Fixed possible JS injection via the title edition
[github/wallabag/wallabag.git] / src / Wallabag / CoreBundle / Resources / views / themes / material / Entry / _card_no_preview.html.twig
index 19a400b4b55f3c39700a17d74402559ebb79c88c..ed916e7987c1bbcf526670b0ffe62ad395e97587 100644 (file)
@@ -2,8 +2,8 @@
     <div class="card-body">
         <div class="card-content">
             <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                    {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
                 </a>
             </span>
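Review bot: On both added lines `e` runs before `striptags`, so every `<` is already `&lt;` when `striptags` sees the title and it has nothing left to strip. Markup in a title is then shown as literal text, and `truncate(80, true, '…')` counts entity characters and can cut an entity in half. The `raw` in the middle of the chain does not help either: Twig only honours `raw` when it is the last filter, so whether the value gets escaped a second time depends on the autoescape setting, which is not visible in this hunk. I would strip first and escape last, with the attribute context made explicit: `title="{{ entry.title | striptags | e('html_attr') }}"` and `{{ entry.title | striptags | truncate(80, true, '…') | e }}`. If other templates render `entry.title` through the same chain, they need the same ordering.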