Fixed possible JS injection via the title edition
index 3689159bca64e81d70f08bebd03d6617a2641e74..8ca194f6429f71f2361619dfc2a47f23669c28ea 100644 (file)
@@ -1,11 +1,11 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}
 
-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
 
 {% block content %}
     <div id="article">
         <header class="mbm">
-            <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+            <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
         </header>
 
         <div id="article_toolbar">
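Review bot: The `|e|raw` chain on the two added lines is redundant and misleading: Twig's `e` filter already marks its output as safe, so the trailing `|raw` changes nothing and reads as though escaping were being bypassed, which invites a future edit that drops `|e` and reintroduces the injection. `{{ entry.title|e }}` states the intent on its own, and if this bundle's autoescape is enabled (not visible here) the plain `{{ entry.title }}` would already be escaped. The same pattern is repeated on the `alt` attribute in the second hunk. A short note such as `{# entry.title is user-editable: never render it with |raw #}` above the title block would record why the filter is there.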
@@ -67,7 +67,7 @@
             </aside>
         </div>
         {% if entry.previewPicture is not null %}
-            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
+            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
         {% endif %}
         <article>
             {{ entry.content | raw }}
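Review bot: On the added `<img>` line the `src="{{ entry.previewPicture }}"` attribute is still rendered with no filter, so whether it is escaped depends entirely on the template autoescape setting, which this diff does not show; if that value is derived from fetched page content it deserves the same treatment as the title, e.g. `src="{{ entry.previewPicture|e('html_attr') }}"`. For the `alt` attribute, `e('html_attr')` is the context-specific strategy, though the default `html` strategy does escape both quote characters and is adequate here. The `{{ entry.content | raw }}` line below is unchanged context and is presumably sanitised before storage; worth confirming rather than assuming.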