author | ArthurHoaro <arthur@hoa.ro> | 2015-06-11 13:53:27 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2015-06-23 16:35:36 +0200 |
commit | 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 (patch) | |
tree | 5615922c1c696ec04cc60625a8d401b2b297a462 /tpl | |
parent | 0923a2bc1b097bf1def882722db489d83d95c423 (diff) | |
download | Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.gz Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.tar.zst Shaarli-5f85fcd863fe261921953ea3bd1742f3e1b7cf68.zip |
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces the risk of security issues in future user-made templates
* more readable templates
* sanitize user configuration fields after loading them.
Diffstat (limited to 'tpl')
-rw-r--r-- | tpl/daily.html | 4 | ||||
-rw-r--r-- | tpl/dailyrss.html | 6 | ||||
-rw-r--r-- | tpl/editlink.html | 10 | ||||
-rw-r--r-- | tpl/import.html | 4 | ||||
-rw-r--r-- | tpl/linklist.html | 10 | ||||
-rw-r--r-- | tpl/loginform.html | 2 | ||||
-rw-r--r-- | tpl/page.footer.html | 2 | ||||
-rw-r--r-- | tpl/page.header.html | 2 | ||||
-rw-r--r-- | tpl/picwall.html | 2 | ||||
-rw-r--r-- | tpl/tagcloud.html | 2 |
10 files changed, 22 insertions, 22 deletions
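--- a/tpl/daily.html
+++ b/tpl/daily.html
@@ -36,12 +36,12 @@
 {if="$link.tags"}
 <div class="dailyEntryTags">
 {loop="link.taglist"}
-{$value|htmlspecialchars} -
+{$value} -
 {/loop}
 </div>
 {/if}
 <div class="dailyEntryTitle">
-<a href="{$link.url}">{$link.title|htmlspecialchars}</a>
+<a href="{$link.url}">{$link.title}</a>
 </div>
 {if="$link.thumbnail"}
 <div class="dailyEntryThumbnail">{$link.thumbnail}</div>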
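Review bot: `{$value}` on line 39 and `{$link.title}` on line 44 are now only as safe as the `escape` call in index.php, which this diff (limited to tpl/) does not show; any code path that hands a tag or title to this template without passing through it renders the value unescaped. The same dependency applies to dailyrss.html, editlink.html, linklist.html, loginform.html, page.footer.html, page.header.html, picwall.html and tagcloud.html. `{$link.url}` in the `href` on line 44 was unfiltered on both sides, so it also relies on that server-side step. A one-line comment at the top of each template stating that every variable arrives pre-escaped and must not be escaped again would make the contract visible to the user-made templates the description has in mind.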
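--- a/tpl/dailyrss.html
+++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@
 {loop="links"}
-<h3><a href="{$value.url}">{$value.title|htmlspecialchars}</a></h3>
-<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags|htmlspecialchars}{/if}<br>
-{$value.url|htmlspecialchars}</small><br>
+<h3><a href="{$value.url}">{$value.title}</a></h3>
+<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
+{$value.url}</small><br>
 {if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
 {if="$value.description"}{$value.formatedDescription}{/if}
 <br><br><hr>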
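Review bot: `{$value.tags}` on line 3 and `{$value.url}` on line 4 are emitted into the feed body with no local filter, so the RSS output stays well-formed only if the daily-RSS handler in index.php applies the same `escape` as the HTML pages; that handler is outside this diff and should be confirmed, since the feed path is easy to miss when escaping is centralised. If it is applied, `htmlspecialchars` output (`&amp;`, `&lt;`, `&quot;`) is valid XML, so no feed-specific escaping is needed. `{$value.formatedDescription}` on line 6 is intentionally raw HTML on both sides and is unaffected by this change.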
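--- a/tpl/editlink.html
+++ b/tpl/editlink.html
@@ -15,11 +15,11 @@
 <div id="editlinkform">
 <form method="post" name="linkform">
 <input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
-<label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br>
-<label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br>
-<label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br>
+<label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
+<label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
+<label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
 <label for="lf_tags"><i>Tags</i></label><br>
-<input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input"
+<input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
 data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
 {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
 <input type="checkbox" checked="checked" name="lf_private" id="lf_private">
@@ -32,7 +32,7 @@
 <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
 {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
 <input type="hidden" name="token" value="{$token}">
-{if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if}
+{if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
 </form>
 </div>
 </div>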
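Review bot: `data-list="{loop="$tags"}{$key}, {/loop}"` on line 23 interpolates tag names into a double-quoted attribute with no filter on either side; unless the keys of `$tags` are escaped in index.php together with the link fields, a tag containing `"` terminates the attribute. If `escape` is `htmlspecialchars` with its pre-PHP-8.1 default flags, single quotes are left untouched — acceptable here because every attribute in this hunk is double-quoted, but worth stating in the helper (or passing `ENT_QUOTES`) so future templates using single-quoted attributes are not caught out. The `{$http_referer}` written into `returnurl` on line 35 of the second hunk is header-derived input and depends on the same server-side step. Also note line 22 carries `id="lf_tags"` twice, a pre-existing duplicate attribute this hunk could have dropped.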
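--- a/tpl/import.html
+++ b/tpl/import.html
@@ -5,11 +5,11 @@
 <div id="pageheader">
 {include="page.header"}
 <div id="uploaddiv">
-Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize|htmlspecialchars} bytes).
+Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize} bytes).
 <form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform">
 <input type="hidden" name="token" value="{$token}">
 <input type="file" name="filetoupload">
-<input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize|htmlspecialchars}">
+<input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize}">
 <input type="submit" name="import_file" value="Import" class="bigbutton"><br>
 <input type="checkbox" name="private" id="private"><label for="private"> Import all links as private</label><br>
 <input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite"> Overwrite existing links</label>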
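--- a/tpl/linklist.html
+++ b/tpl/linklist.html
@@ -33,7 +33,7 @@
 {if="$search_type=='tags'"}
 <div id="searchcriteria">{$result_count} results for tags <i>
 {loop="search_crits"}
-<span class="linktag" title="Remove tag"><a href="?removetag={$value|htmlspecialchars}">{$value|htmlspecialchars} <span class="remove">x</span></a></span>
+<span class="linktag" title="Remove tag"><a href="?removetag={$value}">{$value} <span class="remove">x</span></a></span>
 {/loop}</i></div>
 {/if}
 {/if}
@@ -50,7 +50,7 @@
 <input type="hidden" name="token" value="{$token}"><input type="hidden" name="delete_link"><input type="image" alt="Delete" src="images/delete_icon.png#" title="Delete" class="button_delete" onClick="return confirmDeleteLink();"></form>
 </div>
 {/if}
-<span class="linktitle"><a href="{$redirector}{$value.url|htmlspecialchars}">{$value.title|htmlspecialchars}</a></span>
+<span class="linktitle"><a href="{$redirector}{$value.url}">{$value.title}</a></span>
 <br>
 {if="$value.description"}<div class="linkdescription">{$value.description}</div>{/if}
 {if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"}
@@ -59,15 +59,15 @@
 <span class="linkdate" title="Short link here"><a href="?{$value.linkdate|smallHash}">permalink</a> - </span>
 {/if}
 {if="$GLOBALS['config']['ARCHIVE_ORG']"}
-<span class="linkarchive"><a href="https://web.archive.org/web/{$value.url|htmlspecialchars}">archive</a> - </span>
+<span class="linkarchive"><a href="https://web.archive.org/web/{$value.url}">archive</a> - </span>
 {/if}
 <div class="linkqrcode"><a href="http://qrfree.kaywa.com/?l=1&s=8&d={$scripturl|urlencode}%3F{$value.linkdate|smallHash}"
 onclick="return showQrCode(this);" class="qrcode" data-permalink="{$scripturl}?{$value.linkdate|smallHash}">
 <img src="images/qrcode.png#" alt="QR-Code" title="{function="strftime('%c', $value.timestamp)"}"></a></div> -
-<a href="{$value.url|htmlspecialchars}"><span class="linkurl" title="Short link">{$value.url|htmlspecialchars}</span></a><br>
+<a href="{$value.url}"><span class="linkurl" title="Short link">{$value.url}</span></a><br>
 {if="$value.tags"}
 <div class="linktaglist">
-{loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value|htmlspecialchars}</a></span> {/loop}
+{loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value}</a></span> {/loop}
 </div>
 {/if}
 </div>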
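Review bot: `?removetag={$value}` on line 36 of the first hunk drops `htmlspecialchars` without adding `urlencode`, while the parallel `?addtag={$value|urlencode}` on line 70 URL-encodes, so a tag containing `&`, `#` or `+` now produces a broken query string; suggest `<a href="?removetag={$value|urlencode}">{$value} <span class="remove">x</span></a>`. The opposite problem appears on line 70 and on tagcloud.html line 9: if the tag values already carry `htmlspecialchars` output when they reach the template, `urlencode` encodes the entity form (`&` becomes `%26amp%3B`) and the tag search receives the escaped name rather than the stored one, so the value used in URL parameters should be the raw one. Lines 53, 62 and 67 place `{$value.url}` straight into `href`; HTML escaping keeps the attribute intact but does not constrain the URL scheme, so scheme validation where links are saved remains the complementary control and is outside this diff.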
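--- a/tpl/loginform.html
+++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
 <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
 Stay signed in (Do not check on public computers)</label>
 <input type="hidden" name="token" value="{$token}">
-{if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl|htmlspecialchars}">{/if}
+{if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
 </form>
 {/if}
 </div>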
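Review bot: `{$returnurl}` on line 20 is request-derived and, judging by its name, presumably consumed as a post-login redirect target; the server-side `escape` that replaces the removed filter only protects this attribute, not the redirect, so where the value is consumed it should still be checked to be a same-site or relative path. That consumer is outside this diff, and a comment on this line noting that the escape here is for attribute safety only would keep the two concerns from being confused.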
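--- a/tpl/page.footer.html
+++ b/tpl/page.footer.html
@@ -2,7 +2,7 @@
 <b><a href="https://github.com/shaarli/Shaarli">Shaarli</a></b> - The personal, minimalist, super-fast, no-database delicious clone by the <a href="https://github.com/shaarli/Shaarli">Shaarli</a> community - <a href="doc/Home.html">Help/documentation</a>
 </div>
 {if="$newversion"}
-<div id="newversion"><span id="version_id">●</span> Shaarli {$newversion|htmlspecialchars} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div>
+<div id="newversion"><span id="version_id">●</span> Shaarli {$newversion} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div>
 {/if}
 {if="isLoggedIn()"}
 <script>function confirmDeleteLink() { var agree=confirm("Are you sure you want to delete this link ?"); if (agree) return true ; else return false ; }</script>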
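Review bot: `{$newversion}` on line 5 appears to come from the update check rather than from user input, the datastore or the configuration file, so it is not obviously covered by either sanitisation step the description lists ("after reading them from datastore" and "user configuration fields"); it should be confirmed that the fetched version string is passed through `escape` at the point it is retrieved, otherwise whatever the update endpoint returns now lands in the footer verbatim. A brief note next to the fetch saying the value is escaped for display would make that explicit.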
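--- a/tpl/page.header.html
+++ b/tpl/page.header.html
@@ -8,7 +8,7 @@
 <div id="menu">
 <ul>
 <li><span id="shaarli_title">
-<a href="{$titleLink}">{$shaarlititle|htmlspecialchars}</a>
+<a href="{$titleLink}">{$shaarlititle}</a>
 </span>
 </li>
 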
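Review bot: `{$titleLink}` in the `href` on line 11 is unfiltered on both sides while `{$shaarlititle}` beside it now depends on the configuration sanitisation the description mentions; if `$titleLink` is configuration-derived as its name suggests, it should be covered by that same step, and it would be worth listing both names where the configuration fields are sanitised so the next template author can see which values are safe.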
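--- a/tpl/picwall.html
+++ b/tpl/picwall.html
@@ -9,7 +9,7 @@
 <div id="picwall_container">
 {loop="linksToDisplay"}
 <div class="picwall_pictureframe">
-{$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title|htmlspecialchars}</span></a>
+{$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title}</span></a>
 </div>
 {/loop}
 </div>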
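--- a/tpl/tagcloud.html
+++ b/tpl/tagcloud.html
@@ -6,7 +6,7 @@
 <div class="center">
 <div id="cloudtag">
 {loop="tags"}
-<span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key|htmlspecialchars}</a>
+<span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key}</a>
 {/loop}
 </div>
 </div>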