FCLT#72831 XSS preventie; her-commit van r 56078 en 56084 maar dan in 2022.3

svn path=/Website/trunk/; revision=56090
2022-06-02 09:48:05 +00:00
parent 24f784c1ff
commit ee8af257f9
20 changed files with 67 additions and 66 deletions
--- a/APPL/BEZ/bez_edit_afspraak.asp
+++ b/APPL/BEZ/bez_edit_afspraak.asp
@@ -189,7 +189,7 @@ else
    <%  FCLTHeader.Generate() %>
    <script type="text/javascript">
-      var titel = "<%=titel%>";
+      var titel = "<%=safe.jsstring(titel)%>";
      $(function()
      {
--- a/APPL/BEZ/bez_edit_bezoekers.inc
+++ b/APPL/BEZ/bez_edit_bezoekers.inc
@@ -200,7 +200,7 @@ function bez_edit_bezoekers(afspraak_key, afspraak_begin, afspraak_eind, loc_key
 <%          if (!params.contactonly  && (S("bez_sel_contactpersoon") > 0 || S("bez_sel_internpersoon") == 1))
            { %>
              <td align="center">
-                <span onclick="selectPerson(<%=next_vis%>)" title="<%=titel%>"><%=I("fa-user", { fastyle: "fas" })%></span>
+                <span onclick="selectPerson(<%=next_vis%>)" title="<%=safe.htmlattr(titel)%>"><%=I("fa-user", { fastyle: "fas" })%></span>
              </td>
 <%          } else if (params.contactonly && S("bez_sel_contactpersoon") > 0) { %>
              <td>
@@ -418,7 +418,7 @@ function bez_edit_bezoekers(afspraak_key, afspraak_begin, afspraak_eind, loc_key
 <%      if (!params.contactonly && (S("bez_sel_contactpersoon") > 0 || S("bez_sel_internpersoon") == 1))
        { %>
          cell = ih.insertCell(-1);
-          cell.innerHTML = "<span OnClick='selectPerson(" + next_vis + ")' title='<%=titel%>'>" + I("fa-user", { fastyle: "fas" }) + "</span>";
+          cell.innerHTML = "<span OnClick='selectPerson(" + next_vis + ")' title='<%=safe.htmlattr(titel)%>'>" + I("fa-user", { fastyle: "fas" }) + "</span>";
          cell.align = 'center';
 <%      } else if (params.contactonly && S("bez_sel_contactpersoon") > 0) { %>
          cell = ih.insertCell(-1);
--- a/APPL/CAD/ShowRoom.asp
+++ b/APPL/CAD/ShowRoom.asp
@@ -150,7 +150,7 @@ FCLTHeader.Requires({ js: ["jquery.js"] });
        MMap.Refresh(true); // Try to zoom extents
    }
    </script>
-    <title><%=titel%></title>
+    <title><%=safe.html(titel)%></title>
 </head>
 <body class='modal' id='docBody' onLoad='javascript:init();'>
--- a/APPL/CAD/ShowTerrain.asp
+++ b/APPL/CAD/ShowTerrain.asp
@@ -55,7 +55,7 @@ var titel = L("lcl_graphics") + " " + oRs("alg_locatie_code").Value + "-"
        MMap.Refresh(true); // Try to zoom extents
      }
    </script>
-    <title><%=titel%></title>
+    <title><%=safe.html(titel)%></title>
  </head>
  <body id='docBody' onLoad='javascript:init();'>
@@ -68,4 +68,4 @@ var titel = L("lcl_graphics") + " " + oRs("alg_locatie_code").Value + "-"
    </iframe>
  </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/FAC/fac_edit_xsl.asp
+++ b/APPL/FAC/fac_edit_xsl.asp
@@ -144,7 +144,7 @@ if (xmlnode) // safety check
    var f = fso.GetFile(xslsheet);
    teaser = teaser.format(toDateTimeString(new Date(f.DateLastModified)));
 %>  <tr>
