]> git.immae.eu Git - github/shaarli/Shaarli.git/commit - index.php
projects / github / shaarli / Shaarli.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0923a2b) | patch
Working on shaarli/Shaarli#224 228/head
authorArthurHoaro <arthur@hoa.ro>
Thu, 11 Jun 2015 11:53:27 +0000 (13:53 +0200)
committerArthurHoaro <arthur@hoa.ro>
Tue, 23 Jun 2015 14:35:36 +0000 (16:35 +0200)
commit5f85fcd863fe261921953ea3bd1742f3e1b7cf68
tree5615922c1c696ec04cc60625a8d401b2b297a462tree | snapshot
parent0923a2bc1b097bf1def882722db489d83d95c423commit | diff
Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
   It means no escaping function in Twig templates.
    2 reasons:
    * it reduces risks of security issue for future user made templates
    * more readable templates
  * sanitize user configuration fields after loading them.
12 files changed:
application/LinkDB.php diff | blob | blame | history
index.php diff | blob | blame | history
tpl/daily.html diff | blob | blame | history
tpl/dailyrss.html diff | blob | blame | history
tpl/editlink.html diff | blob | blame | history
tpl/import.html diff | blob | blame | history
tpl/linklist.html diff | blob | blame | history
tpl/loginform.html diff | blob | blame | history
tpl/page.footer.html diff | blob | blame | history
tpl/page.header.html diff | blob | blame | history
tpl/picwall.html diff | blob | blame | history
tpl/tagcloud.html diff | blob | blame | history
The personal, minimalist, super-fast, database free, bookmarking service - community repo