From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
    This means no escaping function is needed in Twig templates, for two reasons:
    * it reduces the risk of security issues in future user-made templates
    * templates are more readable
  * sanitize user configuration fields after loading them.
---
 application/LinkDB.php | 5 +++++
 1 file changed, 5 insertions(+)


diff --git a/application/LinkDB.php b/application/LinkDB.php
index 137f42e5..0f7c5bfe 100644
--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -245,6 +245,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess
         foreach ($this->links as $link) {
             $this->urls[$link['url']] = $link['linkdate'];
         }
+
+        // Escape links data
+        foreach($this->links as &$link) { 
+            sanitizeLink($link); 
+        }
     }
 
     /**
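Review bot: The by-reference loop added at the end of the hunk leaves `$link` bound to the last element of `$this->links` and should be followed by `unset($link);` — the method closes right after, so nothing reuses it today, but any later statement assigning to `$link` would silently overwrite the last stored link. The hunk also introduces an inconsistency: `$this->urls` is keyed by the raw `$link['url']` a few lines earlier, while `$this->links` is escaped afterwards, so if sanitizeLink() applies htmlspecialchars to `url` (as the commit message suggests) a URL containing `&` will no longer match its own key in `$this->urls`; either build that map after the escaping loop or document that `urls` keys are unescaped. Escaping at load time also means values written back to the datastore could be double-escaped unless the save path reverses it, which deserves a comment on the loop such as `// Links are HTML-escaped in memory from here on; code needing raw values must unescape`. Minor style: `foreach(` should be `foreach (`, and both added lines carry trailing whitespace. The enclosing method starts outside the hunk.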