aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2015-06-11 13:53:27 +0200
committerArthurHoaro <arthur@hoa.ro>2015-06-23 16:35:36 +0200
commit5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree5615922c1c696ec04cc60625a8d401b2b297a462
parent0923a2bc1b097bf1def882722db489d83d95c423 (diff)
downloadShaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape` using `htmlspecialchars`. * sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons: * it reduces risks of security issue for future user made templates * more readable templates * sanitize user configuration fields after loading them.
-rw-r--r--application/LinkDB.php5
-rw-r--r--index.php159
-rw-r--r--tpl/daily.html4
-rw-r--r--tpl/dailyrss.html6
-rw-r--r--tpl/editlink.html10
-rw-r--r--tpl/import.html4
-rw-r--r--tpl/linklist.html10
-rw-r--r--tpl/loginform.html2
-rw-r--r--tpl/page.footer.html2
-rw-r--r--tpl/page.header.html2
-rw-r--r--tpl/picwall.html2
-rw-r--r--tpl/tagcloud.html2
12 files changed, 113 insertions, 95 deletions
diff --git a/application/LinkDB.php b/application/LinkDB.php
index 137f42e5..0f7c5bfe 100644
--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -245,6 +245,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess
245 foreach ($this->links as $link) { 245 foreach ($this->links as $link) {
246 $this->urls[$link['url']] = $link['linkdate']; 246 $this->urls[$link['url']] = $link['linkdate'];
247 } 247 }
248
249 // Escape links data
250 foreach($this->links as &$link) {
251 sanitizeLink($link);
252 }
248 } 253 }
249 254
250 /** 255 /**
diff --git a/index.php b/index.php
index 5aa7116f..39b01a2e 100644
--- a/index.php
+++ b/index.php
@@ -98,7 +98,7 @@ header("Pragma: no-cache");
98if (!is_writable(realpath(dirname(__FILE__)))) die('<pre>ERROR: Shaarli does not have the right to write in its own directory.</pre>'); 98if (!is_writable(realpath(dirname(__FILE__)))) die('<pre>ERROR: Shaarli does not have the right to write in its own directory.</pre>');
99 99
100// Handling of old config file which do not have the new parameters. 100// Handling of old config file which do not have the new parameters.
101if (empty($GLOBALS['title'])) $GLOBALS['title']='Shared links on '.htmlspecialchars(indexUrl()); 101if (empty($GLOBALS['title'])) $GLOBALS['title']='Shared links on '.escape(indexUrl());
102if (empty($GLOBALS['timezone'])) $GLOBALS['timezone']=date_default_timezone_get(); 102if (empty($GLOBALS['timezone'])) $GLOBALS['timezone']=date_default_timezone_get();
103if (empty($GLOBALS['redirector'])) $GLOBALS['redirector']=''; 103if (empty($GLOBALS['redirector'])) $GLOBALS['redirector']='';
104if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false; 104if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false;
@@ -111,6 +111,9 @@ if (empty($GLOBALS['titleLink'])) $GLOBALS['titleLink']='?';
111if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); 111if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install();
112 112
113require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. 113require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS.
114$GLOBALS['title'] = !empty($GLOBALS['title']) ? escape($GLOBALS['title']) : '';
115$GLOBALS['titleLink'] = !empty($GLOBALS['titleLink']) ? escape($GLOBALS['titleLink']) : '';
116$GLOBALS['redirector'] = !empty($GLOBALS['redirector']) ? escape($GLOBALS['redirector']) : '';
114 117
115// a token depending of deployment salt, user password, and the current ip 118// a token depending of deployment salt, user password, and the current ip
116define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); 119define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt']));
@@ -272,6 +275,17 @@ function nl2br_escaped($html)
272 return str_replace('>','&gt;',str_replace('<','&lt;',nl2br($html))); 275 return str_replace('>','&gt;',str_replace('<','&lt;',nl2br($html)));
273} 276}
274 277
278function escape($str) {
279 return htmlspecialchars($str, ENT_COMPAT, 'UTF-8', false);
280}
281
282function sanitizeLink(&$link) {
283 $link['url'] = escape($link['url']); // useful?
284 $link['title'] = escape($link['title']);
285 $link['description'] = escape($link['description']);
286 $link['tags'] = escape($link['tags']);
287}
288
275// In a string, converts URLs to clickable links. 289// In a string, converts URLs to clickable links.
276// Function inspired from http://www.php.net/manual/en/function.preg-replace.php#85722 290// Function inspired from http://www.php.net/manual/en/function.preg-replace.php#85722
277function text2clickable($url) 291function text2clickable($url)
@@ -651,8 +665,8 @@ class pageBuilder
651 private function initialize() 665 private function initialize()
652 { 666 {
653 $this->tpl = new RainTPL; 667 $this->tpl = new RainTPL;
654 $this->tpl->assign('newversion',checkUpdate()); 668 $this->tpl->assign('newversion',escape(checkUpdate()));
655 $this->tpl->assign('feedurl',htmlspecialchars(indexUrl())); 669 $this->tpl->assign('feedurl',escape(indexUrl()));
656 $searchcrits=''; // Search criteria 670 $searchcrits=''; // Search criteria
657 if (!empty($_GET['searchtags'])) $searchcrits.='&searchtags='.urlencode($_GET['searchtags']); 671 if (!empty($_GET['searchtags'])) $searchcrits.='&searchtags='.urlencode($_GET['searchtags']);
658 elseif (!empty($_GET['searchterm'])) $searchcrits.='&searchterm='.urlencode($_GET['searchterm']); 672 elseif (!empty($_GET['searchterm'])) $searchcrits.='&searchterm='.urlencode($_GET['searchterm']);
@@ -716,15 +730,15 @@ function showRSS()
716 $nblinksToDisplay = $_GET['nb']=='all' ? count($linksToDisplay) : max($_GET['nb']+0,1) ; 730 $nblinksToDisplay = $_GET['nb']=='all' ? count($linksToDisplay) : max($_GET['nb']+0,1) ;
717 } 731 }
718 732
719 $pageaddr=htmlspecialchars(indexUrl()); 733 $pageaddr=escape(indexUrl());
720 echo '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">'; 734 echo '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">';
721 echo '<channel><title>'.htmlspecialchars($GLOBALS['title']).'</title><link>'.$pageaddr.'</link>'; 735 echo '<channel><title>'.$GLOBALS['title'].'</title><link>'.$pageaddr.'</link>';
