Security: fix multiple XSS vulnerabilities + fix search tags with special chars

XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
author: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
commit: 72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree: a4d6f446ec861f9a7591edb31f322e2a846b2bac /tpl/default/linklist.html
parent: df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download: Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/tpl/default/linklist.html b/tpl/default/linklist.html
index 2475f5fd..b08773d8 100644
--- a/tpl/default/linklist.html
+++ b/tpl/default/linklist.html
@@ -94,7 +94,7 @@
          {'tagged'|t}
          {loop="$exploded_tags"}
              <span class="label label-tag" title="{'Remove tag'|t}">
-                <a href="{$base_path}/remove-tag/{function="urlencode($value)"}" aria-label="{'Remove tag'|t}">
+                <a href="{$base_path}/remove-tag/{function="$search_tags_url.$key1"}" aria-label="{'Remove tag'|t}">
                  {$value}<span class="remove"><i class="fa fa-times" aria-hidden="true"></i></span>
                </a>
              </span>
@@ -183,7 +183,7 @@
                {$tag_counter=count($value.taglist)}
                {loop="value.taglist"}
                  <span class="label label-tag" title="{$strAddTag}">
-                    <a href="{$base_path}/add-tag/{$value|urlencode}">{$value}</a>
+                    <a href="{$base_path}/add-tag/{$value1.urlencoded_taglist.$key2}">{$value}</a>
                  </span>
                  {if="$tag_counter - 1 != $counter"}&middot;{/if}
                {/loop}
author	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
commit	72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree	a4d6f446ec861f9a7591edb31f322e2a846b2bac /tpl/default/linklist.html
parent	df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download	Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip

diff --git a/tpl/default/linklist.html b/tpl/default/linklist.html index 2475f5fd..b08773d8 100644 --- a/tpl/default/linklist.html +++ b/tpl/default/linklist.html
@@ -94,7 +94,7 @@
94	{'tagged'\|t}	94	{'tagged'\|t}
95	{loop="$exploded_tags"}	95	{loop="$exploded_tags"}
96	<span class="label label-tag" title="{'Remove tag'\|t}">	96	<span class="label label-tag" title="{'Remove tag'\|t}">
97	<a href="{$base_path}/remove-tag/{function="urlencode($value)"}" aria-label="{'Remove tag'\|t}">	97	<a href="{$base_path}/remove-tag/{function="$search_tags_url.$key1"}" aria-label="{'Remove tag'\|t}">
98	{$value}<span class="remove"><i class="fa fa-times" aria-hidden="true"></i></span>	98	{$value}<span class="remove"><i class="fa fa-times" aria-hidden="true"></i></span>
99	</a>	99	</a>
100	</span>	100	</span>
@@ -183,7 +183,7 @@
183	{$tag_counter=count($value.taglist)}	183	{$tag_counter=count($value.taglist)}
184	{loop="value.taglist"}	184	{loop="value.taglist"}
185	<span class="label label-tag" title="{$strAddTag}">	185	<span class="label label-tag" title="{$strAddTag}">
186	<a href="{$base_path}/add-tag/{$value\|urlencode}">{$value}</a>	186	<a href="{$base_path}/add-tag/{$value1.urlencoded_taglist.$key2}">{$value}</a>
187	</span>	187	</span>
188	{if="$tag_counter - 1 != $counter"}·{/if}	188	{if="$tag_counter - 1 != $counter"}·{/if}
189	{/loop}	189	{/loop}