From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  	It means no escaping function in Twig templates.
    2 reasons:
    * it reduces risks of security issue for future user made templates
    * more readable templates
  * sanitize user configuration fields after loading them.
---
 tpl/loginform.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'tpl/loginform.html')

diff --git a/tpl/loginform.html b/tpl/loginform.html
index 91b948dd..678375fd 100644
--- a/tpl/loginform.html
+++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
     <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
     Stay signed in (Do not check on public computers)</label>
     <input type="hidden" name="token" value="{$token}">
-    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl|htmlspecialchars}">{/if}
+    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
     </form>
 {/if}
     </div>
-- 
cgit v1.2.3