-        <td colspan="2"><%=teaser%></td>
+        <td colspan="2"><%=safe.html(teaser)%></td>
    </tr>
    <tr>
        <td colspan="2">
@@ -169,7 +169,7 @@ if (xmlnode) // safety check
 <form name="xslview" action="fac_preview_xsl.asp" target='RapPreview' id="xslview">
    <tr>
        <td class="label">
-            <input type='hidden' name='xmlnode' value='<%=xmlnode%>'>
+            <input type='hidden' name='xmlnode' value='<%=safe.htmlattr(xmlnode)%>'>
            <label class="label" for="key"><%=L("lcl_xsledit_key")%></label>
        </td>
        <td>
--- a/APPL/FAC/fac_locale_data.asp
+++ b/APPL/FAC/fac_locale_data.asp
@@ -126,7 +126,7 @@ oRs.Close();
  </head>
  <body class="modal" id="localebody">
      <% MODAL_START(); %>
-      <form id="lclform" name="lclform" action="fac_locale_data.asp?submit=1&kolomnaam=<%=kolomnaam%>&kolomkeyval=<%=kolomkeyval%>" method="post">
+      <form id="lclform" name="lclform" action="fac_locale_data.asp?submit=1&kolomnaam=<%=safe.url(kolomnaam)%>&kolomkeyval=<%=kolomkeyval%>" method="post">
 <%
        MODAL_BLOCK_START("mldReject", lbl);
@@ -177,9 +177,9 @@ function langlabel(code)
            else
            { %>
                <tr>
-                  <td class="label"><label for="<%=fldname%>"><nobr><%=langlabel(oRs("fac_locale_lang").Value)%></nobr></label></td>
+                  <td class="label"><label for="<%=safe.htmlattr(fldname)%>"><nobr><%=langlabel(oRs("fac_locale_lang").Value)%></nobr></label></td>
                  <td>
-                    <textarea class="fldtxt" name="<%=fldname%>" rows="3"><%=safe.textarea(oRs("fac_locale_tekst").Value)%></textarea>
+                    <textarea class="fldtxt" name="<%=safe.htmlattr(fldname)%>" rows="3"><%=safe.textarea(oRs("fac_locale_tekst").Value)%></textarea>
                  </td>
                </tr>
            <% }
@@ -201,4 +201,4 @@ IFACE.FORM_END();
      <% MODAL_END(); %>
  </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/FAC/fac_locale_dialect.asp
+++ b/APPL/FAC/fac_locale_dialect.asp
@@ -130,7 +130,7 @@ var term_omschrijving = oRs("descr").Value;
                     {title: L("lcl_cancel"), icon: "fa-fclt-cancel", action: "FcltMgr.closeDetail(window, { cancel: true } )" }];
    IFRAMER_HEADER(L("lcl_lcl_terminologie") + " " + term_label + " " + term_omschrijving, buttons);
 %>
-      <form id="lclform" name="lclform" action="fac_locale_dialect.asp?submit=1&dialect_key=<%=dialect_key%>&dialect_id=<%=dialect_id%>&lang=<%=lang%>" method="post">
+      <form id="lclform" name="lclform" action="fac_locale_dialect.asp?submit=1&dialect_key=<%=dialect_key%>&dialect_id=<%=safe.url(dialect_id)%>&lang=<%=lang%>" method="post">
 <%
        BLOCK_START("lcldialect", lang, { icon: "fa-language", wide: true, tablestyle: true });
@@ -170,4 +170,4 @@ IFACE.FORM_END();
    <% SUBFRAME_END(); %>
  </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/FAC/fac_menu.inc
+++ b/APPL/FAC/fac_menu.inc
@@ -104,7 +104,7 @@ function CreateItems(menuItems, pmode, start_collapsed, max_lines)
