From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224 I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape` using `htmlspecialchars`. * sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons: * it reduces risks of security issue for future user made templates * more readable templates * sanitize user configuration fields after loading them.
---
 tpl/editlink.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'tpl/editlink.html')
diff --git a/tpl/editlink.html b/tpl/editlink.html
index 0276f088..6737c412 100644
--- a/tpl/editlink.html
+++ b/tpl/editlink.html
@@ -15,11 +15,11 @@
 <div id="editlinkform">
 <form method="post" name="linkform">
 <input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
- <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br>
- <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br>
- <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br>
+ <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
+ <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
+ <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
 <label for="lf_tags"><i>Tags</i></label><br>
- <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input"
+ <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
 data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
 {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
 <input type="checkbox" checked="checked" name="lf_private" id="lf_private">
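Review bot: The four controls on the new `+` lines now emit `$link.url`, `$link.title`, `$link.description` and `$link.tags` with no template-side escaping, so this template is only safe if every code path that renders it has already run those fields through the `escape` helper the commit message describes — a contract that is invisible here and that nothing in the template will catch if a future caller hands it raw datastore values. A short note at the top of the form would record that dependency, e.g. `<!-- $link fields arrive already HTML-escaped by index.php; do not add template-side escaping -->`. The same reasoning applies to `{$key}` inside the `data-list` attribute on the following context line, which was never escaped in the template: a tag name containing `"` would terminate the attribute unless the `$tags` keys are sanitized on the PHP side as well, which this hunk cannot show. Separately, the new `lf_tags` line carries `id="lf_tags"` twice; the duplicate attribute should be dropped. The `<form>` opened in this hunk closes outside it.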
@@ -32,7 +32,7 @@
 <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
 {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
 <input type="hidden" name="token" value="{$token}">
- {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if}
+ {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
 </form>
 </div>
 </div>
-- 
cgit v1.2.3
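Review bot: The `returnurl` input on the new `+` line now emits `$http_referer` unescaped, and because this value originates from a request header rather than the datastore, the template is wholly dependent on index.php having passed it through `escape` before assignment — that is the commit's stated design, but it cannot be confirmed from this hunk. Escaping only keeps the value inside the `value` attribute; it does not constrain where `returnurl` is later used as a redirect target, so whether that target is restricted to the application's own origin is worth checking on the PHP side, outside this diff. A one-line note on the `{if="$http_referer"}` line such as `<!-- $http_referer is HTML-escaped in index.php before reaching the template -->` would record the assumption for the next template author. The `<form>` closed here is opened outside the hunk.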