| author | ArthurHoaro <arthur@hoa.ro> | 2015-06-11 13:53:27 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2015-06-23 16:35:36 +0200 |
| commit | 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch) | |
| tree | 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/editlink.html | |
| parent | 0923a2bc1b097bf1def882722db489d83d95c423 (diff) | |
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  It means no escaping function in Twig templates.
  2 reasons:
  * it reduces risks of security issues for future user-made templates
  * more readable templates
* sanitize user configuration fields after loading them.
Diffstat (limited to 'tpl/editlink.html')
-rw-r--r-- | tpl/editlink.html | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/tpl/editlink.html b/tpl/editlink.html index 0276f088..6737c412 100644 --- a/tpl/editlink.html +++ b/tpl/editlink.html | |||
@@ -15,11 +15,11 @@ | |||
15 | <div id="editlinkform"> | 15 | <div id="editlinkform"> |
16 | <form method="post" name="linkform"> | 16 | <form method="post" name="linkform"> |
17 | <input type="hidden" name="lf_linkdate" value="{$link.linkdate}"> | 17 | <input type="hidden" name="lf_linkdate" value="{$link.linkdate}"> |
18 | <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br> | 18 | <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br> |
19 | <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br> | 19 | <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br> |
20 | <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br> | 20 | <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br> |
21 | <label for="lf_tags"><i>Tags</i></label><br> | 21 | <label for="lf_tags"><i>Tags</i></label><br> |
22 | <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input" | 22 | <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input" |
23 | data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br> | 23 | data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br> |
24 | {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"} | 24 | {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"} |
25 | <input type="checkbox" checked="checked" name="lf_private" id="lf_private"> | 25 | <input type="checkbox" checked="checked" name="lf_private" id="lf_private"> |
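Review bot: with the `|htmlspecialchars` filters dropped from `$link.url`, `$link.title`, `$link.description` and `$link.tags` (lines 18-22), this template is only safe if every code path in `index.php` that renders `editlink.html` (editing a stored link as well as pre-filling a new one) runs those fields through the new `escape()` before assignment; a comment at the top of the template stating that all `$link` values arrive pre-escaped would keep future template authors from either re-escaping or assuming the filter is still needed. The tag autocomplete on line 23, `data-list="{loop="$tags"}{$key}, {/loop}"`, outputs the `$tags` keys with no filter in both the old and the new version, so confirm that the keys of `$tags` go through the same `escape()` path as the link fields, since a key containing `"` would otherwise terminate the attribute.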
@@ -32,7 +32,7 @@ | |||
32 | <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton"> | 32 | <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton"> |
33 | {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if} | 33 | {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if} |
34 | <input type="hidden" name="token" value="{$token}"> | 34 | <input type="hidden" name="token" value="{$token}"> |
35 | {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if} | 35 | {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if} |
36 | </form> | 36 | </form> |
37 | </div> | 37 | </div> |
38 | </div> | 38 | </div> |
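Review bot: removing `|htmlspecialchars` from `{$http_referer}` on line 35 relies on a different guarantee than the rest of the commit: the stated rule is to sanitize fields after reading them from the datastore, but `$http_referer` is request-derived, not stored data, so it is worth checking that the place in `index.php` that assigns `http_referer` to the template applies `escape()` explicitly; otherwise a quote in the referrer value breaks out of the `value="..."` attribute of the `returnurl` hidden input.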