Fixed possible JS injection via the title edition

author: Nicolas Lœuillet <nicolas@loeuillet.org> 2017-01-17 10:09:04 +0100
committer: Nicolas Lœuillet <nicolas@loeuillet.org> 2017-01-17 10:09:04 +0100
commit: 3d9950792c0aef20643ce1c5f81670e1f7194af9 (patch)
tree: 0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 /src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
parent: 96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff)
download: wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.gz
wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.zst
wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
index 56a0faac..4679714e 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
@@ -23,7 +23,7 @@
    {% for entry in entries %}
        <div id="entry-{{ entry.id|e }}" class="entry">
-            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
+            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
            {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
            <div class="estimatedTime">
@@ -60,7 +60,7 @@
                    <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
                {% endfor %}
                </ul>
-                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
+                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
            {% endif %}
        </div>
    {% endfor %}
author	Nicolas Lœuillet <nicolas@loeuillet.org>	2017-01-17 10:09:04 +0100
committer	Nicolas Lœuillet <nicolas@loeuillet.org>	2017-01-17 10:09:04 +0100
commit	3d9950792c0aef20643ce1c5f81670e1f7194af9 (patch)
tree	0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 /src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
parent	96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff)
download	wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.gz wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.tar.zst wallabag-3d9950792c0aef20643ce1c5f81670e1f7194af9.zip

diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig index 56a0faac..4679714e 100644 --- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig +++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
@@ -23,7 +23,7 @@
23		23
24	{% for entry in entries %}	24	{% for entry in entries %}
25	<div id="entry-{{ entry.id\|e }}" class="entry">	25	<div id="entry-{{ entry.id\|e }}" class="entry">
26	<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title\|raw }}">{{ entry.title\|raw }}</a></h2>	26	<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title\|e\|raw }}">{{ entry.title\|e\|raw }}</a></h2>
27		27
28	{% set readingTime = entry.readingTime / app.user.config.readingSpeed %}	28	{% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
29	<div class="estimatedTime">	29	<div class="estimatedTime">
@@ -60,7 +60,7 @@
60	<li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>	60	<li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
61	{% endfor %}	61	{% endfor %}
62	</ul>	62	</ul>
63	<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title\|raw }}" />	63	<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title\|e\|raw }}" />
64	{% endif %}	64	{% endif %}
65	</div>	65	</div>
66	{% endfor %}	66	{% endfor %}