722 echo '<description>Shared links</description><language>en-en</language><copyright>'.$pageaddr.'</copyright>'."\n\n"; 736 echo '<description>Shared links</description><language>en-en</language><copyright>'.$pageaddr.'</copyright>'."\n\n";
723 if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) 737 if (!empty($GLOBALS['config']['PUBSUBHUB_URL']))
724 { 738 {
725 echo '<!-- PubSubHubbub Discovery -->'; 739 echo '<!-- PubSubHubbub Discovery -->';
726 echo '<link rel="hub" href="'.htmlspecialchars($GLOBALS['config']['PUBSUBHUB_URL']).'" xmlns="http://www.w3.org/2005/Atom" />'; 740 echo '<link rel="hub" href="'.escape($GLOBALS['config']['PUBSUBHUB_URL']).'" xmlns="http://www.w3.org/2005/Atom" />';
727 echo '<link rel="self" href="'.htmlspecialchars($pageaddr).'?do=rss" xmlns="http://www.w3.org/2005/Atom" />'; 741 echo '<link rel="self" href="'.$pageaddr.'?do=rss" xmlns="http://www.w3.org/2005/Atom" />';
728 echo '<!-- End Of PubSubHubbub Discovery -->'; 742 echo '<!-- End Of PubSubHubbub Discovery -->';
729 } 743 }
730 $i=0; 744 $i=0;
@@ -734,16 +748,16 @@ function showRSS()
734 $link = $linksToDisplay[$keys[$i]]; 748 $link = $linksToDisplay[$keys[$i]];
735 $guid = $pageaddr.'?'.smallHash($link['linkdate']); 749 $guid = $pageaddr.'?'.smallHash($link['linkdate']);
736 $rfc822date = linkdate2rfc822($link['linkdate']); 750 $rfc822date = linkdate2rfc822($link['linkdate']);
737 $absurl = htmlspecialchars($link['url']); 751 $absurl = $link['url'];
738 if (startsWith($absurl,'?')) $absurl=$pageaddr.$absurl; // make permalink URL absolute 752 if (startsWith($absurl,'?')) $absurl=$pageaddr.$absurl; // make permalink URL absolute
739 if ($usepermalinks===true) 753 if ($usepermalinks===true)
740 echo '<item><title>'.htmlspecialchars($link['title']).'</title><guid isPermaLink="true">'.$guid.'</guid><link>'.$guid.'</link>'; 754 echo '<item><title>'.$link['title'].'</title><guid isPermaLink="true">'.$guid.'</guid><link>'.$guid.'</link>';
741 else 755 else
742 echo '<item><title>'.htmlspecialchars($link['title']).'</title><guid isPermaLink="false">'.$guid.'</guid><link>'.$absurl.'</link>'; 756 echo '<item><title>'.$link['title'].'</title><guid isPermaLink="false">'.$guid.'</guid><link>'.$absurl.'</link>';
743 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) echo '<pubDate>'.htmlspecialchars($rfc822date)."</pubDate>\n"; 757 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) echo '<pubDate>'.escape($rfc822date)."</pubDate>\n";
744 if ($link['tags']!='') // Adding tags to each RSS entry (as mentioned in RSS specification) 758 if ($link['tags']!='') // Adding tags to each RSS entry (as mentioned in RSS specification)
745 { 759 {
746 foreach(explode(' ',$link['tags']) as $tag) { echo '<category domain="'.htmlspecialchars($pageaddr).'">'.htmlspecialchars($tag).'</category>'."\n"; } 760 foreach(explode(' ',$link['tags']) as $tag) { echo '<category domain="'.$pageaddr.'">'.$tag.'</category>'."\n"; }
747 } 761 }
748 762
749 // Add permalink in description 763 // Add permalink in description
@@ -751,10 +765,10 @@ function showRSS()
751 // If user wants permalinks first, put the final link in description 765 // If user wants permalinks first, put the final link in description
752 if ($usepermalinks===true) $descriptionlink = '(<a href="'.$absurl.'">Link</a>)'; 766 if ($usepermalinks===true) $descriptionlink = '(<a href="'.$absurl.'">Link</a>)';
753 if (strlen($link['description'])>0) $descriptionlink = '<br>'.$descriptionlink; 767 if (strlen($link['description'])>0) $descriptionlink = '<br>'.$descriptionlink;
754 echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))).$descriptionlink.']]></description>'."\n</item>\n"; 768 echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable($link['description']))).$descriptionlink.']]></description>'."\n</item>\n";
755 $i++; 769 $i++;
756 } 770 }
757 echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; 771 echo '</channel></rss><!-- Cached version of '.escape(pageUrl()).' -->';
758 772
759 $cache->cache(ob_get_contents()); 773 $cache->cache(ob_get_contents());
760 ob_end_flush(); 774 ob_end_flush();
@@ -779,7 +793,6 @@ function showATOM()
779 793
780 $LINKSDB = new LinkDB(isLoggedIn() || $GLOBALS['config']['OPEN_SHAARLI']); // Read links from database (and filter private links if used it not logged in). 794 $LINKSDB = new LinkDB(isLoggedIn() || $GLOBALS['config']['OPEN_SHAARLI']); // Read links from database (and filter private links if used it not logged in).
781 795
782
783 // Optionally filter the results: 796 // Optionally filter the results:
784 $linksToDisplay=array(); 797 $linksToDisplay=array();
785 if (!empty($_GET['searchterm'])) $linksToDisplay = $LINKSDB->filterFulltext($_GET['searchterm']); 798 if (!empty($_GET['searchterm'])) $linksToDisplay = $LINKSDB->filterFulltext($_GET['searchterm']);
@@ -792,7 +805,7 @@ function showATOM()
792 $nblinksToDisplay = $_GET['nb']=='all' ? count($linksToDisplay) : max($_GET['nb']+0,1) ; 805 $nblinksToDisplay = $_GET['nb']=='all' ? count($linksToDisplay) : max($_GET['nb']+0,1) ;
793 } 806 }
794 807
795 $pageaddr=htmlspecialchars(indexUrl()); 808 $pageaddr=escape(indexUrl());
796 $latestDate = ''; 809 $latestDate = '';
797 $entries=''; 810 $entries='';
798 $i=0; 811 $i=0;
@@ -803,44 +816,44 @@ function showATOM()
803 $guid = $pageaddr.'?'.smallHash($link['linkdate']); 816 $guid = $pageaddr.'?'.smallHash($link['linkdate']);
804 $iso8601date = linkdate2iso8601($link['linkdate']); 817 $iso8601date = linkdate2iso8601($link['linkdate']);
805 $latestDate = max($latestDate,$iso8601date); 818 $latestDate = max($latestDate,$iso8601date);
806 $absurl = htmlspecialchars($link['url']); 819 $absurl = $link['url'];
807 if (startsWith($absurl,'?')) $absurl=$pageaddr.$absurl; // make permalink URL absolute 820 if (startsWith($absurl,'?')) $absurl=$pageaddr.$absurl; // make permalink URL absolute
808 $entries.='<entry><title>'.htmlspecialchars($link['title']).'</title>'; 821 $entries.='<entry><title>'.$link['title'].'</title>';
