From 5f85fcd863fe261921953ea3bd1742f3e1b7cf68 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Thu, 11 Jun 2015 13:53:27 +0200
Subject: Working on shaarli/Shaarli#224

I reviewed character escaping everywhere with the following ideas:

  * use a single common function to escape user data: `escape` using `htmlspecialchars`.
  * sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
  	It means no escaping function in Twig templates.
    2 reasons:
    * it reduces risks of security issue for future user made templates
    * more readable templates
  * sanitize user configuration fields after loading them.
---
 tpl/daily.html       |  4 ++--
 tpl/dailyrss.html    |  6 +++---
 tpl/editlink.html    | 10 +++++-----
 tpl/import.html      |  4 ++--
 tpl/linklist.html    | 10 +++++-----
 tpl/loginform.html   |  2 +-
 tpl/page.footer.html |  2 +-
 tpl/page.header.html |  2 +-
 tpl/picwall.html     |  2 +-
 tpl/tagcloud.html    |  2 +-
 10 files changed, 22 insertions(+), 22 deletions(-)

(limited to 'tpl')

diff --git a/tpl/daily.html b/tpl/daily.html
index 0f762490..38aa4012 100644
--- a/tpl/daily.html
+++ b/tpl/daily.html
@@ -36,12 +36,12 @@
                         {if="$link.tags"}
                             <div class="dailyEntryTags">
                                 {loop="link.taglist"}
-                                    {$value|htmlspecialchars} -
+                                    {$value} -
                                 {/loop}
                             </div>
                         {/if}
                         <div class="dailyEntryTitle">
-                            <a href="{$link.url}">{$link.title|htmlspecialchars}</a>
+                            <a href="{$link.url}">{$link.title}</a>
                         </div>
                         {if="$link.thumbnail"}
                             <div class="dailyEntryThumbnail">{$link.thumbnail}</div>
diff --git a/tpl/dailyrss.html b/tpl/dailyrss.html
index a9b11e18..1b7ab8e9 100644
--- a/tpl/dailyrss.html
+++ b/tpl/dailyrss.html
@@ -1,7 +1,7 @@
 {loop="links"}
-	<h3><a href="{$value.url}">{$value.title|htmlspecialchars}</a></h3>
-	<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags|htmlspecialchars}{/if}<br>
-	{$value.url|htmlspecialchars}</small><br>
+	<h3><a href="{$value.url}">{$value.title}</a></h3>
+	<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
+	{$value.url}</small><br>
 	{if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
 	{if="$value.description"}{$value.formatedDescription}{/if}
 	<br><br><hr>
diff --git a/tpl/editlink.html b/tpl/editlink.html
index 0276f088..6737c412 100644
--- a/tpl/editlink.html
+++ b/tpl/editlink.html
@@ -15,11 +15,11 @@
 	<div id="editlinkform">
 	    <form method="post" name="linkform">
 	        <input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
-	        <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url|htmlspecialchars}" class="lf_input"><br>
-            <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title|htmlspecialchars}" class="lf_input"><br>
-            <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description|htmlspecialchars}</textarea><br>
+	        <label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
+            <label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
+            <label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
             <label for="lf_tags"><i>Tags</i></label><br>
-            <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags|htmlspecialchars}" class="lf_input"
+            <input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
                 data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
 	        {if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
             <input type="checkbox" checked="checked" name="lf_private" id="lf_private">
@@ -32,7 +32,7 @@
 	        <input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
 	        {if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
 	        <input type="hidden" name="token" value="{$token}">
-	        {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer|htmlspecialchars}">{/if}
+	        {if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
 	    </form>
 	</div>
 </div>
diff --git a/tpl/import.html b/tpl/import.html
index 9ac3c2f9..6c4f9421 100644
--- a/tpl/import.html
+++ b/tpl/import.html
@@ -5,11 +5,11 @@
 <div id="pageheader">
 	{include="page.header"}
 	<div id="uploaddiv">
-	Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize|htmlspecialchars} bytes).
+	Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize} bytes).
 	<form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform">
 	    <input type="hidden" name="token" value="{$token}">
 	    <input type="file" name="filetoupload">
-	    <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize|htmlspecialchars}">
+	    <input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize}">
 	    <input type="submit" name="import_file" value="Import" class="bigbutton"><br>
 	    <input type="checkbox" name="private" id="private"><label for="private">&nbsp;Import all links as private</label><br>
 	    <input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite">&nbsp;Overwrite existing links</label>
diff --git a/tpl/linklist.html b/tpl/linklist.html
index a59a9e51..daf87060 100644
--- a/tpl/linklist.html
+++ b/tpl/linklist.html
@@ -33,7 +33,7 @@
         {if="$search_type=='tags'"}
             <div id="searchcriteria">{$result_count} results for tags <i>
