}<span class="grey">/<em>{{ _('Unlimited') }}</em></span>{% endif %}{%else%}<span class="grey">/ <em>{{value}}</em></span>{%endif%}
+    {% if value == '0' or value == 0 or value == 'None' %}{% if hide_unlimited is not sameas true %}<span class="grey">/<em>{{ _('Unlimited') }}</em></span>{% endif %}{%else%}<span class="grey">/ <em>{{ value |e }}</em></span>{%endif%}
 {%- endmacro %}
 
 
         {% if label == '' %}
             <h4 class="size-250 fl-space">{{ _('Mailbox Quota') }}</h4>
         {% else %}
-            <h4 class="size-250 fl-space">{{ label }}</h4>
+            <h4 class="size-250 fl-space">{{ label |e }}</h4>
         {% endif %}
 
         <span class="clean-padding fl-space2">
-            <input type="text" name="mailQuota" value="{% if show_value_in_input == 'yes' %}{{ value }}{% endif %}" size="10" class="text fl-space" /> <label class="fl-space">MB {{ comment }}</label>
+            <input type="text" name="mailQuota" value="{% if show_value_in_input == 'yes' %}{{ value |e }}{% endif %}" size="10" class="text fl-space" /> <label class="fl-space">MB {{ comment |e }}</label>
 
             {% if spare_quota_bytes |int >= 0 %}
                 {% if show_spare_quota == 'yes' and spare_quota_bytes > 0 %}
-                    <label class="fl-space">{{ _('Available quota:') }} {{spare_quota_bytes | filesizeformat}}</label>
+                    <label class="fl-space">{{ _('Available quota:') }} {{ spare_quota_bytes |filesizeformat |e }}</label>
                 {% endif %}
             {% elif spare_quota_bytes |int == -1 %}
                 {% set comment = _('Set to 0 for unlimited.') %}
             {% endif %}
         </span>
 
-        <span><input type="hidden" name="oldMailQuota" value="{{value}}" /></span>
+        <span><input type="hidden" name="oldMailQuota" value="{{ value |e }}" /></span>
     </div>
 {%- endmacro %}
 
         <div class="form-field clear">
             <h4 class="size-250 fl-space">{{ _('Relay/Transport Setting') }}</h4>
             <div class="clear">
-                <input type="text" name="mtaTransport" value="{% if transport not in ['', none] %}{{ transport }}{% endif %}" size="35" class="text" />
+                <input type="text" name="mtaTransport" value="{% if transport not in ['', none] %}{{ transport |e }}{% endif %}" size="35" class="text" />
             </div>
         </div>
     </div>{#-- .col2-3 --#}
 </div>{#-- .columns --#}
 {%- endmacro %}
 
-{% macro display_recipient_bcc(address='') -%}
-    {% if address is sameas none %}
-        {% set address = '' %}
-    {% endif %}
-    <div class="form-field clear">
-        <h4 class="size-250 fl-space">{{ _('BCC incoming emails to single address') }}</h4>
-        <span class="clean-padding">
-            <input type="text" name="recipientBccAddress" value="{{address}}" size="35" class="text" />
-        </span>
-    </div>
-{%- endmacro %}
-
-{% macro display_sender_bcc(address='') -%}
-    {% if address is sameas none %}
-        {% set address = '' %}
-    {% endif %}
-    <div class="form-field clear">
-        <h4 class="size-250 fl-space">{{ _('BCC outgoing emails to single address') }}</h4>
-        <span class="clean-padding">
-            <input type="text" name="senderBccAddress" value="{{address}}" size="35" class="text" />
-        </span>
-    </div>
-{%- endmacro %}
-
 {% macro display_input_mail(mail='', name='mail', required=false) -%}
 <div class="form-field clear">
     <h4 class="size-250 fl-space">{{ _('Mail Address') }} {% if required is sameas true %}<span class="required">*</span>{% endif %}</h4>
-    <span class="clean-padding bt-space20"><input type="text" name="{{ name }}" value="{{ mail }}" size="35" class="text" /></span>
+    <span class="clean-padding bt-space20"><input type="text" name="{{ name |e }}" value="{{ mail |e }}" size="35" class="text" /></span>
 </div>
 {%- endmacro %}
 
 {% macro display_input_domain(domain='', name='domainName', required=false) -%}
 <div class="form-field clear">
     <h4 class="size-250 fl-space">{{ _('Domain Name') }} {% if required is sameas true %}<span class="required">*</span>{% endif %}</h4>
-    <span class="clean-padding bt-space20"><input type="text" name="{{ name }}" value="{{ domain }}" size="35" class="text" /></span>
+    <span class="clean-padding bt-space20"><input type="text" name="{{ name |e }}" value="{{ domain |e }}" size="35" class="text" /></span>
 </div>
 {%- endmacro %}
 
     {% else %}
         <h4 class="{{ size }} fl-space">{{ _('Display Name') }}</h4>
     {% endif %}
-    <span class="clean-padding bt-space20"><input type="text" name="cn" value="{{cn}}" size="35" class="text" {% if tooltip != '' %}title="{{ tooltip }}"{% endif %} /></span>
+    <span class="clean-padding bt-space20"><input type="text" name="{{ name |e }}" value="{{ cn |e }}" size="35" class="text" {% if tooltip != '' %}title="{{ tooltip |e }}"{% endif %} /></span>
 </div>
 {%- endmacro %}
 
 
 
 {% macro highlight_username_in_mail(mail) -%}
-    <span><strong>{{ mail.split('@')[0] }}</strong></span><span class="grey"><em>@{{ mail.split('@')[-1] }}</em></span>
+    <span><strong>{{ mail.split('@')[0] |e }}</strong></span><span class="grey"><em>@{{ mail.split('@')[-1] |e }}</em></span>
 {% endmacro %}
 
 {% macro show_pages(baseurl, total, cur_page, near_pages=2, sep='/page/') -%}
         {% set total_pages = total // session.pageSizeLimit %}
     {% endif %}
 
+    {% set baseurl = baseurl |e %}
+    {% set sep = sep |e %}
+
     <div class="pager fr">
         {% if total_pages > 0 %}
         <span class="nav">
         {{ _('Disable account') }}
     {% elif event == 'active' %}
         {{ _('Active account') }}
+    {% else %}
+        {{ event |e }}
     {% endif %}
 {%- endmacro %}
 
-{# iRedAPD: per-user wblist #}
-{% macro display_per_user_wblist(values=[], htmlInputName, label) -%}
-    <div class="form-field clear">
-        <h4 class="size-250 fl-space">{{ label }}</h4>
-        <small>{{ _('One record one line.') }}</small>
-
-        {% if values |length == 0 %}
-            <textarea name="{{ htmlInputName }}" rows="6" class="textarea"></textarea>
-        {% else %}
-            <textarea name="{{ htmlInputName }}" rows="6" class="textarea">{% for v in values %}{{ v }}
-{% endfor %}</textarea>
-        {% endif %}
-    </div>
-{%- endmacro %}
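Review bot: The line `<input type="text" name="{{ name |e }}" value="{{ cn |e }}" ...` replaces the hard-coded `name="cn"` with a `name` parameter, but that macro's signature is outside the hunk; if it does not declare `name='cn'`, the attribute renders empty and the display-name field silently stops being submitted, so the signature should be checked before merging. In the progress-bar hunk `width` and `tooltip` get `|e` while `height`, `percent` and `bgcolor` in the same `style` attributes do not; HTML escaping is also not the right encoding for a CSS context, so those values should be validated as numbers/colours where they are produced rather than escaped here. The `show_pages` hunk's `{% set baseurl = baseurl |e %}` is fine for `href` output but would be wrong if `baseurl` is later concatenated into a non-HTML context in the rest of that macro, which lies outside the hunk.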

templates/default/macros/ldap.html

                     <div class="clear">
                     <div class="checklist-item">
                         <span class="fl-space">
-                            <input type="checkbox" name="domainName" value="{{ domainName }}" {% if domainName in managedDomains %}checked{%endif%} />
+                            <input type="checkbox" name="domainName" value="{{ domainName |e }}" {% if domainName in managedDomains %}checked{%endif%} />
                         </span>
                         <label>
                             {% if domain[1].has_key('cn') %}
-                                {{ _("%s (%s)") |format( domainName, domain[1].get('cn')[0].decode('utf-8') ) }}
+                                {{ _("%s (%s)") |format(domainName |e, domain[1].get('cn')[0].decode('utf-8') |e) }}
                             {% else %}
-                                {{ domainName }}
+                                {{ domainName |e }}
                             {% endif %}
                         </label>
                     </div>
         <h4 class="size-250 fl-space">{{ _('Domain Admins') }}</h4>
         <div class="checklist clear">
             <fieldset>
-            {% for admin in allAdmins %}
-                {% set entry = admin[1] %}
-                {% set adminMail = entry.get('mail')[0] %}
+            {% for (dn, entry) in allAdmins %}
+                {% set mail = entry.get('mail')[0] |e %}
                 <div class="clear">
                 <div class="checklist-item">
-                    <span class="fl-space"><input type="checkbox" name="domainAdmin" value="{{ adminMail }}" {% if adminMail in domainAdmins %}checked{%endif%} class="checkbox" rel="checkboxhorizont" /></span>
+                    <span class="fl-space"><input type="checkbox" name="domainAdmin" value="{{ mail }}" {% if mail in domainAdmins %}checked{%endif%} class="checkbox" rel="checkboxhorizont" /></span>
                     <label>
-                        {{ entry.get('cn')[0].decode('utf-8') }} (<a href="{{ctx.homepath}}/profile/admin/general/{{ adminMail }}" target="_blank">{{ adminMail }}</a>{% if 'yes' in entry.get('domainGlobalAdmin', []) %}, {{ _('Global Admin') }}{% endif %})
+                        {{ entry.get('cn')[0].decode('utf-8') }} (<a href="{{ctx.homepath}}/profile/admin/general/{{ mail }}" target="_blank">{{ mail }}</a>{% if 'yes' in entry.get('domainGlobalAdmin', []) %}, {{ _('Global Admin') }}{% endif %})
                     </label>
                 </div>
                 </div>
     </div>
 {%- endmacro %}
 
-{#
-Display enabledService
-    - accountType: domain, admin, user, maillist, alias.
-    - enabledService: list of all enabled services.
-#}
-{% macro display_enabled_services(accountType, enabledService) -%}
-    {# Set list of available services for different account types.
-        Format:
-            [
-                ('type_of_input', 'value_of_enabledService', 'label'),
-                ...
-            ]
-
-        @type_of_input: value of attribute "type" in HTML <input> tag.
-                        Available: hidden, checkbox.
-                        Note: This is an OPTIONAL.
-    #}
-
-    {% if accountType == 'domain' %}
-        {% set available_services = [
-                ('checkbox', 'domainalias', _('Domain alias')),
-                ('checkbox', 'recipientbcc', _('BCC incoming mails to other addresses')),
-                ('checkbox', 'senderbcc', _('BCC outgoing mails to other addresses')),
-                ] %}
-    {% elif accountType == 'user' %}
-        {% set available_services = [
-                ('hidden', 'internal', ''),
-                ('checkbox', 'smtp', _('Sending mails via SMTP')),
-                ('checkbox', 'smtpsecured', _('Sending mails via SMTP over TLS/SSL')),
-                ('checkbox', 'pop3', _('Fetching mails via POP3')),
-                ('checkbox', 'pop3secured', _('Fetching mails via POP3 over TLS/SSL')),
-                ('checkbox', 'imap', _('Fetching mails via IMAP')),
-                ('checkbox', 'imapsecured', _('Fetching mails via IMAP over TLS/SSL')),
-                ('checkbox', 'deliver', _('Receiving mails for this account on mail server')),
-                ('checkbox', 'forward', _('Forwarding mails to other addresses')),
-                ('checkbox', 'shadowaddress', _('Alias account')),
-                ('checkbox', 'managesieve', _('Customize mail filter rule')),
-                ('checkbox', 'managesievesecured', _('Customize mail filter rule over TLS/SSL')),
-                ('checkbox', 'recipientbcc', _('BCC incoming mails to other address')),
-                ('checkbox', 'senderbcc', _('BCC outgoing mails to other address')),
-                ('checkbox', 'displayedInGlobalAddressBook', _('Display mail address in global LDAP address book')),
-                ] %}
-    {% elif accountType == 'alias' %}
-        {% set available_services = [
-                ('checkbox', 'displayedInGlobalAddressBook', _('Display mail address in global LDAP address book')),
-                ] %}
-    {% endif %}
-
-    <h4 class="size-250 fl-space">{{ _('Enabled Services') }}</h4>
-    <div class="form-checkbox-item clear">
-        <input type="checkbox" name="enabledService" value="mail" {% if 'mail' in enabledService %}checked{%endif%} class="checkbox fl-space" rel="checkboxhorizont" />
-        <label>{{ _('Mail service') }} <span style="color: red;"><em>{{ _('Check this box in order to enable other mail related services.') }}</em></span></label>
-    </div>
-
-        {% for srv in available_services %}
-            {% if srv[0] != 'hidden' %}
-                <h4 class="size-250 fl-space">&nbsp;</h4>
-            {% endif %}
-            <div class="form-checkbox-item clear">
-                <input type="{{ srv[0] }}" name="enabledService" value="{{ srv[1] }}" {% if srv[1] in enabledService %}checked{%endif%} class="{{ srv[0] }} fl-space" rel="checkboxhorizont" />
-                <label>{{ srv[2] }}</label>
-            </div>
-        {% endfor %}
-{%- endmacro %}
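Review bot: On the new line `{{ entry.get('cn')[0].decode('utf-8') }} (<a href="{{ctx.homepath}}/profile/admin/general/{{ mail }}" ...` the admin's `cn` is still rendered without `|e`, although the same display-name value is escaped in the domain-list hunk above (`domain[1].get('cn')[0].decode('utf-8') |e`); `cn` is admin-editable free text, so this is the remaining injection point in this section, and the fix is `{{ entry.get('cn')[0].decode('utf-8') |e }}`. That `entry.get('cn')[0]` has no default, unlike the `[''])` fallbacks used elsewhere in this commit, so an admin entry without `cn` raises while rendering. The link also uses `target="_blank"` without `rel="noopener"`; same-origin here, so minor, but worth adding for consistency.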
-

templates/default/macros/mysql.html

             <div class="checklist clear">
                 <fieldset>
                     {% for r in allDomains %}
-                    <div class="clear">
-                    <div class="checklist-item">
-                        <span class="fl-space">
-                            <input type="checkbox" name="domainName" value="{{ r.domain }}" {% if r.domain in managedDomains %}checked{%endif%} />
-                        </span>
-                        <label>
-                            {% if r.description |length > 0 %}
-                                {{ r.domain }} ({{ r.description |cutString |e }})
-                            {% else %}
-                                {{ r.domain }}
-                            {% endif %}
-                        </label>
-                    </div>
-                    </div>
+                        {% set domain = r.domain |e %}
+                        <div class="clear">
+                            <div class="checklist-item">
+                                <span class="fl-space">
+                                    <input type="checkbox" name="domainName" value="{{ domain }}" {% if domain in managedDomains %}checked{%endif%} />
+                                </span>
+                                <label>
+                                    {% if r.description |length > 0 %}
+                                        {{ domain }} ({{ r.description |cutString |e }})
+                                    {% else %}
+                                        {{ domain }}
+                                    {% endif %}
+                                </label>
+                            </div>
+                        </div>
                     {% endfor %}
                 </fieldset>
             </div>
         <div class="checklist clear">
             <fieldset>
             {% for admin in allAdmins %}
+                {% set username = admin.username |e %}
                 <div class="clear">
                     <div class="checklist-item">
-                        <span class="fl-space"><input type="checkbox" name="domainAdmin" value="{{ admin.username }}" {% if admin.username in domainAdmins %}checked{%endif%} class="checkbox" rel="checkboxhorizont" /></span>
+                        <span class="fl-space"><input type="checkbox" name="domainAdmin" value="{{ username }}" {% if username in domainAdmins %}checked{%endif%} class="checkbox" rel="checkboxhorizont" /></span>
                         <label>
                             {% if admin.name not in ['', none,] %}
-                                {{ admin.name }}
+                                {{ admin.name |e }}
                             {% else %}
-                                {{ admin.username.split('@',1)[0] }}
+                                {{ username.split('@',1)[0] }}
                             {% endif %}
-                            (<a href="{{ctx.homepath}}/profile/admin/general/{{ admin.username }}" target="_blank">{{ admin.username }}</a>)
+                            (<a href="{{ctx.homepath}}/profile/admin/general/{{ username }}" target="_blank">{{ username }}</a>)
                         </label>
                     </div>
                 </div>
     </div>
 {%- endmacro %}
 
-{% macro display_enabled_services(accountType, profile) -%}
-    {% if accountType == 'user' %}
-        {% set available_services = [
-                ('checkbox', 'enabledeliver', _('Receiving mails for this account on mail server')),
-                ('checkbox', 'enablesmtp', _('Sending mails via SMTP')),
-                ('checkbox', 'enablesmtpsecured', _('Sending mails via SMTP over TLS/SSL')),
-                ('checkbox', 'enablepop3', _('Fetching mails via POP3')),
-                ('checkbox', 'enablepop3secured', _('Fetching mails via POP3 over TLS/SSL')),
-                ('checkbox', 'enableimap', _('Fetching mails via IMAP')),
-                ('checkbox', 'enableimapsecured', _('Fetching mails via IMAP over TLS/SSL')),
-                ('checkbox', 'enablemanagesieve', _('Customize mail filter rule')),
-                ('checkbox', 'enablemanagesievesecured', _('Customize mail filter rule over TLS/SSL')),
-                ('hidden', 'enableinternal', ''),
-                ] %}
-    {% endif %}
-
-<div class="form-field clear">
-    <h4 class="size-250 fl-space">{{ _('Enabled Services') }}</h4>
-
-    {% for srv in available_services %}
-        {% if not loop.first and srv[0] != 'hidden' %}
-            <h4 class="size-250 fl-space">&nbsp;</h4>
-        {% endif %}
-
-        <div class="form-checkbox-item clear">
-            <input type="{{ srv[0] }}" name="enabledService" value="{{ srv[1] }}" class="{{ srv[0] }}" rel="checkboxhorizont"
-                {% if srv[1] in profile.keys() %}
-                    {% if profile.__getattr__(srv[1]) == 1 %}
-                        checked
-                    {% endif %}
-                {% endif %}
-            />
-            <label>{{ srv[2] }}</label>
-        </div>
-    {% endfor %}
-</div>
-{%- endmacro %}

templates/default/mysql/admin/list.html

 
         <tbody>
             {% for r in admins %}
+                {% set username = r.username |e %}
+                {% set name = r.name |e %}
+
                 <tr>
-                    <td class="checkbox"><input type="checkbox" name="mail" value="{{ r.username |e }}" {% if r.username == session.get('username') %}disabled{% endif %}/></td>
+                    <td class="checkbox"><input type="checkbox" name="mail" value="{{ username }}" {% if username == session.get('username') %}disabled{% endif %}/></td>
                     <td>
-                        <a href="{{ctx.homepath}}/profile/admin/general/{{ r.username }}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
+                        <a href="{{ctx.homepath}}/profile/admin/general/{{ username }}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
                         {{ set_account_status_img(r.active) }}
 
                         {# -- Show name -- #}
-                        {% if r.name == '' %}
-                            {{ r.username.split('@', 1)[0] }}
+                        {% if name == '' %}
+                            {{ username.split('@', 1)[0] }}
                         {% else %}
-                            {{ r.name |cutString |e }}
+                            {{ name |cutString }}
                         {% endif %}
                     </td>
-                    <td>{{ r.username |e }}</td>
-                    {% if r.username in allGlobalAdmins %}
+                    <td>{{ username }}</td>
+                    {% if username in allGlobalAdmins %}
                         <td>{{ set_admin_type_img('yes') }}</td>
                     {% else %}
                         <td>{{ set_admin_type_img('no') }}</td>
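Review bot: `{{ name |cutString }}` reverses the previous `r.name |cutString |e` order: `name` is escaped first and truncated afterwards, so an entity such as `&amp;` or `&#39;` near the cut point can be split into a dangling `&am`, and names containing escapable characters are truncated at a different visible length than before. Using the raw value on that line, `{{ r.name |cutString |e }}`, restores truncate-then-escape. The `username == session.get('username')` and `username in allGlobalAdmins` checks on the escaped value are the same issue raised in ldap/admin/list.html.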

templates/default/mysql/admin/profile.html

             <div id="profile_general">
                 <form method="post" action="{{ctx.homepath}}/profile/admin/general/{{mail}}">
                     {% if profile.language != '' %}
-                        {% set preferredLanguage = profile.language |string %}
+                        {% set preferredLanguage = profile.language |string |e %}
                     {% else %}
                         {% set preferredLanguage = 'en_US' %}
                     {% endif %}

templates/default/mysql/domain/list.html

                 <tbody>
                     {% if allDomains |length > 0 %}
                         {% for r in allDomains %}
+                            {% set domain = r.domain |e %}
                         <tr>
                             {% if session.get('domainGlobalAdmin') is sameas true %}
-                                <td class="checkbox"><input type="checkbox" class="checkbox " name="domainName" value="{{ r.domain }}" /></td>
+                                <td class="checkbox"><input type="checkbox" class="checkbox " name="domainName" value="{{ domain }}" /></td>
                             {% endif %}
 
                             <td class="vcenter">
-                                <a href="{{ctx.homepath}}/profile/domain/general/{{ r.domain }}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
+                                <a href="{{ctx.homepath}}/profile/domain/general/{{ domain }}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
                                 {{ set_account_status_img(r.active) }}
-                                {{ r.domain }}
+                                {{ domain }}
                             </td>
                             {% if r.description is sameas none %}
                                 <td class="vcenter">&nbsp;</td>
                                 {% if r.mailboxes > 0 %}
                                     {% set percentOfNumberOfUsers = r.mailbox_count |getPercentage(r.mailboxes) %}
 
-                                    <a href="{{ctx.homepath}}/users/{{r.domain}}" title="{{ _('List all mail users.') }}" style="text-decoration: none;">{{ percentOfNumberOfUsers }}% <span class="grey">({{ r.mailbox_count }} {{ display_number_of_account_limited(r.mailboxes) }})</span></a>
+                                    <a href="{{ctx.homepath}}/users/{{domain}}" title="{{ _('List all mail users.') }}" style="text-decoration: none;">{{ percentOfNumberOfUsers }}% <span class="grey">({{ r.mailbox_count }} {{ display_number_of_account_limited(r.mailboxes) }})</span></a>
                                     {{ display_progress_bar(percentOfNumberOfUsers, style='thin') }}
                                 {% else %}
-                                    <a href="{{ctx.homepath}}/users/{{r.domain}}" title="{{ _('List all mail users.') }}" style="text-decoration: none;">{{ r.mailbox_count }}</a>
+                                    <a href="{{ctx.homepath}}/users/{{domain}}" title="{{ _('List all mail users.') }}" style="text-decoration: none;">{{ r.mailbox_count }}</a>
                                 {% endif %}
                             </td>
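Review bot: The escaped `domain` is interpolated into URL path segments at the `href` lines of this section (`/profile/domain/general/{{ domain }}` and `/users/{{domain}}`), but `|e` only neutralizes `& < > " '`; characters such as `/`, `?` and `#` pass through untouched and would alter the path or query rather than the HTML. For the attribute and text contexts the new `|e` is the right fix; for the URL context the segment additionally needs percent-encoding, e.g. `{{ r.domain |urlencode }}` (Jinja 2.7+) or an app-side `quote()`, while keeping the HTML-escaped `domain` for the visible text. The same mismatch applies to `username` in templates/default/mysql/user/list.html and to `log.admin` in templates/default/panel/log.html. These values appear to come from stored records rather than the request, so exposure is limited to stored data, but the encoding should still match the output context.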
 

templates/default/mysql/domain/profile.html

         display_input_cn,
         display_account_status,
         display_domain_transport,
-        display_enabled_services,
-        display_recipient_bcc,
-        display_sender_bcc,
         with context
         %}
 

templates/default/mysql/user/create.html

                             <input type="text" size="35" name="username" value="" class="text fl-space" {% if createNewAccount is sameas false %}disabled{% endif %}/>@
                             <select name="domainName" onchange="changeUrl(this, baseurl='{{ctx.homepath}}/create/user/');">
                                 {% for d in allDomains %}
-                                    <option value="{{ d.domain |string }}" {% if d.domain == cur_domain %}selected{%endif%}>{{ d.domain }}</option>
+                                    <option value="{{ d.domain |string |e }}" {% if d.domain == cur_domain %}selected{%endif%}>{{ d.domain |e }}</option>
                                 {% endfor %}
                             </select>
                         </span>
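Review bot: `|string |e` on the option value at the changed line is redundant, because the `e` filter already coerces its argument to text before escaping, so `{{ d.domain |e }}` is sufficient and mirrors the display text in the same element. The `selected` comparison correctly keeps using the raw `d.domain`, so nothing else in the line needs to change. The same `|string |e` pairing appears in templates/default/mysql/admin/profile.html and could be trimmed there too.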

templates/default/mysql/user/list.html

         <tbody>
         {% if users|length > 0 %}
             {% for r in users %}
+                {% set username = r.username |e %}
                 <tr>
-                    <td class="checkbox"><input type="checkbox" name="username" value="{{r.username}}" /></td>
+                    <td class="checkbox"><input type="checkbox" name="username" value="{{username}}" /></td>
                     <td class="vcenter">
-                        <a href="{{ctx.homepath}}/profile/user/general/{{r.username}}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
+                        <a href="{{ctx.homepath}}/profile/user/general/{{username}}"><img src="{{ctx.homepath}}/static/{{skin}}/images/action_edit.png" title="{{ _('Edit account profile') }}" class="fr-space"/></a>
                         {{ set_account_status_img(r.active) }}
                         {% if r.name %}
                             {{ r.name |cutString |e }}
                         {% else %}
-                            {{ r.username.split('@', 1)[0] }}
+                            {{ username.split('@', 1)[0] }}
                         {% endif %}
                     </td>
-                    <td class="vcenter">{{ highlight_username_in_mail(r.username) }}</td>
-                    <td class="vcenter">{% if r.employeeid %}{{ r.employeeid }}{% endif %}</td>
+                    <td class="vcenter">{{ highlight_username_in_mail(username) }}</td>
+                    <td class="vcenter">{% if r.employeeid %}{{ r.employeeid |e }}{% endif %}</td>
                     {#
                     <td class="vcenter">{{ jobTitle }}</td>
                     #}
                         {% set percent = r.bytes |getPercentage(r.quota * 1024 * 1024) %}
                         <td class="vcenter">
                             <div>
-                                <span title="{{ _('Edit quota setting') }}"><a href="{{ctx.homepath}}/profile/user/general/{{r.username}}">{{ percent }}%</a></span>
+                                <span title="{{ _('Edit quota setting') }}"><a href="{{ctx.homepath}}/profile/user/general/{{username}}">{{ percent }}%</a></span>
                                 <span class="grey">(<span title="{{ _('Stored') }}">{{ r.messages }} {{_('Emails') }}/{{ r.bytes |filesizeformat }}</span>)/<span title="{{ _('Allocated') }}">{{ r.quota |filesizeformat(baseMB=True) }}</span></span>
                             </div>
                             {{ display_progress_bar(percent, show_zero=true, width='60%', style='thin') }}
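Review bot: `highlight_username_in_mail(username)` at the changed `<td>` now receives an already-escaped Markup value instead of the raw `r.username`; if that callable splits the address and rebuilds it with literal tags through string concatenation or formatting, Markup's operators will escape those tags and the highlight markup would be lost. Its body is not in this diff, so confirm its output is unchanged, or pass `r.username` and let it escape the parts it interpolates itself. A short comment next to the new `set`, such as `{# username is HTML-escaped; use r.username where the raw value is needed #}`, would also help readers, since `r.name |cutString |e` in the same cell still follows the escape-last pattern.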

templates/default/panel/log.html

     <select name="domain">
         <option value="all">{{ _('Domains') }}</option>
         {% for d in allDomains %}
-            <option value="{{d}}" {% if d == domain %}selected{% endif %}>{{ d }}</option>
+            <option value="{{ d |e }}" {% if d == domain %}selected{% endif %}>{{ d |e }}</option>
         {% endfor %}
     </select>
 
         <select name="admin">
             <option value="all">{{ _('Admins') }}</option>
             {% for a in allAdmins %}
-                <option value="{{a}}" {% if a == admin %}selected{% endif %}>{{ a }}</option>
+                <option value="{{ a |e }}" {% if a == admin %}selected{% endif %}>{{ a |e }}</option>
             {% endfor %}
         </select>
     {% endif %}
 
     <select name="event">
-        {% for e in allEvents %}
-            <option value="{{e}}" {% if e == event %}selected{% endif %}>{{ show_event_name(event=e) }}</option>
+        {% for evt in allEvents %}
+            <option value="{{ evt |e }}" {% if evt == event %}selected{% endif %}>{{ show_event_name(event=evt) }}</option>
         {% endfor %}
     </select>
 
                     <td class="checkbox"><input type="checkbox" name="id" value="{{log.id}}" class="checkbox" /></td>
                 {% endif %}
                 <td>{{ log.timestamp |setDatetimeFormat }}</td>
-                <td><a href="{{ctx.homepath}}/profile/admin/general/{{log.admin}}">{{ log.admin }}</a></td>
-                <td>{{ log.ip }}</td>
-                <td class="{{log.event}}_{{log.loglevel}}">{{ log.msg }}</td>
+                <td><a href="{{ctx.homepath}}/profile/admin/general/{{ log.admin |e }}">{{ log.admin |e }}</a></td>
+                <td>{{ log.ip |e }}</td>
+                <td class="{{ log.event |e }}_{{ log.loglevel |e }}">{{ log.msg |e }}</td>
             </tr>
         {% endfor %}
         </tbody>
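Review bot: The checkbox `value="{{log.id}}"` at the top of the log-row hunk is the only raw log field left unescaped while `log.admin`, `log.ip`, `log.event`, `log.loglevel` and `log.msg` all gain `|e` in the same hunk; if `log.id` is an integer key the risk is nil, but for consistency and resilience to a later type change it should read `value="{{ log.id |e }}"`. The rename of the loop variable from `e` to `evt` in the event select is a readability improvement only: Jinja resolves `|e` from the filter namespace, so the template variable `e` never shadowed it. The enclosing `<tr>` and table of the log-row hunk start outside the hunk.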