809 if ($usepermalinks===true) 822 if ($usepermalinks===true)
810 $entries.='<link href="'.$guid.'" /><id>'.$guid.'</id>'; 823 $entries.='<link href="'.$guid.'" /><id>'.$guid.'</id>';
811 else 824 else
812 $entries.='<link href="'.$absurl.'" /><id>'.$guid.'</id>'; 825 $entries.='<link href="'.$absurl.'" /><id>'.$guid.'</id>';
813 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $entries.='<updated>'.htmlspecialchars($iso8601date).'</updated>'; 826 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $entries.='<updated>'.escape($iso8601date).'</updated>';
814 827
815 // Add permalink in description 828 // Add permalink in description
816 $descriptionlink = htmlspecialchars('(<a href="'.$guid.'">Permalink</a>)'); 829 $descriptionlink = '(<a href="'.$guid.'">Permalink</a>)';
817 // If user wants permalinks first, put the final link in description 830 // If user wants permalinks first, put the final link in description
818 if ($usepermalinks===true) $descriptionlink = htmlspecialchars('(<a href="'.$absurl.'">Link</a>)'); 831 if ($usepermalinks===true) $descriptionlink = '(<a href="'.$absurl.'">Link</a>)';
819 if (strlen($link['description'])>0) $descriptionlink = '&lt;br&gt;'.$descriptionlink; 832 if (strlen($link['description'])>0) $descriptionlink = '<br>'.$descriptionlink;
820 833
821 $entries.='<content type="html">'.htmlspecialchars(nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description']))))).$descriptionlink."</content>\n"; 834 $entries.='<content type="html"><![CDATA['.nl2br(keepMultipleSpaces(text2clickable($link['description']))).$descriptionlink."]]></content>\n";
822 if ($link['tags']!='') // Adding tags to each ATOM entry (as mentioned in ATOM specification) 835 if ($link['tags']!='') // Adding tags to each ATOM entry (as mentioned in ATOM specification)
823 { 836 {
824 foreach(explode(' ',$link['tags']) as $tag) 837 foreach(explode(' ',$link['tags']) as $tag)
825 { $entries.='<category scheme="'.htmlspecialchars($pageaddr,ENT_QUOTES).'" term="'.htmlspecialchars($tag,ENT_QUOTES).'" />'."\n"; } 838 { $entries.='<category scheme="'.$pageaddr.'" term="'.$tag.'" />'."\n"; }
826 } 839 }
827 $entries.="</entry>\n"; 840 $entries.="</entry>\n";
828 $i++; 841 $i++;
829 } 842 }
830 $feed='<?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom">'; 843 $feed='<?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom">';
831 $feed.='<title>'.htmlspecialchars($GLOBALS['title']).'</title>'; 844 $feed.='<title>'.$GLOBALS['title'].'</title>';
832 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $feed.='<updated>'.htmlspecialchars($latestDate).'</updated>'; 845 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $feed.='<updated>'.escape($latestDate).'</updated>';
833 $feed.='<link rel="self" href="'.htmlspecialchars(serverUrl().$_SERVER["REQUEST_URI"]).'" />'; 846 $feed.='<link rel="self" href="'.escape(serverUrl().$_SERVER["REQUEST_URI"]).'" />';
834 if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) 847 if (!empty($GLOBALS['config']['PUBSUBHUB_URL']))
835 { 848 {
836 $feed.='<!-- PubSubHubbub Discovery -->'; 849 $feed.='<!-- PubSubHubbub Discovery -->';
837 $feed.='<link rel="hub" href="'.htmlspecialchars($GLOBALS['config']['PUBSUBHUB_URL']).'" />'; 850 $feed.='<link rel="hub" href="'.escape($GLOBALS['config']['PUBSUBHUB_URL']).'" />';
838 $feed.='<!-- End Of PubSubHubbub Discovery -->'; 851 $feed.='<!-- End Of PubSubHubbub Discovery -->';
839 } 852 }
840 $feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>'; 853 $feed.='<author><name>'.$pageaddr.'</name><uri>'.$pageaddr.'</uri></author>';
841 $feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do. 854 $feed.='<id>'.$pageaddr.'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do.
842 $feed.=$entries; 855 $feed.=$entries;
843 $feed.='</feed><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; 856 $feed.='</feed><!-- Cached version of '.escape(pageUrl()).' -->';
844 echo $feed; 857 echo $feed;
845 858
846 $cache->cache(ob_get_contents()); 859 $cache->cache(ob_get_contents());
@@ -882,18 +895,18 @@ function showDailyRSS()
882 895
883 // Build the RSS feed. 896 // Build the RSS feed.
884 header('Content-Type: application/rss+xml; charset=utf-8'); 897 header('Content-Type: application/rss+xml; charset=utf-8');
885 $pageaddr=htmlspecialchars(indexUrl()); 898 $pageaddr=escape(indexUrl());
886 echo '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">'; 899 echo '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">';
887 echo '<channel><title>Daily - '.htmlspecialchars($GLOBALS['title']).'</title><link>'.$pageaddr.'</link>'; 900 echo '<channel><title>Daily - '.$GLOBALS['title'].'</title><link>'.$pageaddr.'</link>';
888 echo '<description>Daily shared links</description><language>en-en</language><copyright>'.$pageaddr.'</copyright>'."\n"; 901 echo '<description>Daily shared links</description><language>en-en</language><copyright>'.$pageaddr.'</copyright>'."\n";
889 902
890 foreach($days as $day=>$linkdates) // For each day. 903 foreach($days as $day=>$linkdates) // For each day.
891 { 904 {
892 $daydate = utf8_encode(strftime('%A %d, %B %Y',linkdate2timestamp($day.'_000000'))); // Full text date 905 $daydate = utf8_encode(strftime('%A %d, %B %Y',linkdate2timestamp($day.'_000000'))); // Full text date
893 $rfc822date = linkdate2rfc822($day.'_000000'); 906 $rfc822date = linkdate2rfc822($day.'_000000');
894 $absurl=htmlspecialchars(indexUrl().'?do=daily&day='.$day); // Absolute URL of the corresponding "Daily" page. 907 $absurl=escape(indexUrl().'?do=daily&day='.$day); // Absolute URL of the corresponding "Daily" page.
895 echo '<item><title>'.htmlspecialchars($GLOBALS['title'].' - '.$daydate).'</title><guid>'.$absurl.'</guid><link>'.$absurl.'</link>'; 908 echo '<item><title>'.$GLOBALS['title'].' - '.$daydate.'</title><guid>'.$absurl.'</guid><link>'.$absurl.'</link>';
896 echo '<pubDate>'.htmlspecialchars($rfc822date)."</pubDate>"; 909 echo '<pubDate>'.escape($rfc822date)."</pubDate>";
897 910
898 // Build the HTML body of this RSS entry. 911 // Build the HTML body of this RSS entry.
