Escape template var output.

[gigi.git] / src / org / cacert / gigi / output / template / SprintfCommand.java

diff --git a/src/org/cacert/gigi/output/template/SprintfCommand.java b/src/org/cacert/gigi/output/template/SprintfCommand.java
index 1a3c29084e5d95bf2384f9301575a3a07b5ae85a..f0a3f35917368cc05e1c929cda9c549050a11eea 100644 (file)
--- a/src/org/cacert/gigi/output/template/SprintfCommand.java
+++ b/src/org/cacert/gigi/output/template/SprintfCommand.java
@@ -6,6 +6,7 @@ import java.util.Map;
 
 import org.cacert.gigi.Language;
 import org.cacert.gigi.output.Outputable;
+import org.cacert.gigi.util.HTMLEncoder;
 
 public final class SprintfCommand implements Outputable {
 
@@ -22,10 +23,15 @@ public final class SprintfCommand implements Outputable {
     public void output(PrintWriter out, Language l, Map<String, Object> vars) {
         String[] parts = l.getTranslation(text).split("%s");
         String[] myvars = store.toArray(new String[store.size()]);
-        out.print(parts[0]);
+        out.print(HTMLEncoder.encodeHTML(parts[0]));
         for (int j = 1; j < parts.length; j++) {
-            Template.outputVar(out, l, vars, myvars[j - 1].substring(1));
-            out.print(parts[j]);
+            String var = myvars[j - 1];
+            if (var.startsWith("$!")) {
+                Template.outputVar(out, l, vars, myvars[j - 1].substring(2), true);
+            } else {
+                Template.outputVar(out, l, vars, myvars[j - 1].substring(1), false);
+            }
+            out.print(HTMLEncoder.encodeHTML(parts[j]));
         }
     }
 }