diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2015-06-11 13:53:27 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2015-06-23 16:35:36 +0200 |
| commit | 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch) | |
| tree | 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl/tagcloud.html | |
| parent | 0923a2bc1b097bf1def882722db489d83d95c423 (diff) | |
| download | Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip | |
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
Diffstat (limited to 'tpl/tagcloud.html')
| -rw-r--r-- | tpl/tagcloud.html | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tpl/tagcloud.html b/tpl/tagcloud.html index 97205e2b..092f2294 100644 --- a/tpl/tagcloud.html +++ b/tpl/tagcloud.html | |||
| @@ -6,7 +6,7 @@ | |||
| 6 | <div class="center"> | 6 | <div class="center"> |
| 7 | <div id="cloudtag"> | 7 | <div id="cloudtag"> |
| 8 | {loop="tags"} | 8 | {loop="tags"} |
| 9 | <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key|htmlspecialchars}</a> | 9 | <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key}</a> |
| 10 | {/loop} | 10 | {/loop} |
| 11 | </div> | 11 | </div> |
| 12 | </div> | 12 | </div> |