Escape weird characters in templates
authorJean-Michel Vourgère <jvourger@greenpeace.org>
Sat, 25 Feb 2017 21:04:55 +0000 (10:04 +1300)
committerJean-Michel Vourgère <jvourger@greenpeace.org>
Thu, 9 Mar 2017 18:06:30 +0000 (18:06 +0000)
This fixes a bunch of security issues

squasher.php
templates/admin.tpl
templates/index.tpl
templates/login.tpl
templates/logs.tpl
templates/udmin.tpl

index cfd2ade437535c65a6b34a9e17e4b7b2a56e46af..eaa1b543b2a90d2c935f011aace7289d6a5c7a81 100644 (file)
@@ -230,7 +230,7 @@ if (@$_GET['f']) {
 
 
        //set base folders
-       $basepath['/'] = '&nbsp;top&nbsp;';
+       $basepath['/'] = 'top';
        $bpath = '';
        foreach (explode('/', $subf) as $key => $value) {
                if ($value != '') {
index 26aa327a5417ed4e584d77b330c762226e3439a2..e78c024160700709cc5b01ec7c6a5a02bb7d0b86 100644 (file)
@@ -13,7 +13,7 @@
 <body>
 <div class="wrappercontainer">
 
-       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name})</a>&nbsp;</div></div>
+       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name|escape})</a>&nbsp;</div></div>
 
        <div class="menucontainer">
 
@@ -21,7 +21,7 @@
 
                        <div class="menuhead">users</div>
 
-                       {foreach item=user key=user_id from=$users}<a {if $user_id eq $edited_user}class="selected"{/if} href="?tools=access&user={$user.id}">{$user.name}</a>{/foreach}
+                       {foreach item=user key=user_id from=$users}<a {if $user_id eq $edited_user}class="selected"{/if} href="?tools=access&amp;user={$user.id|escape:'url'}">{$user.name|escape}</a>{/foreach}
 
                </div>
 
@@ -38,7 +38,7 @@
 
        <form method='post'>
        <input type='hidden' name='formtype' value='folderrights' />
-       <input type='hidden' name='edited_user' value={$edited_user} />
+       <input type='hidden' name='edited_user' value='{$edited_user|escape}' />
        {$layout}
 
        <div style='float:left;'><input type='submit' value='Save'/></div>
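Review bot: `{$layout}`, on the line after the `edited_user` input, is still emitted raw while the values around it now go through `|escape`. It sits inside the form, so it is presumably HTML assembled in PHP; if so, any folder or user names in it must be escaped where that markup is built, because escaping it here would break the markup. Once the PHP side (outside this diff) has been checked, a template comment would record the decision, e.g. `{* $layout is pre-built HTML; its values are escaped where it is generated *}`.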
index 2f999f0b44b8300f06296894c6fc491196a57f63..51afa03210e68ed1fb20e07487a3186c000ff227 100644 (file)
@@ -24,7 +24,7 @@
 <body>
 <div class="wrappercontainer">
 
-       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name})</a>&nbsp;</div></div>
+       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name|escape})</a>&nbsp;</div></div>
 
        <div class="menucontainer">
 
@@ -32,7 +32,7 @@
        
                        <div class="menuhead">current folder</div>
        
-                       {foreach item=crumb key=cookie from=$base}<a href="?path={$cookie}">{$crumb}</a>{/foreach}
+                       {foreach item=crumb key=cookie from=$base}<a href="?path={$cookie|escape:'url'}">{$crumb|escape}</a>{/foreach}
        
                </div>
        
@@ -40,7 +40,7 @@
        
                        <div class="menuhead">subfolders</div>
        
-                       {foreach item=folder key=folderpath from=$subfolders}<a href="?path={$folderpath}">{$folder}</a>{/foreach}
+                       {foreach item=folder key=folderpath from=$subfolders}<a href="?path={$folderpath|escape:'url'}">{$folder|escape}</a>{/foreach}
        
                </div>
        
 {if $item.hidden eq false OR $user_level > 99 }
                <div class={if $item.finished==true}"status3"{elseif $item.finished!=true && $item.embedable==true}"status2"{elseif $item.finished!=true && $item.embedable!=true}"status1"{else}"item"{/if}>
 
-                       <div class="name">{$item.name} {if $user_level > 99}{if $item.hidden}<font color=red>|<a href='?tools=unhide&h={$id}'>publish</a>|</font>{else}<font color=green>|<a href='?tools=hide&h={$id}'>hide</a>|</font>{/if}{if $user_level > 100}<font color=red>|<a href='?tools=delete&h={$id}' onClick="javascript:return confirm('Are you sure you want to permanently delete {$item.name}?')">delete</a>|</font>{/if}{/if}</div>
+                       <div class="name">{$item.name|escape} {if $user_level > 99}{if $item.hidden}<font color=red>|<a href='?tools=unhide&amp;h={$id|escape:'url'}'>publish</a>|</font>{else}<font color=green>|<a href='?tools=hide&amp;h={$id|escape:'url'}'>hide</a>|</font>{/if}{if $user_level > 100}<font color=red>|<a href='?tools=delete&amp;h={$id|escape:'url'}' onClick="javascript:return confirm('Are you sure you want to permanently delete {$item.name|escape:'quotes'}?')">delete</a>|</font>{/if}{/if}</div>
 
-                       <div class="status">status: {$item.status}</div>
+                       <div class="status">status: {$item.status|escape}</div>
 
                        <div class="clear"></div>
 
-                       <div class="added">added: {$item.date}</div>
+                       <div class="added">added: {$item.date|escape}</div>
                
-                       <div class="size">size:&nbsp;{if $item.size>(1024*1024)}{math equation="((x / 1024) / 1024) * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.2f"}&nbsp;/&nbsp;{math equation="(x / 1024) / 1024" x=$item.size format="%.2f"}mb{elseif $item.size>(1024)}{math equation="(x / 1024) * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.2f"}&nbsp;/&nbsp;{math equation="(x / 1024)" x=$item.size format="%.2f"}kb{else}{math equation="x * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.0f"}&nbsp;/&nbsp;{$item.size}b{/if}({math equation="(y / x) * 100" x=$item.chunks y=$item.chunks_finished format="%.0f"}%)</div>
+                       <div class="size">size:&nbsp;{if $item.size>(1024*1024)}{math equation="((x / 1024) / 1024) * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.2f"}&nbsp;/&nbsp;{math equation="(x / 1024) / 1024" x=$item.size format="%.2f"}mb{elseif $item.size>(1024)}{math equation="(x / 1024) * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.2f"}&nbsp;/&nbsp;{math equation="(x / 1024)" x=$item.size format="%.2f"}kb{else}{math equation="x * (y / z)" x=$item.size y=$item.chunks_finished z=$item.chunks format="%.0f"}&nbsp;/&nbsp;{$item.size|escape}b{/if}({math equation="(y / x) * 100" x=$item.chunks y=$item.chunks_finished format="%.0f"}%)</div>
 
                        <div class="clear"></div>
 
-                       <div class="updated">last updated: {$item.lastchange}</div>
+                       <div class="updated">last updated: {$item.lastchange|escape}</div>
 
 
 {if $item.finished==true}
-                       <div class="download"><a href='?f={$id}'>download</a></div>
+                       <div class="download"><a href='?f={$id|escape:'url'}'>download</a></div>
 {/if}
 {if $item.embedable eq true and $item.finished eq false}
        {if $item.mime=='video/mpeg'}
-                       <div class="stream"><a href='?f={$id}'>download ({math equation="(y / x) * 100" x=$item.chunks y=$item.chunks_partial format="%.0f"}%)</a></div>
+                       <div class="stream"><a href='?f={$id|escape:'url'}'>download ({math equation="(y / x) * 100" x=$item.chunks y=$item.chunks_partial format="%.0f"}%)</a></div>
        {/if}
 {/if}
 
 {if $item.hidden eq false OR $user_level > 99 }
                <div class={if $item.finished==true}"status3"{elseif $item.finished!=true && $item.embedable==true}"status2"{elseif $item.finished!=true && $item.embedable!=true}"status1"{else}"item"{/if}>
 
-                       <div class="name">{$item.name} {if $user_level > 99}{if $item.hidden}<font color=red>|<a href='?tools=unhide&h={$id}'>publish</a>|</font>{else}<font color=green>|<a href='?tools=hide&h={$id}'>hide</a>|</font>{/if}{if $user_level > 199}<font color=red>|<a href='?tools=delete&h={$id}' onClick="javascript:return confirm('Are you sure you want to permanently delete {$item.name}?')">delete</a>|</font>{/if}{/if}</div>
+                       <div class="name">{$item.name|escape} {if $user_level > 99}{if $item.hidden}<font color=red>|<a href='?tools=unhide&amp;h={$id|escape:'url'}'>publish</a>|</font>{else}<font color=green>|<a href='?tools=hide&amp;h={$id|escape:'url'}'>hide</a>|</font>{/if}{if $user_level > 199}<font color=red>|<a href='?tools=delete&amp;h={$id|escape:'url'}' onClick="javascript:return confirm('Are you sure you want to permanently delete {$item.name|escape:'quotes'}?')">delete</a>|</font>{/if}{/if}</div>
 
-                       <div class="status">status: {$item.status}</div>
+                       <div class="status">status: {$item.status|escape}</div>
 
                        <div class="clear"></div>
 
-                       <div class="added">added: {$item.date}</div>
+                       <div class="added">added: {$item.date|escape}</div>
 
-                       <div class="size">size:&nbsp;{if $item.size>(1024*1024)}{math equation="(x / 1024) / 1024" x=$item.size format="%.2f"}mb{elseif $item.size>(1024)}{math equation="(x / 1024)" x=$item.size format="%.2f"}kb{else}{$item.size}b{/if}</div>
+                       <div class="size">size:&nbsp;{if $item.size>(1024*1024)}{math equation="(x / 1024) / 1024" x=$item.size format="%.2f"}mb{elseif $item.size>(1024)}{math equation="(x / 1024)" x=$item.size format="%.2f"}kb{else}{$item.size|escape}b{/if}</div>
 
                        <div class="clear"></div>
 
-                       <div class="updated">last updated: {$item.lastchange}</div>
+                       <div class="updated">last updated: {$item.lastchange|escape}</div>
 
 
 {if $item.finished==true}
-                       <div class="download"><a href='?f={$id}'>download</a></div>
+                       <div class="download"><a href='?f={$id|escape:'url'}'>download</a></div>
 {/if}
 {if $item.embedable eq true and $item.finished eq false}
        {if $item.mime=='video/mpeg'}
-                       <div class="stream"><a href='?f={$id}'>download (partial)</a></div>
+                       <div class="stream"><a href='?f={$id|escape:'url'}'>download (partial)</a></div>
        {/if}
 {/if}
 
 {if $user_level > 100 and $mass_delete_size > 1}
                <div class="massdelete"><br>
                        <div class="deletebox" id="deletebox">
-                               <form name="deletetool" action="?tools=delete&h=multiple" method="post" onSubmit='return confirm("Are you sure you want to delete the selected files? \nThis page may take a while to reload while the files are removed.");'>
-                                       <select multiple="" size="{$mass_delete_size}" id="h" name="h[]" width="300px">
+                               <form name="deletetool" action="?tools=delete&amp;h=multiple" method="post" onSubmit='return confirm("Are you sure you want to delete the selected files? \nThis page may take a while to reload while the files are removed.");'>
+                                       <select multiple="" size="{$mass_delete_size|escape}" id="h" name="h[]" width="300px">
                                                {foreach item=item key=id from=$squashed}
-                                               <option value="{$id}" title="{$item.name}">{$item.name|truncate:39}</option>
+                                               <option value="{$id|escape}" title="{$item.name|escape}">{$item.name|truncate:39|escape}</option>
                                                {/foreach}
                                        </select>
                                        <input type="button" value="Select All" OnClick="selectAllList();" ><input type="reset" value="Clear"><input type="submit" value="Delete Selected Items">
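Review bot: `escape:'quotes'` is the wrong escaper for `{$item.name}` inside the `confirm('…')` call in the `onClick` attribute on both `class="name"` lines. It only backslash-escapes single quotes, so a double quote, backslash or newline in a file name passes through unchanged into a double-quoted attribute that holds a JavaScript string. The value needs escaping for JavaScript first and then for HTML, `{$item.name|escape:'javascript'|escape}`. The same modifier is used for `var salt = '{$salt|escape:'quotes'}';` in the login template's `<script>` block, where `escape:'javascript'` on its own matches the context. The `$item` loops that enclose the `class="name"` lines open outside the hunks shown.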
index 9188ce462e6af914d15ff4d7d462327c6d02a64a..f52ff3317108bce2c83cd6f0807c4f71f2d87999 100644 (file)
@@ -7,7 +7,7 @@
 <script type="text/javascript" src="js/md5.js"></script>
 <script language="javascript">
 function hasher(){ldelim}
-       var salt = '{$salt}';
+       var salt = '{$salt|escape:'quotes'}';
        document.loginform.pass.value=hex_md5(hex_md5(document.loginform.pass.value)+salt);
 {rdelim}
 </script>
index 4d7b810545b557effb80d4f50c1ef315cf3b9e50..fc9b4ec320d36725e64408fe5e9bc543a702b60d 100644 (file)
@@ -8,7 +8,7 @@
 <body>
 <div class="wrappercontainer">
 
-       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name})</a>&nbsp;</div></div>
+       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name|escape})</a>&nbsp;</div></div>
 
        <div class="menucontainer">
 
 
                        <div class="menuhead">logs</div>
 
-                       <a {if $logtype eq "all"     }class="selected"{/if} href="?tools=logs&logtype=all"     >all</a>
-                       <a {if $logtype eq "delete"  }class="selected"{/if} href="?tools=logs&logtype=delete"  >delete</a>
-                       <a {if $logtype eq "download"}class="selected"{/if} href="?tools=logs&logtype=download">download</a>
-                       <a {if $logtype eq "login"   }class="selected"{/if} href="?tools=logs&logtype=login"   >login</a>
-                       <a {if $logtype eq "debug"   }class="selected"{/if} href="?tools=logs&logtype=debug"   >squasher</a>
+                       <a {if $logtype eq "all"     }class="selected"{/if} href="?tools=logs&amp;logtype=all"     >all</a>
+                       <a {if $logtype eq "delete"  }class="selected"{/if} href="?tools=logs&amp;logtype=delete"  >delete</a>
+                       <a {if $logtype eq "download"}class="selected"{/if} href="?tools=logs&amp;logtype=download">download</a>
+                       <a {if $logtype eq "login"   }class="selected"{/if} href="?tools=logs&amp;logtype=login"   >login</a>
+                       <a {if $logtype eq "debug"   }class="selected"{/if} href="?tools=logs&amp;logtype=debug"   >squasher</a>
 
                </div>
 
    </tr>
 
 {foreach item=entry from=$logs.today key=id}
-   <tr class="logentry_{$entry.action}" align="left">
-    <td width='160px'>&nbsp;{$entry.date}</td>
-    <td width='40px' >&nbsp;{$entry.user_name}</td>
-    <td width='120px' title="{$entry.users_from_ip}">&nbsp;{$entry.ip}</td>
-    <td width='80px' >&nbsp;{$entry.action}</td>
-    <td width='*' title="{$entry.file|substr:10}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64}</td>
+   <tr class="logentry_{$entry.action|escape}" align="left">
+    <td width='160px'>&nbsp;{$entry.date|escape}</td>
+    <td width='40px' >&nbsp;{$entry.user_name|escape}</td>
+    <td width='120px' title="{$entry.users_from_ip|escape}">&nbsp;{$entry.ip|escape}</td>
+    <td width='80px' >&nbsp;{$entry.action|escape}</td>
+    <td width='*' title="{$entry.file|substr:10|escape}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64|escape}</td>
    </tr>
 {foreachelse}
    <tr class="logentry_empty">
     <td width='*' colspan="5">Yesterday</td>
    </tr>
 
-{foreach item=entry from=$logs.yesterday key=id}   <tr class="logentry_{$entry.action}" align="left">
-    <td width='160px'>&nbsp;{$entry.date}</td>
-    <td width='40px' >&nbsp;{$entry.user_name}</td>
-    <td width='120px' title="{$entry.users_from_ip}">&nbsp;{$entry.ip}</td>
-    <td width='80px'>&nbsp;{$entry.action}</td>
-    <td width='*' title="{$entry.file|substr:10}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64}</td>
+{foreach item=entry from=$logs.yesterday key=id}   <tr class="logentry_{$entry.action|escape}" align="left">
+    <td width='160px'>&nbsp;{$entry.date|escape}</td>
+    <td width='40px' >&nbsp;{$entry.user_name|escape}</td>
+    <td width='120px' title="{$entry.users_from_ip|escape}">&nbsp;{$entry.ip|escape}</td>
+    <td width='80px'>&nbsp;{$entry.action|escape}</td>
+    <td width='*' title="{$entry.file|substr:10|escape}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64|escape}</td>
    </tr>
 {foreachelse}
    <tr class="logentry_empty">
    </tr>
 
 {foreach item=entry from=$logs.lastweek key=id}
-   <tr class="logentry_{$entry.action}" align="left">
-    <td width='160px'>&nbsp;{$entry.date}</td>
-    <td width='40px' >&nbsp;{$entry.user_name}</td>
-    <td width='120px' title="{$entry.users_from_ip}">&nbsp;{$entry.ip}</td>
-    <td width='80px'>&nbsp;{$entry.action}</td>
-    <td width='*' title="{$entry.file|substr:10}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64}</td>
+   <tr class="logentry_{$entry.action|escape}" align="left">
+    <td width='160px'>&nbsp;{$entry.date|escape}</td>
+    <td width='40px' >&nbsp;{$entry.user_name|escape}</td>
+    <td width='120px' title="{$entry.users_from_ip|escape}">&nbsp;{$entry.ip|escape}</td>
+    <td width='80px'>&nbsp;{$entry.action|escape}</td>
+    <td width='*' title="{$entry.file|substr:10|escape}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64|escape}</td>
    </tr>
 {foreachelse}
    <tr class="logentry_empty">
    </tr>
 
 {foreach item=entry from=$logs.older key=id}
-   <tr class="logentry_{$entry.action}" align="left">
-    <td width='160px'>&nbsp;{$entry.date}</td>
-    <td width='40px' >&nbsp;{$entry.user_name}</td>
-    <td width='120px' title="{$entry.users_from_ip}">&nbsp;{$entry.ip}</td>
-    <td width='80px'>&nbsp;{$entry.action}</td>
-    <td width='*' title="{$entry.file|substr:10}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64}</td>
+   <tr class="logentry_{$entry.action|escape}" align="left">
+    <td width='160px'>&nbsp;{$entry.date|escape}</td>
+    <td width='40px' >&nbsp;{$entry.user_name|escape}</td>
+    <td width='120px' title="{$entry.users_from_ip|escape}">&nbsp;{$entry.ip|escape}</td>
+    <td width='80px'>&nbsp;{$entry.action|escape}</td>
+    <td width='*' title="{$entry.file|substr:10|escape}{if $entry.ip eq 'retry'}\n : This file did not pass validation. A request was mailed to the RO to restart the upload.{/if}{if $entry.ip eq 'cleanup'}\n : This file entry was missing all chunks. This entry was removed.{/if}">&nbsp;{$entry.file|substr:10:64|escape}</td>
    </tr>
 {foreachelse}
    <tr class="logentry_empty">
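Review bot: `{$entry.file|substr:10:64|escape}` and the matching `title` attribute cut the file name by bytes before escaping, in all four log loops. If the pages render as UTF-8, a cut inside a multi-byte character leaves an invalid sequence, and PHP's `htmlspecialchars` (which the `escape` modifier presumably wraps) returns an empty string for invalid input unless told to substitute. Such an entry would then show a blank file column in the log view. A character-aware cut avoids this, e.g. `{$entry.file|mb_substr:10:64|escape}` if mbstring is available. The order used here, truncate first and escape last, is correct and should be kept.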
index 77074501fae1442f45abdee55c3d35dc731cc19e..06092caac0c9a4884bb509751e094c17205ae79d 100644 (file)
 <body>
 <div class="wrappercontainer">
 
-       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name})</a>&nbsp;</div></div>
+       <div class="banner">&nbsp;<div class="control">{if $user_level > 99}<a href="?">home</a>&nbsp;|&nbsp;<a href="?tools=access">access</a>&nbsp;|&nbsp;<a href="?tools=users">users</a>&nbsp;|&nbsp;<a href="?tools=logs">logs</a>&nbsp;|{/if}&nbsp;<a href="index.php?tools=logout">logout({$user_name|escape})</a>&nbsp;</div></div>
 
        <div class="content">
 
 {foreach item=user key=user_id from=$users}
-<div class="white_border"><form method='post' name='user_{$user.id}' id='user_{$user.id}'><input type='hidden' name='u[user_id]' id='user_id' value='{$user.id}' /><input type='hidden' name='type' id='type' value='' /><input name='u[user_name]' id='user_name' value='{$user.name}' readonly /> | {html_options name='u[user_level]' id='user_level' options=$user_levels selected=$user.level} | {if $user.enabled}<a onClick="document.user_{$user.id}.type.value='disable';document.user_{$user.id}.submit();" style="cursor:pointer" >remove password</a>{else}<input name='u[user_pass]' id='user_pass' /> {/if} | <a onClick="document.user_{$user.id}.type.value='delete';confirm_delete('user_{$user.id}');" style="cursor:pointer" >delete</a> | <a onClick="document.user_{$user.id}.type.value='update';document.user_{$user.id}.submit();" style="cursor:pointer" >update</a></form></div>
+<div class="white_border"><form method='post' name='user_{$user.id|escape}' id='user_{$user.id|escape}'><input type='hidden' name='u[user_id]' id='user_id' value='{$user.id|escape}' /><input type='hidden' name='type' id='type' value='' /><input name='u[user_name]' id='user_name' value='{$user.name|escape}' readonly /> | {html_options name='u[user_level]' id='user_level' options=$user_levels selected=$user.level} | {if $user.enabled}<a onClick="document.user_{$user.id}.type.value='disable';document.user_{$user.id}.submit();" style="cursor:pointer" >remove password</a>{else}<input name='u[user_pass]' id='user_pass' /> {/if} | <a onClick="document.user_{$user.id}.type.value='delete';confirm_delete('user_{$user.id}');" style="cursor:pointer" >delete</a> | <a onClick="document.user_{$user.id}.type.value='update';document.user_{$user.id}.submit();" style="cursor:pointer" >update</a></form></div>
 <div class="clear"></div>
 {/foreach}
 <div class="white_border"><form method='post' name='user_new' id='user_new'><input type='hidden' name='type' id='type' value='' /><input name='u[user_name]' value='' /> | {html_options name='u[user_level]' options=$user_levels } | <input name='u[user_pass]' /> | <a onClick="document.user_new.type.value='new';document.user_new.submit();" style="cursor:pointer" >add</a></form></div>
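Review bot: The changed line escapes `{$user.id}` in the form's `name`, `id` and `value`, but the six occurrences inside the three `onClick` handlers (`document.user_{$user.id}.type.value=…`, `document.user_{$user.id}.submit()` and `confirm_delete('user_{$user.id}')`) are still emitted raw. There the value becomes part of a JavaScript identifier or string, which HTML escaping alone would not make safe. If ids are always integers, saying so in the template closes the gap, `{$user.id|intval}` in the handlers and the form name. Otherwise the handlers should reach the form through `this` instead of a name built from data. Whether `$user.id` can hold anything other than a number is not visible in this diff.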