From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
---
tpl/dailyrss.html | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'tpl/dailyrss.html')
diff --git a/tpl/dailyrss.html b/tpl/dailyrss.html
index a9b11e18..1b7ab8e9 100644
--- a/tpl/dailyrss.html
+++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@ {loop="links"}
-

{$value.title|htmlspecialchars}

- {if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags|htmlspecialchars}{/if}
- {$value.url|htmlspecialchars}

+

{$value.title}

+ {if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}
+ {$value.url}

{if="$value.thumbnail"}{$value.thumbnail}{/if}
{if="$value.description"}{$value.formatedDescription}{/if}


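Review bot: After this hunk the template carries no escaping of its own on `$value.title`, `$value.tags` and `$value.url`, so the XML-safety of the feed now rests entirely on index.php having escaped every field before rendering, and nothing in the template records that contract for the "future user made templates" the commit message mentions. I would add a header comment at the top of the loop, e.g. `{* All $value.* fields are pre-escaped by index.php (escape()/htmlspecialchars); do not re-escape here, and do not add raw fields without escaping them in index.php first *}`, so a later author neither double-escapes nor emits an unescaped field. The context lines `{$value.thumbnail}` and `{$value.formatedDescription}` were never escaped in this template either; if `formatedDescription` is intentionally HTML, it presumably needs a CDATA wrapper (or entity encoding) to stay well-formed in an RSS description, which I cannot confirm from this hunk. The removed `|htmlspecialchars` filter used PHP's default flags, so it is worth verifying that the central `escape()` helper passes `ENT_QUOTES` (and UTF-8) rather than inheriting that default. The `{loop="links"}` block begins in the hunk header and its closing tag is outside the visible lines.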
-- cgit v1.2.3