Merge pull request #2758 from wallabag/fix-public-sharing

Fixed possible JS injection via the title edition
author: Nicolas Lœuillet <nicolas@loeuillet.org> 2017-01-17 11:59:14 +0100
committer: GitHub <noreply@github.com> 2017-01-17 11:59:14 +0100
commit: 9123cb3053a1e5e8730e44a2723cd61bb9b08512 (patch)
tree: 0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 /src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
parent: 96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff)
parent: 3d9950792c0aef20643ce1c5f81670e1f7194af9 (diff)
download: wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.tar.gz
wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.tar.zst
wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
index 3689159b..8ca194f6 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
@@ -1,11 +1,11 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}
-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
 {% block content %}
    <div id="article">
        <header class="mbm">
-            <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+            <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
        </header>
        <div id="article_toolbar">
@@ -67,7 +67,7 @@
            </aside>
        </div>
        {% if entry.previewPicture is not null %}
-            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
+            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
        {% endif %}
        <article>
            {{ entry.content | raw }}
author	Nicolas Lœuillet <nicolas@loeuillet.org>	2017-01-17 11:59:14 +0100
committer	GitHub <noreply@github.com>	2017-01-17 11:59:14 +0100
commit	9123cb3053a1e5e8730e44a2723cd61bb9b08512 (patch)
tree	0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 /src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
parent	96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff)
parent	3d9950792c0aef20643ce1c5f81670e1f7194af9 (diff)
download	wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.tar.gz wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.tar.zst wallabag-9123cb3053a1e5e8730e44a2723cd61bb9b08512.zip

diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig index 3689159b..8ca194f6 100644 --- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig +++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
@@ -1,11 +1,11 @@
1	{% extends "WallabagCoreBundle::layout.html.twig" %}	1	{% extends "WallabagCoreBundle::layout.html.twig" %}
2		2
3	{% block title %}{{ entry.title\|raw }} ({{ entry.domainName\|removeWww }}){% endblock %}	3	{% block title %}{{ entry.title\|e\|raw }} ({{ entry.domainName\|removeWww }}){% endblock %}
4		4
5	{% block content %}	5	{% block content %}
6	<div id="article">	6	<div id="article">
7	<header class="mbm">	7	<header class="mbm">
8	<h1>{{ entry.title\|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'\|trans }}">✎</a></h1>	8	<h1>{{ entry.title\|e\|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'\|trans }}">✎</a></h1>
9	</header>	9	</header>
10		10
11	<div id="article_toolbar">	11	<div id="article_toolbar">
@@ -67,7 +67,7 @@
67	</aside>	67	</aside>
68	</div>	68	</div>
69	{% if entry.previewPicture is not null %}	69	{% if entry.previewPicture is not null %}
70	<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title\|raw }}" /></div>	70	<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title\|e\|raw }}" /></div>
71	{% endif %}	71	{% endif %}
72	<article>	72	<article>
73	{{ entry.content \| raw }}	73	{{ entry.content \| raw }}