Ensure that unsafe: is always used when the encodeJS modifier is used.

Author: Cyperghost

com.woltlab.wcf/templates/accountManagement.tpl

@@ -107,8 +107,8 @@
 					new PasswordStrength(elById('newPassword'), {
 						relatedInputs: relatedInputs,
 						staticDictionary: [
-							'{$__wcf->user->username|encodeJS}',
-							'{$__wcf->user->email|encodeJS}',
+							'{unsafe:$__wcf->user->username|encodeJS}',
+							'{unsafe:$__wcf->user->email|encodeJS}',
 						]
 					});
 				})

com.woltlab.wcf/templates/articleAdd.tpl

@@ -110,7 +110,7 @@
 				i18n: {
 					defaultLanguageId: {$defaultLanguageID},
 					isI18n: {if $article->isMultilingual}true{else}false{/if},
-					languages: { {implode from=$languages item=language glue=', '}{$language->languageID}: '{$language|encodeJS}'{/implode} }
+					languages: { {implode from=$languages item=language glue=', '}{$language->languageID}: '{unsafe:$language|encodeJS}'{/implode} }
 				},
 				redirectUrl: '{link controller='ArticleList'}{/link}'
 			});

com.woltlab.wcf/templates/headIncludeJavaScript.tpl

@@ -102,9 +102,9 @@ window.addEventListener('pageshow', function(event) {
 				],
 			{/if}
 			styleChanger: {if $__wcf->getStyleHandler()->showStyleChanger()}true{else}false{/if},
-			{if $__wcf->user->userID && !$__wcf->getMessageQuoteManager()->getRemoveQuoteIDs()|empty}removeQuotes: [{implode from=$__wcf->getMessageQuoteManager()->getRemoveQuoteIDs() item=uuid}'{$uuid|encodeJS}'{/implode}],{/if}
+			{if $__wcf->user->userID && !$__wcf->getMessageQuoteManager()->getRemoveQuoteIDs()|empty}removeQuotes: [{implode from=$__wcf->getMessageQuoteManager()->getRemoveQuoteIDs() item=uuid}'{unsafe:$uuid|encodeJS}'{/implode}],{/if}
 			{if $__wcf->user->userID && !$__wcf->getMessageQuoteManager()->getUsedQuotes()|empty}usedQuotes: new Map([
-				{foreach from=$__wcf->getMessageQuoteManager()->getUsedQuotes() key=editorID item=uuids}['{$editorID|encodeJS}', [{implode from=$uuids item=uuid}'{$uuid|encodeJS}'{/implode}]]{/foreach}
+				{foreach from=$__wcf->getMessageQuoteManager()->getUsedQuotes() key=editorID item=uuids}['{unsafe:$editorID|encodeJS}', [{implode from=$uuids item=uuid}'{unsafe:$uuid|encodeJS}'{/implode}]]{/foreach}
 			]),
 			{/if}
 		});

com.woltlab.wcf/templates/shared_uploadFieldComponent.tpl

@@ -52,7 +52,7 @@
 			imagePreview: {if !$uploadField->supportMultipleFiles() && $uploadField->isImageOnly()}true{else}false{/if},
 			{if $uploadField->getAcceptableFiles()}
 				acceptableFiles: [
-					{implode from=$uploadField->getAcceptableFiles() item=accept}'{$accept|encodeJS}'{/implode}
+					{implode from=$uploadField->getAcceptableFiles() item=accept}'{unsafe:$accept|encodeJS}'{/implode}
 				],
 			{/if}
 		});

com.woltlab.wcf/templates/shared_wysiwyg.tpl

@@ -43,9 +43,9 @@
 
 		{include file='mediaJavaScript'}
 
-		const element = document.getElementById('{$wysiwygSelector|encodeJS}');
+		const element = document.getElementById('{unsafe:$wysiwygSelector|encodeJS}');
 		if (element === null) {
-			throw new Error("Unable to find the source element '{$wysiwygSelector|encodeJS}' for the editor.")
+			throw new Error("Unable to find the source element '{unsafe:$wysiwygSelector|encodeJS}' for the editor.")
 		}
 
 		let enableAttachments = element.dataset.disableAttachments !== "true";

com.woltlab.wcf/templates/shared_wysiwygCmsToolbar.tpl

@@ -21,7 +21,7 @@
 		{jsphrase name='wcf.page.search.name'}
 		{jsphrase name='wcf.page.search.results'}
 
-		const element = document.getElementById('{$wysiwygSelector|encodeJS}');
+		const element = document.getElementById('{unsafe:$wysiwygSelector|encodeJS}');
 		setupArticle(element);
 		setupPage(element);
 	});

com.woltlab.wcf/templates/userException.tpl

@@ -30,7 +30,7 @@
 	{$stacktrace}
 	-->
 	<script>
-		console.debug('{$name|encodeJS} thrown in {$file|encodeJS} ({$line})');
+		console.debug('{unsafe:$name|encodeJS} thrown in {unsafe:$file|encodeJS} ({$line})');
 		console.debug('Stacktrace:\n{unsafe:$stacktrace|encodeJS}');
 	</script>
 {/if}

wcfsetup/install/files/acp/templates/__devtoolsProjectInstructionsFormField.tpl

@@ -250,7 +250,7 @@
 										],
 										pip: '{$instruction[pip]}',
 										runStandalone: {$instruction[runStandalone]|intval},
-										value: '{$instruction[value]|encodeJS}'
+										value: '{unsafe:$instruction[value]|encodeJS}'
 									}
 								{/implode}
 							{/if}

wcfsetup/install/files/acp/templates/articleAdd.tpl

@@ -111,7 +111,7 @@
 				i18n: {
 					defaultLanguageId: {$defaultLanguageID},
 					isI18n: {if $article->isMultilingual}true{else}false{/if},
-					languages: { {implode from=$languages item=language glue=', '}{$language->languageID}: '{$language|encodeJS}'{/implode} }
+					languages: { {implode from=$languages item=language glue=', '}{$language->languageID}: '{unsafe:$language|encodeJS}'{/implode} }
 				},
 				redirectUrl: '{link controller='ArticleList'}{/link}'
 			});

wcfsetup/install/files/acp/templates/userAdd.tpl

@@ -261,11 +261,11 @@
 							new PasswordStrength(elById('password'), {
 								relatedInputs: relatedInputs,
 								staticDictionary: [
-									'{$__wcf->user->username|encodeJS}',
-									'{$__wcf->user->email|encodeJS}',
+									'{unsafe:$__wcf->user->username|encodeJS}',
+									'{unsafe:$__wcf->user->email|encodeJS}',
 									{if $user|isset}
-										'{$user->username|encodeJS}',
-										'{$user->email|encodeJS}',
+										'{unsafe:$user->username|encodeJS}',
+										'{unsafe:$user->email|encodeJS}',
 									{/if}
 								]
 							});