authorNicolas Lœuillet <nicolas@loeuillet.org>2017-01-17 10:09:04 +0100
committerNicolas Lœuillet <nicolas@loeuillet.org>2017-01-17 10:09:04 +0100
commit3d9950792c0aef20643ce1c5f81670e1f7194af9 (patch)
tree0eb9a92112c2e5913015abf01ff4e0b9e14c6d85
parent96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff)
Fixed possible JS injection via title editing
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig4
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig6
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig2
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig10
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig4
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig4
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig8
-rw-r--r--src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig4
-rw-r--r--var/SymfonyRequirements.php6
9 files changed, 26 insertions, 22 deletions
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
index 56a0faac..4679714e 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
@@ -23,7 +23,7 @@
23 23
24 {% for entry in entries %} 24 {% for entry in entries %}
25 <div id="entry-{{ entry.id|e }}" class="entry"> 25 <div id="entry-{{ entry.id|e }}" class="entry">
26 <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2> 26 <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
27 27
28 {% set readingTime = entry.readingTime / app.user.config.readingSpeed %} 28 {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
29 <div class="estimatedTime"> 29 <div class="estimatedTime">
@@ -60,7 +60,7 @@
60 <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li> 60 <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
61 {% endfor %} 61 {% endfor %}
62 </ul> 62 </ul>
63 <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /> 63 <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
64 {% endif %} 64 {% endif %}
65 </div> 65 </div>
66 {% endfor %} 66 {% endfor %}
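Review bot: `entry.title|e|raw` on lines 26 and 63 escapes the title and then marks it raw, which is a no-op in Twig because the output of `e` is already a safe Markup value; the trailing `|raw` only tells the next reader that the value is trusted, which is exactly the misreading this commit is correcting. Prefer `{{ entry.title|e }}`, or just `{{ entry.title }}` if autoescape is on for this template (the bare `{{ tag.label }}` on line 60 suggests it is, but confirm), so the escape is the last filter in the chain. The same `|e|raw` pattern is introduced in baggy/Entry/entry.html.twig, common/Entry/share.html.twig and material/Entry/entry.html.twig in this commit and should be simplified the same way.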
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
index 3689159b..8ca194f6 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
@@ -1,11 +1,11 @@
1{% extends "WallabagCoreBundle::layout.html.twig" %} 1{% extends "WallabagCoreBundle::layout.html.twig" %}
2 2
3{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %} 3{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
4 4
5{% block content %} 5{% block content %}
6 <div id="article"> 6 <div id="article">
7 <header class="mbm"> 7 <header class="mbm">
8 <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1> 8 <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
9 </header> 9 </header>
10 10
11 <div id="article_toolbar"> 11 <div id="article_toolbar">
@@ -67,7 +67,7 @@
67 </aside> 67 </aside>
68 </div> 68 </div>
69 {% if entry.previewPicture is not null %} 69 {% if entry.previewPicture is not null %}
70 <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div> 70 <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
71 {% endif %} 71 {% endif %}
72 <article> 72 <article>
73 {{ entry.content | raw }} 73 {{ entry.content | raw }}
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
index 288bb54f..7103f22b 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
@@ -10,7 +10,7 @@
10 {% for entry in entries %} 10 {% for entry in entries %}
11 11
12 <item> 12 <item>
13 <title><![CDATA[{{ entry.title }}]]></title> 13 <title><![CDATA[{{ entry.title|e }}]]></title>
14 <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source> 14 <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
15 <link>{{ entry.url }}</link> 15 <link>{{ entry.url }}</link>
16 <guid>{{ entry.url }}</guid> 16 <guid>{{ entry.url }}</guid>
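Review bot: `{{ entry.title|e }}` on line 13 HTML-escapes text that sits inside a `<![CDATA[ ]]>` section, where consumers take the bytes literally, so an `&` in a title reaches feed readers as `&amp;` unless they decode entities on their own; and because `e` also turns `>` into `&gt;`, the CDATA wrapper no longer protects anything (a `]]>` in a title can no longer terminate it, but it also no longer needs the wrapper). Pick one mechanism: drop the CDATA and emit `<title>{{ entry.title|e }}</title>`, or keep the CDATA and instead split any `]]>` in the unescaped value. Under Symfony's filename-based autoescape the bare `{{ entry.title }}` was presumably already being escaped here, so the added `|e` is likely a no-op rather than a fix; worth confirming before relying on it.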
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
index f77264c6..623cf1c4 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
@@ -1,6 +1,6 @@
1<html> 1<html>
2 <head> 2 <head>
3 <title>{{ entry.title | raw }}</title> 3 <title>{{ entry.title|e|raw }}</title>
4 <style> 4 <style>
5 body { 5 body {
6 margin: 10px; 6 margin: 10px;
@@ -27,7 +27,7 @@
27 width: 600px; 27 width: 600px;
28 } 28 }
29 </style> 29 </style>
30 <meta property="og:title" content="{{ entry.title | raw }}" /> 30 <meta property="og:title" content="{{ entry.title|e|raw }}" />
31 <meta property="og:type" content="article" /> 31 <meta property="og:type" content="article" />
32 <meta property="og:url" content="{{ app.request.uri }}" /> 32 <meta property="og:url" content="{{ app.request.uri }}" />
33 {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %} 33 {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@@ -38,13 +38,13 @@
38 <meta name="twitter:card" content="summary" /> 38 <meta name="twitter:card" content="summary" />
39 <meta name="twitter:image" content="{{ picturePath }}" /> 39 <meta name="twitter:image" content="{{ picturePath }}" />
40 <meta name="twitter:site" content="@wallabagapp" /> 40 <meta name="twitter:site" content="@wallabagapp" />
41 <meta name="twitter:title" content="{{ entry.title | raw }}" /> 41 <meta name="twitter:title" content="{{ entry.title|e|raw }}" />
42 <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" /> 42 <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" />
43 </head> 43 </head>
44 <body> 44 <body>
45 <header> 45 <header>
46 <h1>{{ entry.title | raw }}</h1> 46 <h1>{{ entry.title|e|raw }}</h1>
47 <div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div> 47 <div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
48 <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div> 48 <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
49 </header> 49 </header>
50 <article> 50 <article>
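Review bot: Line 42 still emits `entry.content|striptags|slice(0, 300)|raw` inside a `content="…"` attribute, and this commit does not touch it; `striptags` removes tags but leaves quotes intact, so a `"` in the article text ends the attribute, and the `|raw` suppresses the escape that would prevent that. Drop the `|raw` and let autoescape (or an explicit `|e('html_attr')`) run last: `content="{{ entry.content|striptags|slice(0, 300) }}&hellip;"`. Slicing after escaping would also avoid cutting an entity in half, so keep `slice` before the escape as shown. The `|e|raw` on lines 3, 30, 41, 46 and 47 has the same redundant `|raw` noted on the baggy entries template.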
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
index 0fdd5996..91a1bac0 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
@@ -11,8 +11,8 @@
11 11
12 <div class="card-content"> 12 <div class="card-content">
13 <span class="card-title dot-ellipsis dot-resize-update"> 13 <span class="card-title dot-ellipsis dot-resize-update">
14 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> 14 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
15 {{ entry.title | raw | striptags | truncate(80, true, '…') }} 15 {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
16 </a> 16 </a>
17 </span> 17 </span>
18 18
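Review bot: On lines 14-15 `e` now runs before `striptags`, which leaves `striptags` with nothing to strip (a `<b>` in a stored title arrives as `&lt;b&gt;` and is shown literally) and, unless every later filter in the chain preserves Twig's safety flag, hands an already-escaped string to autoescape, so a `&` in the title renders as `&amp;`; truncating escaped text can also cut an entity in half. Escape last instead: `title="{{ entry.title|striptags }}"` and `{{ entry.title|striptags|truncate(80, true, '…') }}`, relying on autoescape or ending the chain with `|e`. The same ordering is introduced in _card_no_preview.html.twig and _card_preview.html.twig, where the trailing `|raw` on line 17 additionally bypasses the final escape of the truncated value. As a style point, `entry.title| e | raw` on line 14 is spaced differently from the `| e |` used on line 15 and in the sibling cards.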
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
index 19a400b4..ed916e79 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
@@ -2,8 +2,8 @@
2 <div class="card-body"> 2 <div class="card-body">
3 <div class="card-content"> 3 <div class="card-content">
4 <span class="card-title dot-ellipsis dot-resize-update"> 4 <span class="card-title dot-ellipsis dot-resize-update">
5 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> 5 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
6 {{ entry.title | raw | striptags | truncate(80, true, '…') }} 6 {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
7 </a> 7 </a>
8 </span> 8 </span>
9 9
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
index b0e3c06d..d23be4d0 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
@@ -13,8 +13,8 @@
13 <i class="grey-text text-darken-4 activator material-icons right">more_vert</i> 13 <i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
14 14
15 <span class="card-title dot-ellipsis dot-resize-update"> 15 <span class="card-title dot-ellipsis dot-resize-update">
16 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> 16 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
17 {{ entry.title| striptags | truncate(80, true, '…') | raw }} 17 {{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
18 </a> 18 </a>
19 </span> 19 </span>
20 20
@@ -29,8 +29,8 @@
29 <div class="card-reveal"> 29 <div class="card-reveal">
30 <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i> 30 <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
31 <span class="card-title"> 31 <span class="card-title">
32 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> 32 <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
33 {{ entry.title | raw | striptags | truncate(80, true, '…') }} 33 {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
34 </a> 34 </a>
35 </span> 35 </span>
36 36
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
index c615a907..b445f7d5 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
@@ -1,6 +1,6 @@
1{% extends "WallabagCoreBundle::layout.html.twig" %} 1{% extends "WallabagCoreBundle::layout.html.twig" %}
2 2
3{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %} 3{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
4 4
5{% block body_class %}entry{% endblock %} 5{% block body_class %}entry{% endblock %}
6 6
@@ -209,7 +209,7 @@
209{% block content %} 209{% block content %}
210 <div id="article"> 210 <div id="article">
211 <header class="mbm"> 211 <header class="mbm">
212 <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1> 212 <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
213 </header> 213 </header>
214 <aside> 214 <aside>
215 <ul class="tools"> 215 <ul class="tools">
diff --git a/var/SymfonyRequirements.php b/var/SymfonyRequirements.php
index 7e7723af..7e7a99de 100644
--- a/var/SymfonyRequirements.php
+++ b/var/SymfonyRequirements.php
@@ -780,7 +780,11 @@ class SymfonyRequirements extends RequirementCollection
780 { 780 {
781 $size = ini_get('realpath_cache_size'); 781 $size = ini_get('realpath_cache_size');
782 $size = trim($size); 782 $size = trim($size);
783 $unit = strtolower(substr($size, -1, 1)); 783 $unit = '';
784 if (!ctype_digit($size)) {
785 $unit = strtolower(substr($size, -1, 1));
786 $size = (int) substr($size, 0, -1);
787 }
784 switch ($unit) { 788 switch ($unit) {
785 case 'g': 789 case 'g':
786 return $size * 1024 * 1024 * 1024; 790 return $size * 1024 * 1024 * 1024;