                showtxt += " <span class='guicnt'>({0})</span>".format(guiarr[itm.href]);
        }
        var unpin = (itm.orggroep == MENU.FAV && pmode != 3 // niet op portal
-                    ? "<span class='menupinned' title='" + L("lcl_current_fav_unsave") + "'"
+                    ? "<span class='menupinned' title='" + safe.htmlattr(L("lcl_current_fav_unsave")) + "'"
                        + " onclick='FcltMgr.stopPropagation(event);FcltMgr.saveFavMenu(this);'"
                        + " data-menu-key='" + (itm.menu_key || -1) + "'"
                        + " fav_ttl='" + safe.htmlattr(itm.name) + "'>"
--- a/APPL/FAC/fac_refresh_accept.asp
+++ b/APPL/FAC/fac_refresh_accept.asp
@@ -100,7 +100,7 @@ var dumpfile_timestamp = fso.getFile(dumpfile).DateLastModified;
      %>
    <form id="refreshform" name="refreshform" action="fac_refresh_accept_save.asp">
        <% MODAL_BLOCK_START("dbrefresh", L("lcl_fac_refresh_accept"), {icon: "fa-siren-on"}); %>
-        <input type="hidden" id="batfile" name="batfile" value="<%=refresh_bat%>">
+        <input type="hidden" id="batfile" name="batfile" value="<%=safe.htmlattr(refresh_bat)%>">
        <%  ROFIELDTR("fld", L("lcl_fac_refresh_dumpfile"), dumpfile);
            RWFIELDTR("emailadr", "fld mailto", L("lcl_fac_refresh_notify"), getUserEmail(), {readonly: (isscheduled?true:false)});
            ROFIELDTR("fldfacrefresh", "", isscheduled?L("lcl_fac_refresh_oldschedule").format(customerId, toDateTimeString(scheduled_timestamp)):"", {id: "accept_msg"});
--- a/APPL/FAC/fac_setenv.asp
+++ b/APPL/FAC/fac_setenv.asp
@@ -24,7 +24,7 @@ var authparams = user.checkAutorisation(autfunction);
 <%  FCLTHeader.Generate() %>
  </head>
  <body>
-<%  newenv = getQParam('env','X');
+<%  newenv = getQParamSafe('env', 'X');
    if (newenv != 'O' && newenv != 'T' && newenv != 'A' && newenv != 'P')
      newenv = 'X';
@@ -35,15 +35,15 @@ var authparams = user.checkAutorisation(autfunction);
    {
      oRs = Oracle.Execute("UPDATE fac_version SET fac_version_otap = " + safe.quoted_sql(newenv));
 %>    <script type="text/javascript">
-        FcltMgr.alert("Facilitor environment set to <%=newenv%> (was <%=oldenv%>)");
+        FcltMgr.alert("Facilitor environment set to <%=newenv%> (was <%=safe.jsstring(oldenv)%>)");
      </script>
 <%  }
    else
    { %>
      <script type="text/javascript">
-        FcltMgr.alert("Facilitor environment is <%=oldenv%>");
+        FcltMgr.alert("Facilitor environment is <%=safe.jsstring(oldenv)%>");
      </script>
 <%  } %>
  </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/FAC/fac_widgetspage.asp
+++ b/APPL/FAC/fac_widgetspage.asp
@@ -40,25 +40,26 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
  // more=1 adds an extra container with handles to limit or expand the view
  //  var more = p_url.indexOf("more=1") > -1;
  var more = true;
  var safe_divid = p_divid.replace(/[^_a-zA-Z0-9\-]/g, ""); // Anders moeten we wel heel vaak safe.functies aanroepen
  if (more)
  {
 %>
