From 3d9950792c0aef20643ce1c5f81670e1f7194af9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Tue, 17 Jan 2017 10:09:04 +0100
Subject: Fixed possible JS injection via the title edition
---
.../Resources/views/themes/common/Entry/entries.xml.twig | 2 +-
.../Resources/views/themes/common/Entry/share.html.twig | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'src/Wallabag/CoreBundle/Resources/views/themes/common')
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
index 288bb54f..7103f22b 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
@@ -10,7 +10,7 @@ {% for entry in entries %}
- <![CDATA[{{ entry.title }}]]>
+ <![CDATA[{{ entry.title|e }}]]> wallabag {{ entry.url }} {{ entry.url }}
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
index f77264c6..623cf1c4 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
@@ -1,6 +1,6 @@
- {{ entry.title | raw }}
+ {{ entry.title|e|raw }}
- + {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@@ -38,13 +38,13 @@ - +
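Review bot: The escaped title in the `@@ -10,7` hunk of entries.xml.twig is emitted inside a CDATA section, where a conforming XML parser does not decode entities, so a legitimate title such as `Tom & Jerry` now reaches feed consumers as `Tom &amp; Jerry`. The `|e` is still what matters for safety here: with Twig's default html strategy `>` becomes `&gt;`, so a title containing `]]>` can no longer close the section and smuggle markup into the feed. If this template is rendered with Symfony's default autoescaping (Twig guesses the html strategy for a `.xml.twig` name), `{{ entry.title }}` was already escaped and the filter only makes that explicit — worth confirming rather than assuming. A cleaner form is to drop the CDATA wrapper and emit `{{ entry.title|e }}` as plain element text, which is both well-formed and readable in feed clients.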
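Review bot: `{{ entry.title|e|raw }}` in the `@@ -1,6` hunk of share.html.twig (and again in the `@@ -38,13` hunk) chains two filters that work against each other: `|e` escapes the value and marks it safe, and `|raw` only re-asserts that it is safe, so under autoescaping this is equivalent to plain `{{ entry.title }}`. Keeping `|raw` on a user-controlled field is exactly the pattern that produced the original bug, and a later edit that drops the `|e` would silently reopen it; prefer `{{ entry.title }}` (or `{{ entry.title|e }}` if this template is rendered with autoescape off). Three of the five changed lines in this file appear here with their markup stripped (the bare `-`/`+` markers), so the surrounding context is not visible: the html strategy is right for element text and quoted attribute values, but an occurrence inside a `<script>` block would need `e('js')` instead.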
-

{{ entry.title | raw }}

-
{{ entry.domainName|removeWww }}
+

{{ entry.title|e|raw }}

+
{{ entry.domainName|removeWww }}
{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}