Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  	It means no escaping function in Twig templates.
    2 reasons:
    * it reduces risks of security issue for future user made templates
    * more readable templates
  * sanitize user configuration fields after loading them.

1 files changed, 2 insertions, 2 deletions

diff --git a/tpl/import.html b/tpl/import.html
index 9ac3c2f9..6c4f9421 100644
--- a/tpl/import.html
+++ b/tpl/import.html
@@ -5,11 +5,11 @@
 <div id="pageheader">
         {include="page.header"}
         <div id="uploaddiv">
-        Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize|htmlspecialchars} bytes).
+        Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize} bytes).
         <form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform">
             <input type="hidden" name="token" value="{$token}">
             <input type="file" name="filetoupload">
-            <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize|htmlspecialchars}">
+            <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize}">
             <input type="submit" name="import_file" value="Import" class="bigbutton"><br>
             <input type="checkbox" name="private" id="private"><label for="private">&nbsp;Import all links as private</label><br>
             <input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite">&nbsp;Overwrite existing links</label>