views: escape piwik host and siteId to prevent XSS

Fixes CVE-2018-11352

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

diff --git a/src/Wallabag/CoreBundle/Resources/views/base.html.twig b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
index 2499bb887adb87f2b2b99271f47dec83b168f59d..498619466fffdcd20a11366b748b53563dae5b17 100644 (file)
--- a/src/Wallabag/CoreBundle/Resources/views/base.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
@@ -69,7 +69,7 @@
         {% block footer %}{% endblock %}
 
         {% if craue_setting('piwik_enabled') %}
-            {{ piwik(craue_setting('piwik_host'), craue_setting('piwik_site_id')) }}
+            {{ piwik(craue_setting('piwik_host')|e('html_attr'), craue_setting('piwik_site_id')|e('html_attr')) }}
         {% endif %}
     </body>
 </html>