testbot: Always escape GetPageTitle() and GetTitle() before putting them in an HTML page.

Francois Gouget fgouget at codeweavers.com
Wed Aug 6 18:20:58 CDT 2014


---

This should fix the issue reported by Sebastian Lackner concerning, for 
instance, job 8265.

 testbot/lib/ObjectModel/CGI/CollectionPage.pm |  2 +-
 testbot/lib/ObjectModel/CGI/FormPage.pm       |  2 +-
 testbot/lib/ObjectModel/CGI/ItemPage.pm       | 13 ++-----------
 testbot/lib/ObjectModel/CGI/Page.pm           | 22 ++++++++++++++++++++++
 4 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/testbot/lib/ObjectModel/CGI/CollectionPage.pm b/testbot/lib/ObjectModel/CGI/CollectionPage.pm
index e0714bf..1652190 100644
--- a/testbot/lib/ObjectModel/CGI/CollectionPage.pm
+++ b/testbot/lib/ObjectModel/CGI/CollectionPage.pm
@@ -65,7 +65,7 @@ sub GenerateTitle($)
   my $Title = $self->GetTitle();
   if ($Title)
   {
-    print "<h1>$Title</h1>\n";
+    print "<h1>", $self->escapeHTML($Title), "</h1>\n";
   }
 }
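Review bot: The two GenerateTitle() fixes escape through different calls: this hunk uses `$self->escapeHTML($Title)`, while the FormPage.pm hunk uses `$self->CGI->escapeHTML($Title)`. The line removed from ItemPage.pm shows that page objects already expose `escapeHTML()`, so unless FormPage lacks that wrapper, its line would be more consistent as `print "<h1>", $self->escapeHTML($Title), "</h1>\n";`. A single escaping entry point makes it easier to audit that every title sink is covered. GenerateTitle() begins above both hunks, so the class hierarchy is not visible here.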
 
diff --git a/testbot/lib/ObjectModel/CGI/FormPage.pm b/testbot/lib/ObjectModel/CGI/FormPage.pm
index 740b97e..197cdb9 100644
--- a/testbot/lib/ObjectModel/CGI/FormPage.pm
+++ b/testbot/lib/ObjectModel/CGI/FormPage.pm
@@ -87,7 +87,7 @@ sub GenerateTitle($)
   my $Title = $self->GetTitle();
   if ($Title)
   {
-    print "<h1>$Title</h1>\n";
+    print "<h1>", $self->CGI->escapeHTML($Title), "</h1>\n";
   }
 }
 
diff --git a/testbot/lib/ObjectModel/CGI/ItemPage.pm b/testbot/lib/ObjectModel/CGI/ItemPage.pm
index f434dd3..7c6b361 100644
--- a/testbot/lib/ObjectModel/CGI/ItemPage.pm
+++ b/testbot/lib/ObjectModel/CGI/ItemPage.pm
@@ -92,17 +92,8 @@ sub GetTitle($)
 {
   my ($self) = @_;
 
-  my $Title;
-  if ($self->GetParam("Key"))
-  {
-    $Title = $self->GetParam("Key");
-  }
-  else
-  {
-    $Title = "Add " . $self->{Collection}->GetItemName();
-  }
-
-  return $self->escapeHTML($Title);
+  return $self->GetParam("Key") ? $self->GetParam("Key") :
+             "Add " . $self->{Collection}->GetItemName();
 }
 
 sub DisplayProperty($$)
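Review bot: GetTitle() now returns the `Key` request parameter unescaped, so any HTML sink that this patch does not update is exposed to markup injection. Only the GenerateTitle() methods in CollectionPage.pm and FormPage.pm are changed here; other callers and subclass overrides are not visible and should be checked. The contract is worth stating on the method itself, e.g. `# Returns plain text (may come from the Key request parameter); callers must escapeHTML() it.` As a smaller style point, GetParam("Key") is evaluated twice; `my $Key = $self->GetParam("Key");` followed by `return $Key ? $Key : "Add " . $self->{Collection}->GetItemName();` reads it once.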
diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 7946603..2abe066 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -113,6 +113,17 @@ sub SetCookies($)
   $self->{PageBase}->SetCookies($self);
 }
 
+=pod
+=over 12
+
+=head1 C<GetPageTitle()>
+
+This returns the page title as put in the HTML header.
+Note that this may not be valid HTML and thus need escaping.
+
+=back
+=cut
+
 sub GetPageTitle($)
 {
   my ($self) = @_;
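Review bot: The subject line covers GetPageTitle() as well, but this hunk only documents it, and no hunk in the patch changes a place where its result is written into a page. The sink is presumably in the PageBase implementation, which should be confirmed to escape the value. The added POD, here and in the GetTitle() hunk below, could state the contract more firmly, for example `The returned string is plain text, not HTML; escape it with escapeHTML() before writing it into a page.` The POD commands also need blank lines between them (`=pod` / `=over 12` and `=back` / `=cut`), since each command is its own paragraph, and podchecker will likely complain about a `=head1` placed inside `=over` without an `=item`.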
@@ -120,6 +131,17 @@ sub GetPageTitle($)
   return $self->{PageBase}->GetPageTitle($self);
 }
 
+=pod
+=over 12
+
+=head1 C<GetTitle()>
+
+This returns the title for the current web page or email section.
+Note that this may not be valid HTML and thus need escaping.
+
+=back
+=cut
+
 sub GetTitle($)
 {
   #my ($self) = @_;
-- 
2.0.1



