From: Kevin Decherf
Date: Sun, 23 Sep 2018 20:46:09 +0000 (+0200)
Subject: views: escape piwik host and siteId to prevent XSS
X-Git-Url: https://git.immae.eu/?p=github%2Fwallabag%2Fwallabag.git;a=commitdiff_plain;h=66697b29b9fce63deccbed391c406c02a2a34dd2

views: escape piwik host and siteId to prevent XSS

Fixes CVE-2018-11352

Signed-off-by: Kevin Decherf
---

diff --git a/src/Wallabag/CoreBundle/Resources/views/base.html.twig b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
index 2499bb88..49861946 100644
--- a/src/Wallabag/CoreBundle/Resources/views/base.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
@@ -69,7 +69,7 @@
 {% block footer %}{% endblock %}
 {% if craue_setting('piwik_enabled') %}
- {{ piwik(craue_setting('piwik_host'), craue_setting('piwik_site_id')) }}
+ {{ piwik(craue_setting('piwik_host')|e('html_attr'), craue_setting('piwik_site_id')|e('html_attr')) }}
 {% endif %}
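Review bot: The `html_attr` strategy on the added `piwik(...)` line is chosen at the call site, but the output context of the two values is decided inside `piwik()`, which this hunk does not show. If that helper writes the host or site id into an inline script as well as into an attribute, `html_attr` still neutralises quotes and angle brackets, but a legitimate host containing `/` or `:` would be emitted as entities that the script never decodes, so tracking would silently break. It would be more robust to validate both settings when they are saved (site id numeric, host a bare hostname) and keep this escaping as a second layer, documented with a comment such as `{# piwik_host and piwik_site_id are editable settings; escape them before piwik() writes them into the page #}`. Any other template that passes these settings to `piwik()` needs the same treatment.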