             {loop="search_crits"}
-                <span class="linktag" title="Remove tag"><a href="?removetag={$value|htmlspecialchars}">{$value|htmlspecialchars} <span class="remove">x</span></a></span>
+                <span class="linktag" title="Remove tag"><a href="?removetag={$value}">{$value} <span class="remove">x</span></a></span>
             {/loop}</i></div>
         {/if}
     {/if}
@@ -50,7 +50,7 @@
                         <input type="hidden" name="token" value="{$token}"><input type="hidden" name="delete_link"><input type="image" alt="Delete" src="images/delete_icon.png#" title="Delete" class="button_delete" onClick="return confirmDeleteLink();"></form>
                     </div>
                 {/if}
-                <span class="linktitle"><a href="{$redirector}{$value.url|htmlspecialchars}">{$value.title|htmlspecialchars}</a></span>
+                <span class="linktitle"><a href="{$redirector}{$value.url}">{$value.title}</a></span>
                 <br>
                 {if="$value.description"}<div class="linkdescription">{$value.description}</div>{/if}
                 {if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"}
@@ -59,15 +59,15 @@
                     <span class="linkdate" title="Short link here"><a href="?{$value.linkdate|smallHash}">permalink</a> - </span>
                 {/if}
                 {if="$GLOBALS['config']['ARCHIVE_ORG']"}
-                <span class="linkarchive"><a href="https://web.archive.org/web/{$value.url|htmlspecialchars}">archive</a> - </span>
+                <span class="linkarchive"><a href="https://web.archive.org/web/{$value.url}">archive</a> - </span>
                 {/if}
                 <div class="linkqrcode"><a href="http://qrfree.kaywa.com/?l=1&amp;s=8&amp;d={$scripturl|urlencode}%3F{$value.linkdate|smallHash}"
                     onclick="return showQrCode(this);" class="qrcode" data-permalink="{$scripturl}?{$value.linkdate|smallHash}">
 		    <img src="images/qrcode.png#" alt="QR-Code" title="{function="strftime('%c', $value.timestamp)"}"></a></div> -
-                <a href="{$value.url|htmlspecialchars}"><span class="linkurl" title="Short link">{$value.url|htmlspecialchars}</span></a><br>
+                <a href="{$value.url}"><span class="linkurl" title="Short link">{$value.url}</span></a><br>
                 {if="$value.tags"}
                     <div class="linktaglist">
-                    {loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value|htmlspecialchars}</a></span> {/loop}
+                    {loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value}</a></span> {/loop}
                     </div>
                 {/if}
             </div>
diff --git a/tpl/loginform.html b/tpl/loginform.html
index 91b948dd..678375fd 100644
--- a/tpl/loginform.html
+++ b/tpl/loginform.html
@@ -17,7 +17,7 @@
     <input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
     Stay signed in (Do not check on public computers)</label>
     <input type="hidden" name="token" value="{$token}">
-    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl|htmlspecialchars}">{/if}
+    {if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
     </form>
 {/if}
     </div>
diff --git a/tpl/page.footer.html b/tpl/page.footer.html
index 42c621b9..8143669d 100644
--- a/tpl/page.footer.html
+++ b/tpl/page.footer.html
@@ -2,7 +2,7 @@
     <b><a href="https://github.com/shaarli/Shaarli">Shaarli</a></b> - The personal, minimalist, super-fast, no-database delicious clone by the <a href="https://github.com/shaarli/Shaarli">Shaarli</a> community - <a href="doc/Home.html">Help/documentation</a>
 </div>
 {if="$newversion"}
-    <div id="newversion"><span id="version_id">&#x25CF;</span> Shaarli {$newversion|htmlspecialchars} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div>
+    <div id="newversion"><span id="version_id">&#x25CF;</span> Shaarli {$newversion} is <a href="https://github.com/shaarli/Shaarli/releases">available</a>.</div>
 {/if}
 {if="isLoggedIn()"}
 <script>function confirmDeleteLink() { var agree=confirm("Are you sure you want to delete this link ?"); if (agree) return true ; else return false ; }</script>
diff --git a/tpl/page.header.html b/tpl/page.header.html
index 0fd65e40..2d186aa2 100644
--- a/tpl/page.header.html
+++ b/tpl/page.header.html
@@ -8,7 +8,7 @@
 <div id="menu">
   <ul>
       <li><span id="shaarli_title">
-        <a href="{$titleLink}">{$shaarlititle|htmlspecialchars}</a>
+        <a href="{$titleLink}">{$shaarlititle}</a>
     </span>
     </li>
   
diff --git a/tpl/picwall.html b/tpl/picwall.html
index e686afe1..9a2a4715 100644
--- a/tpl/picwall.html
+++ b/tpl/picwall.html
@@ -9,7 +9,7 @@
         <div id="picwall_container">
             {loop="linksToDisplay"}
             <div class="picwall_pictureframe">
-        	    {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title|htmlspecialchars}</span></a>
+        	    {$value.thumbnail}<a href="{$value.url}"><span class="info">{$value.title}</span></a>
             </div>
             {/loop}
         </div>
diff --git a/tpl/tagcloud.html b/tpl/tagcloud.html
index 97205e2b..092f2294 100644
--- a/tpl/tagcloud.html
+++ b/tpl/tagcloud.html
@@ -6,7 +6,7 @@
 <div class="center">
     <div id="cloudtag">
         {loop="tags"}
-        <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key|htmlspecialchars}</a>
+        <span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key}</a>
         {/loop}
     </div>
 </div>
-- 
cgit v1.2.3