From 66697b29b9fce63deccbed391c406c02a2a34dd2 Mon Sep 17 00:00:00 2001
From: Kevin Decherf
Date: Sun, 23 Sep 2018 22:46:09 +0200
Subject: views: escape piwik host and siteId to prevent XSS
Fixes CVE-2018-11352
Signed-off-by: Kevin Decherf
---
 src/Wallabag/CoreBundle/Resources/views/base.html.twig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Wallabag/CoreBundle/Resources/views/base.html.twig b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
index 2499bb88..49861946 100644
--- a/src/Wallabag/CoreBundle/Resources/views/base.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/base.html.twig
@@ -69,7 +69,7 @@
 {% block footer %}{% endblock %}
 {% if craue_setting('piwik_enabled') %}
- {{ piwik(craue_setting('piwik_host'), craue_setting('piwik_site_id')) }}
+ {{ piwik(craue_setting('piwik_host')|e('html_attr'), craue_setting('piwik_site_id')|e('html_attr')) }}
 {% endif %}
-- cgit v1.2.3
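Review bot: The `html_attr` strategy on the new `piwik(...)` line is only the right one if the helper writes both values into HTML attributes, and this template does not show where `piwik()` places them. If the helper builds an inline tracking script (presumably, since that is how Piwik snippets are usually emitted), the matching strategy would be `js`, for example `craue_setting('piwik_host')|e('js')`, because HTML entities are not decoded inside a script element. `html_attr` also entity-encodes characters such as `/` and `:`, so a host stored with a port or sub-path would reach the tracker in encoded form. Validating both settings when they are saved (a hostname pattern and an integer site id) would keep the protection from depending on this one call site. The definition of `piwik()` and the rest of the template lie outside the hunk, so the output context should be confirmed there.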