899 $html=''; 912 $html='';
@@ -903,7 +916,7 @@ function showDailyRSS()
903 foreach($linkdates as $linkdate) 916 foreach($linkdates as $linkdate)
904 { 917 {
905 $l = $LINKSDB[$linkdate]; 918 $l = $LINKSDB[$linkdate];
906 $l['formatedDescription']=nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($l['description'])))); 919 $l['formatedDescription']=nl2br(keepMultipleSpaces(text2clickable($l['description'])));
907 $l['thumbnail'] = thumbnail($l['url']); 920 $l['thumbnail'] = thumbnail($l['url']);
908 $l['timestamp'] = linkdate2timestamp($l['linkdate']); 921 $l['timestamp'] = linkdate2timestamp($l['linkdate']);
909 if (startsWith($l['url'],'?')) $l['url']=indexUrl().$l['url']; // make permalink URL absolute 922 if (startsWith($l['url'],'?')) $l['url']=indexUrl().$l['url']; // make permalink URL absolute
@@ -917,7 +930,7 @@ function showDailyRSS()
917 echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n"; 930 echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n";
918 931
919 } 932 }
920 echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; 933 echo '</channel></rss><!-- Cached version of '.escape(pageUrl()).' -->';
921 934
922 $cache->cache(ob_get_contents()); 935 $cache->cache(ob_get_contents());
923 ob_end_flush(); 936 ob_end_flush();
@@ -929,7 +942,6 @@ function showDaily()
929{ 942{
930 $LINKSDB = new LinkDB(isLoggedIn() || $GLOBALS['config']['OPEN_SHAARLI']); // Read links from database (and filter private links if used it not logged in). 943 $LINKSDB = new LinkDB(isLoggedIn() || $GLOBALS['config']['OPEN_SHAARLI']); // Read links from database (and filter private links if used it not logged in).
931 944
932
933 $day=Date('Ymd',strtotime('-1 day')); // Yesterday, in format YYYYMMDD. 945 $day=Date('Ymd',strtotime('-1 day')); // Yesterday, in format YYYYMMDD.
934 if (isset($_GET['day'])) $day=$_GET['day']; 946 if (isset($_GET['day'])) $day=$_GET['day'];
935 947
@@ -948,10 +960,11 @@ function showDaily()
948 // We pre-format some fields for proper output. 960 // We pre-format some fields for proper output.
949 foreach($linksToDisplay as $key=>$link) 961 foreach($linksToDisplay as $key=>$link)
950 { 962 {
963
951 $taglist = explode(' ',$link['tags']); 964 $taglist = explode(' ',$link['tags']);
952 uasort($taglist, 'strcasecmp'); 965 uasort($taglist, 'strcasecmp');
953 $linksToDisplay[$key]['taglist']=$taglist; 966 $linksToDisplay[$key]['taglist']=$taglist;
954 $linksToDisplay[$key]['formatedDescription']=nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))); 967 $linksToDisplay[$key]['formatedDescription']=nl2br(keepMultipleSpaces(text2clickable($link['description'])));
955 $linksToDisplay[$key]['thumbnail'] = thumbnail($link['url']); 968 $linksToDisplay[$key]['thumbnail'] = thumbnail($link['url']);
956 $linksToDisplay[$key]['timestamp'] = linkdate2timestamp($link['linkdate']); 969 $linksToDisplay[$key]['timestamp'] = linkdate2timestamp($link['linkdate']);
957 } 970 }
@@ -1002,7 +1015,7 @@ function renderPage()
1002 $token=''; if (ban_canLogin()) $token=getToken(); // Do not waste token generation if not useful. 1015 $token=''; if (ban_canLogin()) $token=getToken(); // Do not waste token generation if not useful.
1003 $PAGE = new pageBuilder; 1016 $PAGE = new pageBuilder;
1004 $PAGE->assign('token',$token); 1017 $PAGE->assign('token',$token);
1005 $PAGE->assign('returnurl',(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER']:'')); 1018 $PAGE->assign('returnurl',(isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']):''));
1006 $PAGE->renderPage('loginform'); 1019 $PAGE->renderPage('loginform');
1007 exit; 1020 exit;
1008 } 1021 }
@@ -1030,7 +1043,7 @@ function renderPage()
1030 // Get only links which have a thumbnail. 1043 // Get only links which have a thumbnail.
1031 foreach($links as $link) 1044 foreach($links as $link)
1032 { 1045 {
1033 $permalink='?'.htmlspecialchars(smallhash($link['linkdate']),ENT_QUOTES); 1046 $permalink='?'.escape(smallhash($link['linkdate']));
1034 $thumb=lazyThumbnail($link['url'],$permalink); 1047 $thumb=lazyThumbnail($link['url'],$permalink);
1035 if ($thumb!='') // Only output links which have a thumbnail. 1048 if ($thumb!='') // Only output links which have a thumbnail.
1036 { 1049 {
@@ -1239,8 +1252,8 @@ function renderPage()
1239 $PAGE = new pageBuilder; 1252 $PAGE = new pageBuilder;
1240 $PAGE->assign('linkcount',count($LINKSDB)); 1253 $PAGE->assign('linkcount',count($LINKSDB));
1241 $PAGE->assign('token',getToken()); 1254 $PAGE->assign('token',getToken());
1242 $PAGE->assign('title',htmlspecialchars( empty($GLOBALS['title']) ? '' : $GLOBALS['title'] , ENT_QUOTES)); 1255 $PAGE->assign('title', empty($GLOBALS['title']) ? '' : $GLOBALS['title'] );
1243 $PAGE->assign('redirector',htmlspecialchars( empty($GLOBALS['redirector']) ? '' : $GLOBALS['redirector'] , ENT_QUOTES)); 1256 $PAGE->assign('redirector', empty($GLOBALS['redirector']) ? '' : $GLOBALS['redirector'] );
1244 list($timezone_form,$timezone_js) = templateTZform($GLOBALS['timezone']); 1257 list($timezone_form,$timezone_js) = templateTZform($GLOBALS['timezone']);
1245 $PAGE->assign('timezone_form',$timezone_form); // FIXME: Put entire tz form generation in template? 1258 $PAGE->assign('timezone_form',$timezone_form); // FIXME: Put entire tz form generation in template?
1246 $PAGE->assign('timezone_js',$timezone_js); 1259 $PAGE->assign('timezone_js',$timezone_js);
@@ -1400,7 +1413,7 @@ function renderPage()
1400 $PAGE->assign('link',$link); 1413 $PAGE->assign('link',$link);
1401 $PAGE->assign('link_is_new',false); 1414 $PAGE->assign('link_is_new',false);
1402 $PAGE->assign('token',getToken()); // XSRF protection. 1415 $PAGE->assign('token',getToken()); // XSRF protection.
