author | Nicolas LÅ“uillet <nicolas@loeuillet.org> | 2017-01-17 11:59:14 +0100 |
committer | GitHub <noreply@github.com> | 2017-01-17 11:59:14 +0100 |
commit | 9123cb3053a1e5e8730e44a2723cd61bb9b08512 (patch) | |
tree | 0eb9a92112c2e5913015abf01ff4e0b9e14c6d85 /src/Wallabag/CoreBundle/Resources/views/themes/common/Entry | |
parent | 96e2827605ab459bfc61ff96438eab8285d2a0c7 (diff) | |
parent | 3d9950792c0aef20643ce1c5f81670e1f7194af9 (diff) | |
Merge pull request #2758 from wallabag/fix-public-sharing
Fixed possible JS injection via title editing
Diffstat (limited to 'src/Wallabag/CoreBundle/Resources/views/themes/common/Entry')
-rw-r--r-- | src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig | 2 | ||||
-rw-r--r-- | src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig | 10 |
2 files changed, 6 insertions, 6 deletions
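--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
@@ -10,7 +10,7 @@
 {% for entry in entries %}
 
 <item>
-<title><![CDATA[{{ entry.title }}]]></title>
+<title><![CDATA[{{ entry.title|e }}]]></title>
 <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
 <link>{{ entry.url }}</link>
 <guid>{{ entry.url }}</guid>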
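Review bot: On line 13 the new `|e` filter HTML-escapes the title inside a CDATA section, which does close the `]]>` break-out (the `>` becomes `&gt;`) but leaves `&amp;` / `&#039;` sequences in text that XML parsers hand to feed readers verbatim, because CDATA content is not entity-decoded; a reader that does not re-parse the title as HTML will display them literally. Either drop the CDATA wrapper and let the escaping carry the whole job, `<title>{{ entry.title|e }}</title>`, or keep CDATA and neutralise only its terminator, `<title><![CDATA[{{ entry.title|replace({']]>': ']]]]><![CDATA[>'}) }}]]></title>`. The enclosing `{% for entry in entries %}` body continues past the end of the hunk.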
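--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
@@ -1,6 +1,6 @@
 <html>
 <head>
-<title>{{ entry.title | raw }}</title>
+<title>{{ entry.title|e|raw }}</title>
 <style>
 body {
 margin: 10px;
@@ -27,7 +27,7 @@
 width: 600px;
 }
 </style>
-<meta property="og:title" content="{{ entry.title | raw }}" />
+<meta property="og:title" content="{{ entry.title|e|raw }}" />
 <meta property="og:type" content="article" />
 <meta property="og:url" content="{{ app.request.uri }}" />
 {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@@ -38,13 +38,13 @@
 <meta name="twitter:card" content="summary" />
 <meta name="twitter:image" content="{{ picturePath }}" />
 <meta name="twitter:site" content="@wallabagapp" />
-<meta name="twitter:title" content="{{ entry.title | raw }}" />
+<meta name="twitter:title" content="{{ entry.title|e|raw }}" />
 <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}…" />
 </head>
 <body>
 <header>
-<h1>{{ entry.title | raw }}</h1>
+<h1>{{ entry.title|e|raw }}</h1>
-<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
+<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
 <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
 </header>
 <article>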
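Review bot: Line 42's `twitter:description` still interpolates `entry.content|striptags|slice(0, 300)|raw` into a double-quoted attribute; `striptags` removes tags but not a literal `"` in the remaining text, so such a quote terminates the `content` attribute and whatever follows is parsed as markup, the same class of injection this commit closes for the title on lines 3, 30, 41, 46 and 47. Escaping that value the same way as the title, `content="{{ entry.content|striptags|slice(0, 300)|e }}…"`, closes it; entities already present in the stored content would then show double-encoded, so decoding before escaping may be wanted. On the title lines, `|e|raw` is equivalent to plain `|e`, since the escaped value is already marked safe and will not be escaped again, so the trailing `|raw` can be dropped.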