From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Thu, 11 Jun 2015 13:53:27 +0200 Subject: Working on shaarli/Shaarli#224 I reviewed character escaping everywhere with the following ideas: * use a single common function to escape user data: `escape` using `htmlspecialchars`. * sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons: * it reduces risks of security issue for future user made templates * more readable templates * sanitize user configuration fields after loading them. --- tpl/page.footer.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tpl/page.footer.html') diff --git a/tpl/page.footer.html b/tpl/page.footer.html index 42c621b9..8143669d 100644 --- a/tpl/page.footer.html +++ b/tpl/page.footer.html @@ -2,7 +2,7 @@ Shaarli - The personal, minimalist, super-fast, no-database delicious clone by the Shaarli community - Help/documentation {if="$newversion"} -
Shaarli {$newversion|htmlspecialchars} is available.
+
Shaarli {$newversion} is available.
{/if} {if="isLoggedIn()"} -- cgit v1.2.3