1403 $PAGE->assign('http_referer',(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '')); 1416 $PAGE->assign('http_referer',(isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']) : ''));
1404 $PAGE->assign('tags', $LINKSDB->allTags()); 1417 $PAGE->assign('tags', $LINKSDB->allTags());
1405 $PAGE->renderPage('editlink'); 1418 $PAGE->renderPage('editlink');
1406 exit; 1419 exit;
@@ -1524,10 +1537,10 @@ HTML;
1524 ($exportWhat=='private' && $link['private']!=0) || 1537 ($exportWhat=='private' && $link['private']!=0) ||
1525 ($exportWhat=='public' && $link['private']==0)) 1538 ($exportWhat=='public' && $link['private']==0))
1526 { 1539 {
1527 echo '<DT><A HREF="'.htmlspecialchars($link['url']).'" ADD_DATE="'.linkdate2timestamp($link['linkdate']).'" PRIVATE="'.$link['private'].'"'; 1540 echo '<DT><A HREF="'.$link['url'].'" ADD_DATE="'.linkdate2timestamp($link['linkdate']).'" PRIVATE="'.$link['private'].'"';
1528 if ($link['tags']!='') echo ' TAGS="'.htmlspecialchars(str_replace(' ',',',$link['tags'])).'"'; 1541 if ($link['tags']!='') echo ' TAGS="'.str_replace(' ',',',$link['tags']).'"';
1529 echo '>'.htmlspecialchars($link['title'])."</A>\n"; 1542 echo '>'.$link['title']."</A>\n";
1530 if ($link['description']!='') echo '<DD>'.htmlspecialchars($link['description'])."\n"; 1543 if ($link['description']!='') echo '<DD>'.$link['description']."\n";
1531 } 1544 }
1532 } 1545 }
1533 exit; 1546 exit;
@@ -1540,7 +1553,7 @@ HTML;
1540 if (!isset($_POST['token']) || (!isset($_FILES)) || (isset($_FILES['filetoupload']['size']) && $_FILES['filetoupload']['size']==0)) 1553 if (!isset($_POST['token']) || (!isset($_FILES)) || (isset($_FILES['filetoupload']['size']) && $_FILES['filetoupload']['size']==0))
1541 { 1554 {
1542 $returnurl = ( empty($_SERVER['HTTP_REFERER']) ? '?' : $_SERVER['HTTP_REFERER'] ); 1555 $returnurl = ( empty($_SERVER['HTTP_REFERER']) ? '?' : $_SERVER['HTTP_REFERER'] );
1543 echo '<script>alert("The file you are trying to upload is probably bigger than what this webserver can accept ('.getMaxFileSize().' bytes). Please upload in smaller chunks.");document.location=\''.htmlspecialchars($returnurl).'\';</script>'; 1556 echo '<script>alert("The file you are trying to upload is probably bigger than what this webserver can accept ('.getMaxFileSize().' bytes). Please upload in smaller chunks.");document.location=\''.escape($returnurl).'\';</script>';
1544 exit; 1557 exit;
1545 } 1558 }
1546 if (!tokenOk($_POST['token'])) die('Wrong token.'); 1559 if (!tokenOk($_POST['token'])) die('Wrong token.');
@@ -1663,13 +1676,13 @@ function buildLinkList($PAGE,$LINKSDB)
1663 if (isset($_GET['searchterm'])) // Fulltext search 1676 if (isset($_GET['searchterm'])) // Fulltext search
1664 { 1677 {
1665 $linksToDisplay = $LINKSDB->filterFulltext(trim($_GET['searchterm'])); 1678 $linksToDisplay = $LINKSDB->filterFulltext(trim($_GET['searchterm']));
1666 $search_crits=htmlspecialchars(trim($_GET['searchterm'])); 1679 $search_crits=escape(trim($_GET['searchterm']));
1667 $search_type='fulltext'; 1680 $search_type='fulltext';
1668 } 1681 }
1669 elseif (isset($_GET['searchtags'])) // Search by tag 1682 elseif (isset($_GET['searchtags'])) // Search by tag
1670 { 1683 {
1671 $linksToDisplay = $LINKSDB->filterTags(trim($_GET['searchtags'])); 1684 $linksToDisplay = $LINKSDB->filterTags(trim($_GET['searchtags']));
1672 $search_crits=explode(' ',trim($_GET['searchtags'])); 1685 $search_crits=explode(' ',escape(trim($_GET['searchtags'])));
1673 $search_type='tags'; 1686 $search_type='tags';
1674 } 1687 }
1675 elseif (isset($_SERVER['QUERY_STRING']) && preg_match('/[a-zA-Z0-9-_@]{6}(&.+?)?/',$_SERVER['QUERY_STRING'])) // Detect smallHashes in URL 1688 elseif (isset($_SERVER['QUERY_STRING']) && preg_match('/[a-zA-Z0-9-_@]{6}(&.+?)?/',$_SERVER['QUERY_STRING'])) // Detect smallHashes in URL
@@ -1721,7 +1734,7 @@ function buildLinkList($PAGE,$LINKSDB)
1721 while ($i<$end && $i<count($keys)) 1734 while ($i<$end && $i<count($keys))
1722 { 1735 {
1723 $link = $linksToDisplay[$keys[$i]]; 1736 $link = $linksToDisplay[$keys[$i]];
1724 $link['description']=nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))); 1737 $link['description']=nl2br(keepMultipleSpaces(text2clickable($link['description'])));
1725 $title=$link['title']; 1738 $title=$link['title'];
1726 $classLi = $i%2!=0 ? '' : 'publicLinkHightLight'; 1739 $classLi = $i%2!=0 ? '' : 'publicLinkHightLight';
1727 $link['class'] = ($link['private']==0 ? $classLi : 'private'); 1740 $link['class'] = ($link['private']==0 ? $classLi : 'private');
@@ -1867,7 +1880,7 @@ function computeThumbnail($url,$href=false)
1867 if ("/talks/" !== substr($path,0,7)) return array(); // This is not a single video URL. 1880 if ("/talks/" !== substr($path,0,7)) return array(); // This is not a single video URL.
1868 } 1881 }
1869 $sign = hash_hmac('sha256', $url, $GLOBALS['salt']); // We use the salt to sign data (it's random, secret, and specific to each installation) 1882 $sign = hash_hmac('sha256', $url, $GLOBALS['salt']); // We use the salt to sign data (it's random, secret, and specific to each installation)
1870 return array('src'=>indexUrl().'?do=genthumbnail&hmac='.htmlspecialchars($sign).'&url='.urlencode($url), 1883 return array('src'=>indexUrl().'?do=genthumbnail&hmac='.$sign.'&url='.urlencode($url),
1871 'href'=>$href,'width'=>'120','style'=>'height:auto;','alt'=>'thumbnail'); 1884 'href'=>$href,'width'=>'120','style'=>'height:auto;','alt'=>'thumbnail');
1872 } 1885 }
1873 1886
@@ -1878,7 +1891,7 @@ function computeThumbnail($url,$href=false)
1878 if ($ext=='jpg' || $ext=='jpeg' || $ext=='png' || $ext=='gif') 1891 if ($ext=='jpg' || $ext=='jpeg' || $ext=='png' || $ext=='gif')
1879 { 1892 {
1880 $sign = hash_hmac('sha256', $url, $GLOBALS['salt']); // We use the salt to sign data (it's random, secret, and specific to each installation) 1893 $sign = hash_hmac('sha256', $url, $GLOBALS['salt']); // We use the salt to sign data (it's random, secret, and specific to each installation)
1881 return array('src'=>indexUrl().'?do=genthumbnail&hmac='.htmlspecialchars($sign).'&url='.urlencode($url), 1894 return array('src'=>indexUrl().'?do=genthumbnail&hmac='.$sign.'&url='.urlencode($url),
1882 'href'=>$href,'width'=>'120','style'=>'height:auto;','alt'=>'thumbnail'); 1895 'href'=>$href,'width'=>'120','style'=>'height:auto;','alt'=>'thumbnail');
1883 } 1896 }
1884 return array(); // No thumbnail. 1897 return array(); // No thumbnail.