  <div class="widgetcontainer" style="width:<%=p_width%>%">
-    <div class="widgetx" id="<%=p_divid%>" style="width:100%;<%=(p_height ? 'height:' + p_height + 'px;' : '')%>">
+    <div class="widgetx" id="<%=safe_divid%>" style="width:100%;<%=(p_height ? 'height:' + p_height + 'px;' : '')%>">
 <%
  }
  else
  {
 %>
-    <div class="widgetx" id="<%=p_divid%>" style="width:<%=p_width%>%;height:<%=p_height%>px;float:left">
+    <div class="widgetx" id="<%=safe_divid%>" style="width:<%=p_width%>%;height:<%=p_height%>px;float:left">
 <%
  }
 %>
       <div class="widgettitlex"><%=p_title%></div>
-       <iframe src="<%=p_url%>&title_locked=1" id="<%=p_divid%>frame" name="<%=p_divid%>frame" refresher="<%=p_refreshtime%>"
+       <iframe src="<%=safe.htmlattr(p_url)%>&title_locked=1" id="<%=safe_divid%>frame" name="<%=safe_divid%>frame" refresher="<%=p_refreshtime%>"
           height="<%=(p_height - (p_title ? 20 : 0))%>px" width="100%" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"
-           onload="<%=(!p_height?'FcltMgr.iframeLoaded(this);':'') + 'iframeIsLoaded(\'iframe#' + p_divid + 'frame\');' %>"
+           onload="<%=(!p_height?'FcltMgr.iframeLoaded(this);':'') + 'iframeIsLoaded(\'iframe#' + safe_divid + 'frame\');' %>"
-           onchange="<%=(more?p_divid+'ChangeEvent();':'')%>"
+           onchange="<%=(more?safe_divid+'ChangeEvent();':'')%>"
           >
      </iframe>
   </div>
@@ -66,7 +67,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
  if (more)
  {
 %>
-  <div id="<%=p_divid%>carddesc" class="fcltcard carddesc disable-sort-item" style="display:block;width:100%;">
+  <div id="<%=safe_divid%>carddesc" class="fcltcard carddesc disable-sort-item" style="display:block;width:100%;">
        <table class="fcltcardtab" width="100%">
            <tbody>
                <tr>
@@ -77,7 +78,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
            </tbody>
        </table>
    </div>
-    <div id="<%=p_divid%>cardasc" class="fcltcard cardasc disable-sort-item" style="display:none;width:100%;">
+    <div id="<%=safe_divid%>cardasc" class="fcltcard cardasc disable-sort-item" style="display:none;width:100%;">
        <table class="fcltcardtab" width="100%">
            <tbody>
                <tr>
@@ -91,36 +92,36 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
    <script>
      function clickDesc(event) {
        // set container height to auto, hide carat down and show carat up
-        $("#<%=p_divid%>").css("height", "auto");
+        $("#<%=safe_divid%>").css("height", "auto");
-        $("#<%=p_divid%>carddesc").css("display", "none");
+        $("#<%=safe_divid%>carddesc").css("display", "none");
-        $("#<%=p_divid%>cardasc").css("display", "block");
+        $("#<%=safe_divid%>cardasc").css("display", "block");
      }
      function clickAsc(event) {
        // set container height to initial height, hide carat down and show carat up
-        $("#<%=p_divid%>").css("height", "<%=p_height%>px");
+        $("#<%=safe_divid%>").css("height", "<%=p_height%>px");
