author | Nicolas Lœuillet <nicolas@loeuillet.org> | 2017-01-17 10:09:04 +0100 |
---|---|---|
committer | Nicolas Lœuillet <nicolas@loeuillet.org> | 2017-01-17 10:09:04 +0100 |
commit | 3d9950792c0aef20643ce1c5f81670e1f7194af9 (patch) | |
tree | 0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 | |
parent | 96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff) | |
download | wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.gz wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.zst wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.zip |
Fixed possible JS injection via title editing
9 files changed, 26 insertions, 22 deletions
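--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
@@ -23,7 +23,7 @@
 
 {% for entry in entries %}
 <div id="entry-{{ entry.id|e }}" class="entry">
-<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
+<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
 
 {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
 <div class="estimatedTime">
@@ -60,7 +60,7 @@
 <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
 {% endfor %}
 </ul>
-<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
+<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
 {% endif %}
 </div>
 {% endfor %}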
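Review bot: On the new side of lines 26 and 63, `|e|raw` is the same as `|e` alone — Twig's escape filter already marks its output as safe, so the trailing `|raw` is a no-op that only makes the template look as if it deliberately bypasses escaping, which is the habit that produced this bug. If autoescaping is active for `.html.twig` templates (Symfony's default, not visible in this diff), the simplest safe form is `{{ entry.title }}` in both the `title=` attribute and the element body, or `{{ entry.title|e }}` if you want the escaping explicit; either way drop `|raw`. Note that `e` without an argument uses the `html` strategy, which is adequate for a double-quoted attribute and element text but not for a JavaScript or URL context, so a different strategy would be needed if the title is ever reused in an `onclick` or an `href`.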
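--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
@@ -1,11 +1,11 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}
 
-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
 
 {% block content %}
 <div id="article">
 <header class="mbm">
-<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
 </header>
 
 <div id="article_toolbar">
@@ -67,7 +67,7 @@
 </aside>
 </div>
 {% if entry.previewPicture is not null %}
-<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
+<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
 {% endif %}
 <article>
 {{ entry.content | raw }}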
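Review bot: Line 73, left unchanged in the second hunk, still outputs `{{ entry.content | raw }}`, so after this commit the article body is the one remaining unescaped output on the page and its safety depends entirely on sanitisation performed when the entry was fetched, which this diff does not show. That trust boundary deserves a comment on the line so the next person does not treat it like the title: `{# NOTE: content is emitted unescaped — relies on the HTML being sanitised at fetch time; confirm before changing #}`. Separately, `|e|raw` on lines 3, 8 and 70 reduces to `|e`, since the escape filter already marks its result safe and the `|raw` does nothing.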
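--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
@@ -10,7 +10,7 @@
 {% for entry in entries %}
 
 <item>
-<title><![CDATA[{{ entry.title }}]]></title>
+<title><![CDATA[{{ entry.title|e }}]]></title>
 <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
 <link>{{ entry.url }}</link>
 <guid>{{ entry.url }}</guid>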
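Review bot: Line 13 applies HTML escaping inside a `<![CDATA[...]]>` section, where entities are not decoded, so a title containing `&` or `<` will now reach feed readers as a literal `&amp;` or `&lt;`. The escape does close the only breakout a CDATA section has (the `>` of a `]]>` terminator becomes `&gt;`), but once the value is escaped the CDATA wrapper serves no purpose and only causes that display regression; the five entities `e` emits (`&amp; &lt; &gt; &quot; &#039;`) are all valid XML, so `<title>{{ entry.title|e }}</title>` is the cleaner form. If this template is autoescaped (Symfony's name-based strategy treats `.xml.twig` as HTML, but the configuration is not in this diff), the original line was already escaped and the `|e` here changes nothing except documenting the intent — worth confirming, because the `<link>` and `<guid>` values on lines 15–16 rely on that same autoescaping.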
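--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
@@ -1,6 +1,6 @@
 <html>
 <head>
-<title>{{ entry.title | raw }}</title>
+<title>{{ entry.title|e|raw }}</title>
 <style>
 body {
 margin: 10px;
@@ -27,7 +27,7 @@
 width: 600px;
 }
 </style>
-<meta property="og:title" content="{{ entry.title | raw }}" />
+<meta property="og:title" content="{{ entry.title|e|raw }}" />
 <meta property="og:type" content="article" />
 <meta property="og:url" content="{{ app.request.uri }}" />
 {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@@ -38,13 +38,13 @@
 <meta name="twitter:card" content="summary" />
 <meta name="twitter:image" content="{{ picturePath }}" />
 <meta name="twitter:site" content="@wallabagapp" />
-<meta name="twitter:title" content="{{ entry.title | raw }}" />
+<meta name="twitter:title" content="{{ entry.title|e|raw }}" />
 <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}…" />
 </head>
 <body>
 <header>
-<h1>{{ entry.title | raw }}</h1>
-<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
+<h1>{{ entry.title|e|raw }}</h1>
+<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
 <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
 </header>
 <article>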
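Review bot: Line 42 in the third hunk, untouched by this commit, still writes `entry.content|striptags|slice(0, 300)|raw` into the `content` attribute of the `twitter:description` meta tag; `striptags` removes tags but leaves `"` alone, so a stored article whose first 300 visible characters contain a double quote terminates the attribute and injects into this public share page, which is served to anonymous visitors. The fix is the same shape as the title fix: drop the `|raw`, i.e. `<meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300) }}…" />`, relying on autoescaping or appending `|e('html_attr')`. Line 47 escapes `entry.url` for HTML but HTML escaping does not constrain the URL scheme, so a stored `javascript:` URL would still be a clickable link here unless the URL is validated at save time, which this diff does not show. As elsewhere in the commit, `|e|raw` on lines 3, 30, 41, 46 and 47 reduces to `|e`; the trailing `|raw` is a no-op.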
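--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
@@ -11,8 +11,8 @@
 
 <div class="card-content">
 <span class="card-title dot-ellipsis dot-resize-update">
-<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-{{ entry.title | raw | striptags | truncate(80, true, '…') }}
+<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
+{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
 </a>
 </span>
 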
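Review bot: The filter order on the new side of lines 14–15 escapes before stripping: once `e` has run there are no `<` characters left, so `striptags` is a no-op and a title that contains markup now renders it as visible `&lt;b&gt;` text instead of removing it. Escaping should be the last step, with stripping and truncation applied to the plain text first: `title="{{ entry.title|striptags }}"` and `{{ entry.title|striptags|truncate(80, true, '…') }}`, relying on autoescaping (or appending `|e`), which is just as safe and keeps the stripping behaviour. Note that in the original lines the last filter was `striptags`/`truncate`, neither of which is declared safe in Twig as far as I know, so the autoescaper was presumably already escaping these outputs; if so, the right change is to delete `|raw` rather than to add `e` in front of it.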
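--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
@@ -2,8 +2,8 @@
 <div class="card-body">
 <div class="card-content">
 <span class="card-title dot-ellipsis dot-resize-update">
-<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-{{ entry.title | raw | striptags | truncate(80, true, '…') }}
+<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
 </a>
 </span>
 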
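Review bot: Lines 5–6 on the new side run `e` before `striptags`, which makes `striptags` dead code (nothing is left to strip after escaping) and turns any markup in a title into literal `&lt;...&gt;` text on the card. Put the escape last so the text filters see the real string: `title="{{ entry.title|striptags }}"` and `{{ entry.title|striptags|truncate(80, true, '…') }}`, letting autoescaping handle the output or appending `|e`. The `| raw` in the middle of the chain does nothing useful either way and should go.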
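--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
@@ -13,8 +13,8 @@
 <i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
 
 <span class="card-title dot-ellipsis dot-resize-update">
-<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-{{ entry.title| striptags | truncate(80, true, '…') | raw }}
+<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+{{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
 </a>
 </span>
 
@@ -29,8 +29,8 @@
 <div class="card-reveal">
 <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
 <span class="card-title">
-<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-{{ entry.title | raw | striptags | truncate(80, true, '…') }}
+<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
 </a>
 </span>
 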
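Review bot: Line 17 in the first hunk was the one genuinely unescaped output in this file (`| raw` was its last filter), and the new version fixes it only by escaping first and then keeping `| raw` at the end, so it is safe but the intermediate `striptags` no longer has any tags to strip and markup in a title becomes visible `&lt;...&gt;` text. Escape last instead: `{{ entry.title|striptags|truncate(80, true, '…') }}` (autoescaped, or with `|e` appended), and the same reordering applies to lines 16, 32 and 33. Escaping before `truncate` also makes the 80-character budget count entity characters rather than visible ones, another reason to keep the text filters ahead of the escape.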
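--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
@@ -1,6 +1,6 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}
 
-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
 
 {% block body_class %}entry{% endblock %}
 
@@ -209,7 +209,7 @@
 {% block content %}
 <div id="article">
 <header class="mbm">
-<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
 </header>
 <aside>
 <ul class="tools">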
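Review bot: On lines 3 and 212 the new `|e|raw` is equivalent to `|e` — the escape filter's output is already marked safe, so `|raw` changes nothing and only keeps the "raw" pattern that caused the injection alive in the template. Prefer `{{ entry.title }}` under autoescaping, or `{{ entry.title|e }}` when the escaping should be explicit, and reserve `|raw` for values that are genuinely pre-sanitised HTML. The `title` block is rendered by the parent layout, which is not in this diff; escaping once here is safe regardless of what the layout does with `block('title')`.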
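--- a/var/SymfonyRequirements.php
+++ b/var/SymfonyRequirements.php
@@ -780,7 +780,11 @@ class SymfonyRequirements extends RequirementCollection
 {
 $size = ini_get('realpath_cache_size');
 $size = trim($size);
-$unit = strtolower(substr($size, -1, 1));
+$unit = '';
+if (!ctype_digit($size)) {
+$unit = strtolower(substr($size, -1, 1));
+$size = (int) substr($size, 0, -1);
+}
 switch ($unit) {
 case 'g':
 return $size * 1024 * 1024 * 1024;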