Fixed possible JS injection via the title edition
[github/wallabag/wallabag.git] / src / Wallabag / CoreBundle / Resources / views / themes / material / Entry / _card_preview.html.twig
index b0e3c06de2c1b34683f1256dabdc0cb90050cf89..d23be4d0927613538a57df296bde59459d15e988 100644 (file)
@@ -13,8 +13,8 @@
             <i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
 
             <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title| striptags | truncate(80, true, '…') | raw }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                    {{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
                 </a>
             </span>
 
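Review bot: On both new lines of the card-title link, `e` runs before `striptags`, so every `<` is already `&lt;` when `striptags` sees the title. Nothing is stripped any more, markup in a title is shown as literal text, and `truncate(80, …)` can cut an entity in half. The link text still ends in `| raw`, so its safety rests entirely on the explicit `e` earlier in the chain; anyone who later reorders or drops that filter reopens the injection. I would strip and truncate first and escape last: `{{ entry.title | striptags | truncate(80, true, '…') | e }}` for the text and `title="{{ entry.title | striptags | e('html_attr') }}"` for the attribute. The card-reveal hunk below uses the same `e | raw | striptags` ordering, and if autoescaping is enabled for this template (not visible here) its chains that end in `striptags` may be escaped a second time.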
@@ -29,8 +29,8 @@
     <div class="card-reveal">
         <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
         <span class="card-title">
-            <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+            <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
             </a>
         </span>