-        $("#<%=p_divid%>cardasc").css("display", "none");
+        $("#<%=safe_divid%>cardasc").css("display", "none");
-        $("#<%=p_divid%>carddesc").css("display", "block");
+        $("#<%=safe_divid%>carddesc").css("display", "block");
      }
-      function <%=p_divid%>ChangeEvent(event) {
+      function <%=safe_divid%>ChangeEvent(event) {
        // set div to initial height
-        $("#<%=p_divid%>").css("height", "<%=p_height%>px");
+        $("#<%=safe_divid%>").css("height", "<%=p_height%>px");
        // set explicit height of frame according to content
-        $("#<%=p_divid%>frame").css("height", $("body", $("#<%=p_divid%>frame").contents()).height());
+        $("#<%=safe_divid%>frame").css("height", $("body", $("#<%=safe_divid%>frame").contents()).height());
        // hide carats when the content fits within the div's initial height
-        if ($("#<%=p_divid%>").height() > $("#<%=p_divid%>frame").height())
+        if ($("#<%=safe_divid%>").height() > $("#<%=safe_divid%>frame").height())
        {
-          $("#<%=p_divid%>carddesc, #<%=p_divid%>cardasc").css("display", "none");
+          $("#<%=safe_divid%>carddesc, #<%=safe_divid%>cardasc").css("display", "none");
        }
        else
        {
-          $("#<%=p_divid%>carddesc").css("display", "block");
+          $("#<%=safe_divid%>carddesc").css("display", "block");
-          $("#<%=p_divid%>cardasc").css("display", "none");
+          $("#<%=safe_divid%>cardasc").css("display", "none");
        }
      }
-      $("#<%=p_divid%>carddesc td").on("click", clickDesc);
+      $("#<%=safe_divid%>carddesc td").on("click", clickDesc);
-      $("#<%=p_divid%>cardasc td").on("click", clickAsc);
+      $("#<%=safe_divid%>cardasc td").on("click", clickAsc);
      // carats default hidden
-      $("#<%=p_divid%>carddesc, #<%=p_divid%>cardasc").css("display", "none");
+      $("#<%=safe_divid%>carddesc, #<%=safe_divid%>cardasc").css("display", "none");
    </script>
  </div>
 <%
@@ -128,7 +129,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
 %>
   <%if (p_refreshtime != -1 && p_refreshtime >= 60){
   %><script type='text/javascript'>
-         setReloadTimer("<%=p_divid%>frame", "<%=safe.jsstring(p_url)%>", <%=p_refreshtime%>);
+         setReloadTimer("<%=safe_divid%>frame", "<%=safe.jsstring(p_url)%>", <%=p_refreshtime%>);
     </script><%
   }
 }
--- a/APPL/FAC/menu_sort.asp
+++ b/APPL/FAC/menu_sort.asp
@@ -80,18 +80,18 @@ FCLTHeader.Requires({plugins:["jQuery"], js: ["jquery-ui.js"]})
    while (!oRs.eof)
    {
        var tekst = oRs("groep").Value + "-" + "<span style='display: inline-block;width:100px'>" + oRs("fac_menu_volgnr").Value + "</span>";
-        var label = fac.localstring(oRs("label").value);
+        var safe_label = safe.html(fac.localstring(oRs("label").value));
        if (oRs("url").Value == null)
        {
-            label = "<span class='menukop'>" +  label + "</span>";
+            safe_label = "<span class='menukop'>" +  safe_label + "</span>";
