path: root/tpl/daily.html
author: ArthurHoaro <arthur@hoa.ro> 2015-06-11 13:53:27 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2015-06-23 16:35:36 +0200
commit: 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree: 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/daily.html
parent: 0923a2bc1b097bf1def882722db489d83d95c423 (diff)
Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons:
  * it reduces risks of security issue for future user made templates
  * more readable templates
* sanitize user configuration fields after loading them.
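An added example, not code from Shaarli or from this commit, of the pattern the commit message describes: a single `escape()` built on `htmlspecialchars`, applied once in the controller to every field of a link record before it reaches a template, so the template itself carries no escaping. Field names (`url`, `title`, `tags`, `taglist`) follow what `tpl/daily.html` uses; `sanitizeUrl()`, `sanitizeLink()` and the http(s) allow-list are assumptions made for illustration, and the sample record is constructed.

```php
<?php
// Added example, not Shaarli's code: one escape() helper applied once, at the
// boundary between the datastore and the templates. Field names are taken
// from tpl/daily.html; sanitizeUrl()/sanitizeLink() are illustrative names.

declare(strict_types=1);

function escape(string $str): string
{
    // ENT_QUOTES escapes ' as well as ", so the result is safe inside
    // single- or double-quoted attributes, not only in text nodes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (which
    // would silently blank a field). The encoding is stated explicitly.
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping is not enough for an href: "javascript:alert(1)" contains no
// HTML-special characters and survives htmlspecialchars unchanged.
// Assumption for this example: only http and https links are wanted.
function sanitizeUrl(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return escape($url);
}

// Called once per link after reading it from the datastore. The template
// must then output every field raw; a second escape pass would double-encode
// (an already escaped &lt; would become &amp;lt;).
function sanitizeLink(array $link): array
{
    $rawTags = trim((string) ($link['tags'] ?? ''));
    $tags = preg_split('/\s+/', $rawTags, -1, PREG_SPLIT_NO_EMPTY) ?: [];

    return [
        'url'     => sanitizeUrl((string) ($link['url'] ?? '')),
        'title'   => escape((string) ($link['title'] ?? '')),
        'tags'    => escape($rawTags),
        // Each tag is escaped individually because the template loops over
        // taglist and prints every entry on its own.
        'taglist' => array_map('escape', $tags),
    ];
}

// Constructed sample record with a hostile value in every field.
$stored = [
    'url'   => 'javascript:alert(document.cookie)',
    'title' => '<script>alert("xss")</script>',
    'tags'  => 'php "quoted" <b>tag</b>',
];

var_export(sanitizeLink($stored));
```

Running it shows the script tag in the title turned into entity text, the tag list escaped entry by entry, and the `javascript:` URL dropped rather than merely escaped. Keeping all of this in one place is what makes the template-side removal in the diff below safe: the invariant "every variable handed to a template is already escaped" has to be enforced by the single sanitization pass, and any new field added to a template later must go through it too.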
Diffstat (limited to 'tpl/daily.html')
-rw-r--r-- tpl/daily.html 4
1 file changed, 2 insertions, 2 deletions
diff --git a/tpl/daily.html b/tpl/daily.html
index 0f762490..38aa4012 100644
--- a/tpl/daily.html
+++ b/tpl/daily.html
@@ -36,12 +36,12 @@
36 {if="$link.tags"} 36 {if="$link.tags"}
37 <div class="dailyEntryTags"> 37 <div class="dailyEntryTags">
38 {loop="link.taglist"} 38 {loop="link.taglist"}
39 {$value|htmlspecialchars} - 39 {$value} -
40 {/loop} 40 {/loop}
41 </div> 41 </div>
42 {/if} 42 {/if}
43 <div class="dailyEntryTitle"> 43 <div class="dailyEntryTitle">
44 <a href="{$link.url}">{$link.title|htmlspecialchars}</a> 44 <a href="{$link.url}">{$link.title}</a>
45 </div> 45 </div>
46 {if="$link.thumbnail"} 46 {if="$link.thumbnail"}
47 <div class="dailyEntryThumbnail">{$link.thumbnail}</div> 47 <div class="dailyEntryThumbnail">{$link.thumbnail}</div>
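Review bot: with `|htmlspecialchars` dropped from `{$value}` (line 39) and `{$link.title}` (line 44), this template is only safe if `index.php` escapes every field it hands over, and nothing in this hunk shows that side of the change; please reference where `title` and `taglist` are now escaped. Note also that `{$link.url}` inside the `href` (line 44) and `{$link.thumbnail}` (line 47) were already output unescaped before this change, so the new sanitization pass should cover `url` as well, including rejecting non-http schemes (which `htmlspecialchars` alone does not do), and should build `thumbnail` markup only from escaped pieces. A short comment at the top of the template stating that all variables arrive pre-escaped would stop future template authors from either re-escaping (double-encoding) or assuming raw values.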