authorArthurHoaro <arthur@hoa.ro>2015-06-11 13:53:27 +0200
committerArthurHoaro <arthur@hoa.ro>2015-06-23 16:35:36 +0200
commit5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/editlink.html
parent0923a2bc1b097bf1def882722db489d83d95c423 (diff)
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape`, based on `htmlspecialchars`. * sanitize fields in `index.php` after reading them from the datastore and before sending them to templates. This means no escaping function is needed in Twig templates, for 2 reasons: * it reduces the risk of security issues in future user-made templates * templates are more readable * sanitize user configuration fields after loading them.
Diffstat (limited to 'tpl/editlink.html')
-rw-r--r--tpl/editlink.html10
1 files changed, 5 insertions, 5 deletions
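--- a/tpl/editlink.html
+++ b/tpl/editlink.html
@@ -15,11 +15,11 @@
  <div id="editlinkform">
  <form method="post" name="linkform">
  <input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
- <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br>
- <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br>
- <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br>
+ <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
+ <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
+ <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
  <label for="lf_tags"><i>Tags</i></label><br>
- <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input"
+ <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
  data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
  {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
  <input type="checkbox" checked="checked" name="lf_private" id="lf_private">
@@ -32,7 +32,7 @@
  <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
  {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
  <input type="hidden" name="token" value="{$token}">
- {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if}
+ {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
  </form>
  </div>
 </div>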
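Review bot: `{$key}` in the `data-list` attribute on line 23 is emitted with no template-side escaping on either side of the hunk, so the pre-escaping now done in `index.php` has to cover the keys of `$tags` as well as the `$link` fields, and nothing in this hunk shows that it does; the same verification applies to `{$http_referer}` on line 35, which now reaches the `value` attribute unescaped. Since the escaping is no longer visible in the template, a comment at the top of the file stating that every variable is pre-escaped by `index.php` would help future template authors not to re-escape or, worse, assume raw output is safe; the file header lies outside this hunk. Separately, the `<input>` on line 22 carries `id="lf_tags"` twice; the new line should read `<input type="text" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"`.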