From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  	It means no escaping function in Twig templates.
    2 reasons:
    * it reduces risks of security issue for future user made templates
    * more readable templates
  * sanitize user configuration fields after loading them.
---
 tpl/picwall.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'tpl/picwall.html')

diff --git a/tpl/picwall.html b/tpl/picwall.html
index e686afe1..9a2a4715 100644
--- a/tpl/picwall.html
+++ b/tpl/picwall.html
@@ -9,7 +9,7 @@
         <div id="picwall_container">
             {loop="linksToDisplay"}
             <div class="picwall_pictureframe">
-        	    {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title|htmlspecialchars}</span></a>
+        	    {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title}</span></a>
             </div>
             {/loop}
         </div>
-- 
cgit v1.2.3