@@ -1897,11 +1910,11 @@ function thumbnail($url,$href=false)
1897 $t = computeThumbnail($url,$href); 1910 $t = computeThumbnail($url,$href);
1898 if (count($t)==0) return ''; // Empty array = no thumbnail for this URL. 1911 if (count($t)==0) return ''; // Empty array = no thumbnail for this URL.
1899 1912
1900 $html='<a href="'.htmlspecialchars($t['href']).'"><img src="'.htmlspecialchars($t['src']).'"'; 1913 $html='<a href="'.escape($t['href']).'"><img src="'.escape($t['src']).'"';
1901 if (!empty($t['width'])) $html.=' width="'.htmlspecialchars($t['width']).'"'; 1914 if (!empty($t['width'])) $html.=' width="'.escape($t['width']).'"';
1902 if (!empty($t['height'])) $html.=' height="'.htmlspecialchars($t['height']).'"'; 1915 if (!empty($t['height'])) $html.=' height="'.escape($t['height']).'"';
1903 if (!empty($t['style'])) $html.=' style="'.htmlspecialchars($t['style']).'"'; 1916 if (!empty($t['style'])) $html.=' style="'.escape($t['style']).'"';
1904 if (!empty($t['alt'])) $html.=' alt="'.htmlspecialchars($t['alt']).'"'; 1917 if (!empty($t['alt'])) $html.=' alt="'.escape($t['alt']).'"';
1905 $html.='></a>'; 1918 $html.='></a>';
1906 return $html; 1919 return $html;
1907} 1920}
@@ -1917,23 +1930,23 @@ function lazyThumbnail($url,$href=false)
1917 $t = computeThumbnail($url,$href); 1930 $t = computeThumbnail($url,$href);
1918 if (count($t)==0) return ''; // Empty array = no thumbnail for this URL. 1931 if (count($t)==0) return ''; // Empty array = no thumbnail for this URL.
1919 1932
1920 $html='<a href="'.htmlspecialchars($t['href']).'">'; 1933 $html='<a href="'.escape($t['href']).'">';
1921 1934
1922 // Lazy image 1935 // Lazy image
1923 $html.='<img class="b-lazy" src="#" data-src="'.htmlspecialchars($t['src']).'"'; 1936 $html.='<img class="b-lazy" src="#" data-src="'.escape($t['src']).'"';
1924 1937
1925 if (!empty($t['width'])) $html.=' width="'.htmlspecialchars($t['width']).'"'; 1938 if (!empty($t['width'])) $html.=' width="'.escape($t['width']).'"';
1926 if (!empty($t['height'])) $html.=' height="'.htmlspecialchars($t['height']).'"'; 1939 if (!empty($t['height'])) $html.=' height="'.escape($t['height']).'"';
1927 if (!empty($t['style'])) $html.=' style="'.htmlspecialchars($t['style']).'"'; 1940 if (!empty($t['style'])) $html.=' style="'.escape($t['style']).'"';
1928 if (!empty($t['alt'])) $html.=' alt="'.htmlspecialchars($t['alt']).'"'; 1941 if (!empty($t['alt'])) $html.=' alt="'.escape($t['alt']).'"';
1929 $html.='>'; 1942 $html.='>';
1930 1943
1931 // No-JavaScript fallback. 1944 // No-JavaScript fallback.
1932 $html.='<noscript><img src="'.htmlspecialchars($t['src']).'"'; 1945 $html.='<noscript><img src="'.escape($t['src']).'"';
1933 if (!empty($t['width'])) $html.=' width="'.htmlspecialchars($t['width']).'"'; 1946 if (!empty($t['width'])) $html.=' width="'.escape($t['width']).'"';
1934 if (!empty($t['height'])) $html.=' height="'.htmlspecialchars($t['height']).'"'; 1947 if (!empty($t['height'])) $html.=' height="'.escape($t['height']).'"';
1935 if (!empty($t['style'])) $html.=' style="'.htmlspecialchars($t['style']).'"'; 1948 if (!empty($t['style'])) $html.=' style="'.escape($t['style']).'"';
1936 if (!empty($t['alt'])) $html.=' alt="'.htmlspecialchars($t['alt']).'"'; 1949 if (!empty($t['alt'])) $html.=' alt="'.escape($t['alt']).'"';
1937 $html.='></noscript></a>'; 1950 $html.='></noscript></a>';
1938 1951
1939 return $html; 1952 return $html;
@@ -1983,7 +1996,7 @@ function install()
1983 $GLOBALS['login'] = $_POST['setlogin']; 1996 $GLOBALS['login'] = $_POST['setlogin'];
1984 $GLOBALS['salt'] = sha1(uniqid('',true).'_'.mt_rand()); // Salt renders rainbow-tables attacks useless. 1997 $GLOBALS['salt'] = sha1(uniqid('',true).'_'.mt_rand()); // Salt renders rainbow-tables attacks useless.
1985 $GLOBALS['hash'] = sha1($_POST['setpassword'].$GLOBALS['login'].$GLOBALS['salt']); 1998 $GLOBALS['hash'] = sha1($_POST['setpassword'].$GLOBALS['login'].$GLOBALS['salt']);
1986 $GLOBALS['title'] = (empty($_POST['title']) ? 'Shared links on '.htmlspecialchars(indexUrl()) : $_POST['title'] ); 1999 $GLOBALS['title'] = (empty($_POST['title']) ? 'Shared links on '.escape(indexUrl()) : $_POST['title'] );
1987 $GLOBALS['config']['ENABLE_UPDATECHECK'] = !empty($_POST['updateCheck']); 2000 $GLOBALS['config']['ENABLE_UPDATECHECK'] = !empty($_POST['updateCheck']);
1988 writeConfig(); 2001 writeConfig();
1989 echo '<script>alert("Shaarli is now configured. Please enter your login/password and start shaaring your links!");document.location=\'?do=login\';</script>'; 2002 echo '<script>alert("Shaarli is now configured. Please enter your login/password and start shaaring your links!");document.location=\'?do=login\';</script>';
@@ -2210,7 +2223,7 @@ function genThumbnail()
2210 // This is more complex: we have to perform a HTTP request, then parse the result. 2223 // This is more complex: we have to perform a HTTP request, then parse the result.
