Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape` using `htmlspecialchars`. * sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons: * it reduces risks of security issue for future user made templates * more readable templates * sanitize user configuration fields after loading them.
author: ArthurHoaro <arthur@hoa.ro> 2015-06-11 13:53:27 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2015-06-23 16:35:36 +0200
commit: 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree: 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/dailyrss.html
parent: 0923a2bc1b097bf1def882722db489d83d95c423 (diff)
download: Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/tpl/dailyrss.html b/tpl/dailyrss.html
index a9b11e18..1b7ab8e9 100644
--- a/tpl/dailyrss.html
+++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@
 {loop="links"}
-        <h3><a href="{$value.url}">{$value.title|htmlspecialchars}</a></h3>
+        <h3><a href="{$value.url}">{$value.title}</a></h3>
-        <small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags|htmlspecialchars}{/if}<br>
+        <small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
-        {$value.url|htmlspecialchars}</small><br>
+        {$value.url}</small><br>
        {if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
        {if="$value.description"}{$value.formatedDescription}{/if}
        <br><br><hr>
author	ArthurHoaro <arthur@hoa.ro>	2015-06-11 13:53:27 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2015-06-23 16:35:36 +0200
commit	5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree	5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/dailyrss.html
parent	0923a2bc1b097bf1def882722db489d83d95c423 (diff)
download	Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip

diff --git a/tpl/dailyrss.html b/tpl/dailyrss.html index a9b11e18..1b7ab8e9 100644 --- a/tpl/dailyrss.html +++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@
1	{loop="links"}	1	{loop="links"}
2	<h3><a href="{$value.url}">{$value.title\|htmlspecialchars}</a></h3>	2	<h3><a href="{$value.url}">{$value.title}</a></h3>
3	<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags\|htmlspecialchars}{/if}<br>	3	<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
4	{$value.url\|htmlspecialchars}</small><br>	4	{$value.url}</small><br>
5	{if="$value.thumbnail"}{$value.thumbnail}{/if}<br>	5	{if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
6	{if="$value.description"}{$value.formatedDescription}{/if}	6	{if="$value.description"}{$value.formatedDescription}{/if}
7	<br><br><hr>	7	<br><br><hr>