Fixed possible JS injection via the title edition
[github/wallabag/wallabag.git] / src / Wallabag / CoreBundle / Resources / views / themes / baggy / Entry / entries.html.twig
index 56a0faacfb09247619e18ed9c9aff2ac170c6574..4679714e6398355bcdf5355dd04ece6db626821f 100644 (file)
@@ -23,7 +23,7 @@
 
     {% for entry in entries %}
         <div id="entry-{{ entry.id|e }}" class="entry">
-            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
+            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
 
             {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
             <div class="estimatedTime">
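Review bot: The trailing `|raw` after `|e` on the new `<h2>` line is redundant and should be dropped: Twig's `e` filter already marks its output as safe, so `title="{{ entry.title|e }}">{{ entry.title|e }}</a>` renders the same. Leaving `raw` on a user-editable field is risky, because a later edit that removes the `|e` would silently reopen the injection this commit closes. The same applies to `alt="{{ entry.title|e|raw }}"` in the second hunk. If titles can reach the template already entity-encoded, which the original `|raw` suggests but the hunk does not show, escaping here will display doubled entities such as `&amp;amp;`; storing titles decoded and escaping only at output would avoid that. The enclosing `{% for entry in entries %}` block continues outside the hunk.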
@@ -60,7 +60,7 @@
                     <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
                 {% endfor %}
                 </ul>
-                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
+                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
             {% endif %}
         </div>
     {% endfor %}