Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape` using `htmlspecialchars`. * sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons: * it reduces risks of security issue for future user made templates * more readable templates * sanitize user configuration fields after loading them.
author: ArthurHoaro <arthur@hoa.ro> 2015-06-11 13:53:27 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2015-06-23 16:35:36 +0200
commit: 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree: 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/loginform.html
parent: 0923a2bc1b097bf1def882722db489d83d95c423 (diff)
download: Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst
Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/tpl/loginform.html b/tpl/loginform.html
index 91b948dd..678375fd 100644
--- a/tpl/loginform.html
+++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
    <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
    Stay signed in (Do not check on public computers)</label>
    <input type="hidden" name="token" value="{$token}">
-    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl|htmlspecialchars}">{/if}
+    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
    </form>
 {/if}
    </div>
author	ArthurHoaro <arthur@hoa.ro>	2015-06-11 13:53:27 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2015-06-23 16:35:36 +0200
commit	5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch)
tree	5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/loginform.html
parent	0923a2bc1b097bf1def882722db489d83d95c423 (diff)
download	Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip

diff --git a/tpl/loginform.html b/tpl/loginform.html index 91b948dd..678375fd 100644 --- a/tpl/loginform.html +++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
17	<input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">	17	<input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
18	Stay signed in (Do not check on public computers)</label>	18	Stay signed in (Do not check on public computers)</label>
19	<input type="hidden" name="token" value="{$token}">	19	<input type="hidden" name="token" value="{$token}">
20	{if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl\|htmlspecialchars}">{/if}	20	{if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
21	</form>	21	</form>
22	{/if}	22	{/if}
23	</div>	23	</div>