2211 // Maybe we should deport this to JavaScript ? Example: http://stackoverflow.com/questions/1361149/get-img-thumbnails-from-vimeo/4285098#4285098 2224 // Maybe we should deport this to JavaScript ? Example: http://stackoverflow.com/questions/1361149/get-img-thumbnails-from-vimeo/4285098#4285098
2212 $vid = substr(parse_url($url,PHP_URL_PATH),1); 2225 $vid = substr(parse_url($url,PHP_URL_PATH),1);
2213 list($httpstatus,$headers,$data) = getHTTP('https://vimeo.com/api/v2/video/'.htmlspecialchars($vid).'.php',5); 2226 list($httpstatus,$headers,$data) = getHTTP('https://vimeo.com/api/v2/video/'.escape($vid).'.php',5);
2214 if (strpos($httpstatus,'200 OK')!==false) 2227 if (strpos($httpstatus,'200 OK')!==false)
2215 { 2228 {
2216 $t = unserialize($data); 2229 $t = unserialize($data);
diff --git a/tpl/daily.html b/tpl/daily.html
index 0f762490..38aa4012 100644
--- a/tpl/daily.html
+++ b/tpl/daily.html
@@ -36,12 +36,12 @@
36 {if="$link.tags"} 36 {if="$link.tags"}
37 <div class="dailyEntryTags"> 37 <div class="dailyEntryTags">
38 {loop="link.taglist"} 38 {loop="link.taglist"}
39 {$value|htmlspecialchars} - 39 {$value} -
40 {/loop} 40 {/loop}
41 </div> 41 </div>
42 {/if} 42 {/if}
43 <div class="dailyEntryTitle"> 43 <div class="dailyEntryTitle">
44 <a href="{$link.url}">{$link.title|htmlspecialchars}</a> 44 <a href="{$link.url}">{$link.title}</a>
45 </div> 45 </div>
46 {if="$link.thumbnail"} 46 {if="$link.thumbnail"}
47 <div class="dailyEntryThumbnail">{$link.thumbnail}</div> 47 <div class="dailyEntryThumbnail">{$link.thumbnail}</div>
diff --git a/tpl/dailyrss.html b/tpl/dailyrss.html
index a9b11e18..1b7ab8e9 100644
--- a/tpl/dailyrss.html
+++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@
1{loop="links"} 1{loop="links"}
2 <h3><a href="{$value.url}">{$value.title|htmlspecialchars}</a></h3> 2 <h3><a href="{$value.url}">{$value.title}</a></h3>
3 <small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags|htmlspecialchars}{/if}<br> 3 <small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
4 {$value.url|htmlspecialchars}</small><br> 4 {$value.url}</small><br>
5 {if="$value.thumbnail"}{$value.thumbnail}{/if}<br> 5 {if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
6 {if="$value.description"}{$value.formatedDescription}{/if} 6 {if="$value.description"}{$value.formatedDescription}{/if}
7 <br><br><hr> 7 <br><br><hr>
diff --git a/tpl/editlink.html b/tpl/editlink.html
index 0276f088..6737c412 100644
--- a/tpl/editlink.html
+++ b/tpl/editlink.html
@@ -15,11 +15,11 @@
15 <div id="editlinkform"> 15 <div id="editlinkform">
16 <form method="post" name="linkform"> 16 <form method="post" name="linkform">
17 <input type="hidden" name="lf_linkdate" value="{$link.linkdate}"> 17 <input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
18 <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br> 18 <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
19 <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br> 19 <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
20 <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br> 20 <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
21 <label for="lf_tags"><i>Tags</i></label><br> 21 <label for="lf_tags"><i>Tags</i></label><br>
22 <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input" 22 <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
23 data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br> 23 data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
24 {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"} 24 {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
25 <input type="checkbox" checked="checked" name="lf_private" id="lf_private"> 25 <input type="checkbox" checked="checked" name="lf_private" id="lf_private">
@@ -32,7 +32,7 @@
32 <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton"> 32 <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
33 {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if} 33 {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
34 <input type="hidden" name="token" value="{$token}"> 34 <input type="hidden" name="token" value="{$token}">
35 {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if} 35 {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
36 </form> 36 </form>
37 </div> 37 </div>
38</div> 38</div>
diff --git a/tpl/import.html b/tpl/import.html
index 9ac3c2f9..6c4f9421 100644
--- a/tpl/import.html
+++ b/tpl/import.html
@@ -5,11 +5,11 @@
5<div id="pageheader"> 5<div id="pageheader">
6 {include="page.header"} 6 {include="page.header"}
7 <div id="uploaddiv"> 7 <div id="uploaddiv">
8 Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize|htmlspecialchars} bytes). 8 Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize} bytes).
9 <form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform"> 9 <form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform">
10 <input type="hidden" name="token" value="{$token}"> 10 <input type="hidden" name="token" value="{$token}">
11 <input type="file" name="filetoupload"> 11 <input type="file" name="filetoupload">
12 <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize|htmlspecialchars}"> 12 <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize}">
13 <input type="submit" name="import_file" value="Import" class="bigbutton"><br> 13 <input type="submit" name="import_file" value="Import" class="bigbutton"><br>
14 <input type="checkbox" name="private" id="private"><label for="private">&nbsp;Import all links as private</label><br> 14 <input type="checkbox" name="private" id="private"><label for="private">&nbsp;Import all links as private</label><br>
15 <input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite">&nbsp;Overwrite existing links</label> 15 <input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite">&nbsp;Overwrite existing links</label>
diff --git a/tpl/linklist.html b/tpl/linklist.html
index a59a9e51..daf87060 100644
--- a/tpl/linklist.html
+++ b/tpl/linklist.html
@@ -33,7 +33,7 @@
33 {if="$search_type=='tags'"} 33 {if="$search_type=='tags'"}
34 <div id="searchcriteria">{$result_count} results for tags <i> 34 <div id="searchcriteria">{$result_count} results for tags <i>
35 {loop="search_crits"} 35 {loop="search_crits"}
36 <span class="linktag" title="Remove tag"><a href="?removetag={$value|htmlspecialchars}">{$value|htmlspecialchars} <span class="remove">x</span></a></span> 36 <span class="linktag" title="Remove tag"><a href="?removetag={$value}">{$value} <span class="remove">x</span></a></span>
37 {/loop}</i></div> 37 {/loop}</i></div>
38 {/if} 38 {/if}
