author | ArthurHoaro <arthur@hoa.ro> | 2015-06-11 13:53:27 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2015-06-23 16:35:36 +0200 |
commit | 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch) | |
tree | 5615922c1c696ec04cc60625a8d401b2b297a462 /application | |
parent | 0923a2bc1b097bf1def882722db489d83d95c423 (diff) | |
download | Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip |
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  It means no escaping function in Twig templates. 2 reasons:
  * it reduces risks of security issues for future user-made templates
  * more readable templates
* sanitize user configuration fields after loading them.
Diffstat (limited to 'application')
-rw-r--r-- | application/LinkDB.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/application/LinkDB.php b/application/LinkDB.php index 137f42e5..0f7c5bfe 100644 --- a/application/LinkDB.php +++ b/application/LinkDB.php | |||
@@ -245,6 +245,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess | |||
245 | foreach ($this->links as $link) { | 245 | foreach ($this->links as $link) { |
246 | $this->urls[$link['url']] = $link['linkdate']; | 246 | $this->urls[$link['url']] = $link['linkdate']; |
247 | } | 247 | } |
248 | |||
249 | // Escape links data | ||
250 | foreach($this->links as &$link) { | ||
251 | sanitizeLink($link); | ||
252 | } | ||
248 | } | 253 | } |
249 | 254 | ||
250 | /** | 255 | /** |
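Review bot: the by-reference loop added at lines 250-252 (`foreach($this->links as &$link)`) leaves `$link` bound to the last element of `$this->links` after the loop; add `unset($link);` right after the closing brace so that any later by-value `foreach (... as $link)` in this method (the pattern used at line 245) cannot silently overwrite that element. Two further points on the same hunk: `$this->urls` is built at lines 245-247 from the raw `$link['url']` before `sanitizeLink()` escapes the entries, so the index keys and the escaped `$link['url']` values will differ for any URL containing `&`, `<`, `>`, `"` or `'`; confirm which form the lookups on `$this->urls` use, or build the index after escaping. And since this escaping happens on the in-memory array, it is worth confirming that the datastore is never written back from `$this->links` after this point (otherwise escaped data is persisted and re-escaped on the next load). Minor style: `foreach(` at line 250 should be `foreach (` to match line 245, and `sanitizeLink()` is not defined in this file, so a short comment or docblock pointing to where it lives would help readers of `LinkDB.php`.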