authorArthurHoaro <arthur@hoa.ro>2015-06-11 13:53:27 +0200
committerArthurHoaro <arthur@hoa.ro>2015-06-23 16:35:36 +0200
commit5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree5615922c1c696ec04cc60625a8d401b2b297a462 /application
parent0923a2bc1b097bf1def882722db489d83d95c423 (diff)
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape`, based on `htmlspecialchars`. * sanitize fields in `index.php` after reading them from the datastore and before sending them to templates. This means no escaping function is needed in Twig templates, for 2 reasons: * it reduces the risk of security issues in future user-made templates * more readable templates * sanitize user configuration fields after loading them.
Diffstat (limited to 'application')
-rw-r--r--application/LinkDB.php5
1 files changed, 5 insertions, 0 deletions
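--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -245,6 +245,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess
         foreach ($this->links as $link) {
             $this->urls[$link['url']] = $link['linkdate'];
         }
+
+        // Escape links data
+        foreach($this->links as &$link) {
+            sanitizeLink($link);
+        }
     }
 
     /**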
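Review bot: The added loop iterates `$this->links` by reference (`foreach($this->links as &$link)`) and leaves `$link` bound to the last element once the loop ends; any later by-value `foreach ($this->links as $link)` in the same scope would silently overwrite that element, so the conventional guard is `unset($link);` immediately after the loop (the method closes right after it in this hunk, so nothing visible is affected, but the guard costs nothing). Because this escapes the in-memory links at load time, any path that writes `$this->links` back to the datastore would persist escaped values and re-escape them on the next load unless it stores raw data — worth confirming against the save path, which is outside the hunk. Minor style point: `foreach(` on the new line lacks the space used by `foreach (` at line 245.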