        }
-        tekst += label;
+        tekst += safe_label;
-        %><li volgnr="<%=oRs("fac_menu_volgnr").Value%>" menukey=<%=oRs("fac_menu_key").Value%>><%=tekst%></li><%
+        %><li volgnr="<%=oRs("fac_menu_volgnr").Value%>" menukey="<%=oRs("fac_menu_key").Value%>"><%=tekst%></li><%
        oRs.MoveNext();
    }
 %>
    </ul>
 </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/FAC/prodsearch.asp
+++ b/APPL/FAC/prodsearch.asp
@@ -340,7 +340,7 @@ function suggest_box_histogram (titel, histograms, kolom, params)
 %>
  <table class="filter" width="100%">
-  <tr><th colspan="2"><%=titel%></th></tr>
+  <tr><th colspan="2"><%=safe.html(titel)%></th></tr>
 <%
    var i;
    for (i = 0; i < myhist.length && i<=20; i ++)
@@ -369,7 +369,7 @@ function suggest_box_resruimte (titel, histograms, kolom, params)
 {
 %>
  <table class="filter" width="100%">
-  <tr><th><%=titel%></th></tr>
+  <tr><th><%=safe.html(titel)%></th></tr>
  <tr><td>
 <%
    FCLTcalendar("date_from",
--- a/APPL/KPI/kpi_detail.asp
+++ b/APPL/KPI/kpi_detail.asp
@@ -92,7 +92,7 @@ while (!oRs_h.eof)
        <td colspan="2" class="kpisec_heading"><%=safe.html(h_head_naam)%></td>
      </tr>
      <tr>
-        <td class="kpiavg" style="background-color: <%=h_head_kleur%>"><%=h_head_score%></td>
+        <td class="kpiavg" style="background-color: <%=safe.htmlattr(h_head_kleur)%>"><%=h_head_score%></td>
        <td>
          <table>
 <%
@@ -135,4 +135,4 @@ oRs_h.Close();
    </table>
  </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/MLD/mld_show_opdr.asp
+++ b/APPL/MLD/mld_show_opdr.asp
@@ -213,7 +213,7 @@ reqStatusEmptyOpdr = mld.getActieKenmerkenOpdr(reqStatusEmptyOpdr, opdr_key, {ha
      // Text strings used by mld_show_opdr.js
      var urole = "<%=urole%>";
      var opdr_key = "<%=opdr_key%>";
-      var prefix = "<%=prefix%>";
+      var prefix = "<%=safe.jsstring(prefix)%>";
      var mld_key = "<%=mld_opdr.mld_key%>";
      var volgnr = "<%=mld_opdr.volgnr%>";
      var defemail_key = "<%=defemail_key%>";
--- a/APPL/MLD/opdr_edit_uren.asp
+++ b/APPL/MLD/opdr_edit_uren.asp
@@ -696,7 +696,7 @@ if (urole != "fe" && canWrite)
            cls += " mldimpropdruren";
          }
          %><tr id="<%=idcode%>" class="<%=cls%>">
-                <td title="<%=ttl1%>"><%= txt %></td>
+                <td title="<%=safe.htmlattr(ttl1)%>"><%= txt %></td>
                <td class="colhandler"><%= safe.html(oRs("naam").Value) %></td>
                <td title="<%=safe.htmlattr(ttl)%>"><%= safe.html(oms) %></td>
          <%
--- a/APPL/MSG/msg_edit_message.asp
+++ b/APPL/MSG/msg_edit_message.asp
@@ -101,7 +101,7 @@ if( lBestaandBericht ) {  // Dit moet/zal altijd een reply zijn!
        FcltMgr.alert(L("lcl_shared_validator_missing"));
        return false;
    }
-        
+
    // We voorkomen:  @@todo
    // - leeg bericht (subject en/of body)
    // - bericht zonder extra bevestiging naar iedereen
@@ -146,14 +146,14 @@ if( lBestaandBericht ) {  // Dit moet/zal altijd een reply zijn!