39 {/if} 39 {/if}
@@ -50,7 +50,7 @@
50 <input type="hidden" name="token" value="{$token}"><input type="hidden" name="delete_link"><input type="image" alt="Delete" src="images/delete_icon.png#" title="Delete" class="button_delete" onClick="return confirmDeleteLink();"></form> 50 <input type="hidden" name="token" value="{$token}"><input type="hidden" name="delete_link"><input type="image" alt="Delete" src="images/delete_icon.png#" title="Delete" class="button_delete" onClick="return confirmDeleteLink();"></form>
51 </div> 51 </div>
52 {/if} 52 {/if}
53 <span class="linktitle"><a href="{$redirector}{$value.url|htmlspecialchars}">{$value.title|htmlspecialchars}</a></span> 53 <span class="linktitle"><a href="{$redirector}{$value.url}">{$value.title}</a></span>
54 <br> 54 <br>
55 {if="$value.description"}<div class="linkdescription">{$value.description}</div>{/if} 55 {if="$value.description"}<div class="linkdescription">{$value.description}</div>{/if}
56 {if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"} 56 {if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"}
@@ -59,15 +59,15 @@
59 <span class="linkdate" title="Short link here"><a href="?{$value.linkdate|smallHash}">permalink</a> - </span> 59 <span class="linkdate" title="Short link here"><a href="?{$value.linkdate|smallHash}">permalink</a> - </span>
60 {/if} 60 {/if}
61 {if="$GLOBALS['config']['ARCHIVE_ORG']"} 61 {if="$GLOBALS['config']['ARCHIVE_ORG']"}
62 <span class="linkarchive"><a href="https://web.archive.org/web/{$value.url|htmlspecialchars}">archive</a> - </span> 62 <span class="linkarchive"><a href="https://web.archive.org/web/{$value.url}">archive</a> - </span>
63 {/if} 63 {/if}
64 <div class="linkqrcode"><a href="http://qrfree.kaywa.com/?l=1&amp;s=8&amp;d={$scripturl|urlencode}%3F{$value.linkdate|smallHash}" 64 <div class="linkqrcode"><a href="http://qrfree.kaywa.com/?l=1&amp;s=8&amp;d={$scripturl|urlencode}%3F{$value.linkdate|smallHash}"
65 onclick="return showQrCode(this);" class="qrcode" data-permalink="{$scripturl}?{$value.linkdate|smallHash}"> 65 onclick="return showQrCode(this);" class="qrcode" data-permalink="{$scripturl}?{$value.linkdate|smallHash}">
66 <img src="images/qrcode.png#" alt="QR-Code" title="{function="strftime('%c', $value.timestamp)"}"></a></div> - 66 <img src="images/qrcode.png#" alt="QR-Code" title="{function="strftime('%c', $value.timestamp)"}"></a></div> -
67 <a href="{$value.url|htmlspecialchars}"><span class="linkurl" title="Short link">{$value.url|htmlspecialchars}</span></a><br> 67 <a href="{$value.url}"><span class="linkurl" title="Short link">{$value.url}</span></a><br>
68 {if="$value.tags"} 68 {if="$value.tags"}
69 <div class="linktaglist"> 69 <div class="linktaglist">
70 {loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value|htmlspecialchars}</a></span> {/loop} 70 {loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value}</a></span> {/loop}
71 </div> 71 </div>
72 {/if} 72 {/if}
73 </div> 73 </div>
diff --git a/tpl/loginform.html b/tpl/loginform.html
index 91b948dd..678375fd 100644
--- a/tpl/loginform.html
+++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
17 <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3"> 17 <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
18 Stay signed in (Do not check on public computers)</label> 18 Stay signed in (Do not check on public computers)</label>
19 <input type="hidden" name="token" value="{$token}"> 19 <input type="hidden" name="token" value="{$token}">
20 {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl|htmlspecialchars}">{/if} 20 {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
21 </form> 21 </form>
22{/if} 22{/if}
23 </div> 23 </div>
diff --git a/tpl/page.footer.html b/tpl/page.footer.html
index 42c621b9..8143669d 100644
--- a/tpl/page.footer.html
+++ b/tpl/page.footer.html
@@ -2,7 +2,7 @@
2 <b><a href="https://github.com/shaarli/Shaarli">Shaarli</a></b> - The personal, minimalist, super-fast, no-database delicious clone by the <a href="https://github.com/shaarli/Shaarli">Shaarli</a> community - <a href="doc/Home.html">Help/documentation</a> 2 <b><a href="https://github.com/shaarli/Shaarli">Shaarli</a></b> - The personal, minimalist, super-fast, no-database delicious clone by the <a href="https://github.com/shaarli/Shaarli">Shaarli</a> community - <a href="doc/Home.html">Help/documentation</a>
3</div> 3</div>
4{if="$newversion"} 4{if="$newversion"}
5 <div id="newversion"><span id="version_id">&#x25CF;</span> Shaarli {$newversion|htmlspecialchars} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div> 5 <div id="newversion"><span id="version_id">&#x25CF;</span> Shaarli {$newversion} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div>
6{/if} 6{/if}
7{if="isLoggedIn()"} 7{if="isLoggedIn()"}
8<script>function confirmDeleteLink() { var agree=confirm("Are you sure you want to delete this link ?"); if (agree) return true ; else return false ; }</script> 8<script>function confirmDeleteLink() { var agree=confirm("Are you sure you want to delete this link ?"); if (agree) return true ; else return false ; }</script>
diff --git a/tpl/page.header.html b/tpl/page.header.html
index 0fd65e40..2d186aa2 100644
--- a/tpl/page.header.html
+++ b/tpl/page.header.html
@@ -8,7 +8,7 @@
8<div id="menu"> 8<div id="menu">
9 <ul> 9 <ul>
10 <li><span id="shaarli_title"> 10 <li><span id="shaarli_title">
11 <a href="{$titleLink}">{$shaarlititle|htmlspecialchars}</a> 11 <a href="{$titleLink}">{$shaarlititle}</a>
12 </span> 12 </span>
13 </li> 13 </li>
14 14
diff --git a/tpl/picwall.html b/tpl/picwall.html
index e686afe1..9a2a4715 100644
--- a/tpl/picwall.html
+++ b/tpl/picwall.html
@@ -9,7 +9,7 @@
9 <div id="picwall_container"> 9 <div id="picwall_container">
10 {loop="linksToDisplay"} 10 {loop="linksToDisplay"}
11 <div class="picwall_pictureframe"> 11 <div class="picwall_pictureframe">
12 {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title|htmlspecialchars}</span></a> 12 {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title}</span></a>
13 </div> 13 </div>
14 {/loop} 14 {/loop}
15 </div> 15 </div>
diff --git a/tpl/tagcloud.html b/tpl/tagcloud.html
index 97205e2b..092f2294 100644
--- a/tpl/tagcloud.html
+++ b/tpl/tagcloud.html
@@ -6,7 +6,7 @@
6<div class="center"> 6<div class="center">
7 <div id="cloudtag"> 7 <div id="cloudtag">
8 {loop="tags"} 8 {loop="tags"}
9 <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key|htmlspecialchars}</a> 9 <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key}</a>
10 {/loop} 10 {/loop}
11 </div> 11 </div>
12</div> 12</div>