 </head>
 <body class="editmode">
-<% SUBFRAME_START(); 
+<% SUBFRAME_START();
 var buttons = [{ icon: "fa-fclt-save", title: L("lcl_mes_send"), action: 'checkInput()' },
                   { icon: "fa-fclt-cancel",    title: L("lcl_cancel"),   action:"FcltMgr.closeDetail(window, { cancel: true } );" } ];
    IFRAMER_HEADER(L("lcl_mes_message"), buttons);%>
-  <form name="u2" 
+  <form name="u2"
-        action="msg_message_save.asp?message_reply=<%=message_reply?1:0%>&message_key=<%=message_key%>" 
+        action="msg_message_save.asp?message_reply=<%=message_reply?1:0%>&message_key=<%=message_key%>"
        method="post">
 <%
@@ -210,7 +210,7 @@ var buttons = [{ icon: "fa-fclt-save", title: L("lcl_mes_send"), action: 'checkI
 %>
  <tr>
    <td class="label"><label><%=L("lcl_mes_link")%></label></td>
-    <td colspan="3"><a class="fldmsgurl" href="<%=safe.htmlattr(ilink)%>" target="_blank" rel="noopener noreferrer"><%=ilink%></a></td>
+    <td colspan="3"><a class="fldmsgurl" href="<%=safe.htmlattr(ilink)%>" target="_blank" rel="noopener noreferrer"><%=safe.html(ilink)%></a></td>
  </tr>
 <% }
@@ -265,4 +265,4 @@ IFACE.FORM_END();
 <% SUBFRAME_END(); %>
 </body>
 </html>
-<% ASPPAGE_END(); %> 
+<% ASPPAGE_END(); %>
--- a/APPL/PDA/catering_looplijst.asp
+++ b/APPL/PDA/catering_looplijst.asp
@@ -219,7 +219,7 @@ function looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat)
              method="post">
 <%
            var gebouw_key = user.alg_gebouw_key({withcurrent:true});
-            var sql = looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat); // objecten of verbruiksartikele
+            var sql = looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat); // objecten of verbruiksartikelen
            CATLIST_START("cat_list", false)
            var oRs = Oracle.Execute(sql);
@@ -246,7 +246,7 @@ function looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat)
                    var catobj = (met_obj ? L("lcl_res_daglijst_middelen") : L("lcl_res_daglijst_artikelen"));
 %>
                    <li class="ui-field-contain">
-                        <a href='#' onclick="start_cat('<%=lastLink%>')">
+                        <a href='#' onclick="start_cat('<%=safe.jsstring(lastLink)%>')">
                        <div>
                            <p class="ui-li-count ui-li-aside"><%=L("lcl_res_daglijst_geleverd")%>:&nbsp;<%=(oRs("geleverd").Value==1?L("lcl_Yes"):L("lcl_No"))%></p>
                            <div>
--- a/APPL/PDA/iface.inc
+++ b/APPL/PDA/iface.inc
@@ -620,11 +620,11 @@ function CATLIST_ARTIKEL(p_cat_id, params)
        var vlabel = "<label class='ed' for='inpb_g_"+p_cat_id + "'> " + L("lcl_res_daglijst_geleverd") + "</label>";
 %>
    <li class="ui-field-contain">
-            <img alt="<%=safe.htmlattr(L("lcl_res_article"))%>" src="<%=params.image%>"/>
+            <img alt="<%=safe.htmlattr(L("lcl_res_article"))%>" src="<%=safe.htmlattr(params.image)%>"/>
            <h3 class="c1"><%=safe.html(params.omschrijving)%></h3>
            <div style="display: inline-block">
                <div class="subheader">
-                    <div class="listbodytext"><%=L("lcl_count")%>:&nbsp<%=params.aantal%></div>
+                    <div class="listbodytext"><%=L("lcl_count")%>:&nbsp;<%=params.aantal%></div>
                </div>
                <label class='ed' for="inpb_g_<%=p_cat_id%>"><%=L("lcl_res_daglijst_geleverd")%></label>
                <input type="checkbox" id="inpb_g_<%=p_cat_id%>" name="inpb_g_<%=p_cat_id%>"
--- a/APPL/PDA/mld_list.asp
+++ b/APPL/PDA/mld_list.asp
@@ -502,7 +502,7 @@ var canAdd = addparams && addparams.ALGwritelevel;
            + (srtdisc_key > -1? "&srtdisc=" + srtdisc_key : "")
            + "&fase=" + fase
            + "&actiecodeFE=" + actiecodeFE
-            + (actiecodeATT == "on" ? "&actiecodeATT=" + actiecodeATT : "")
+            + (actiecodeATT == "on" ? "&actiecodeATT=on" : "")
            + "&searchtekst=" + safe.urlUTF8(searchtekst)
            for (flagkey=0; flagkey < S("mld_melding_flags"); flagkey++)