From 3d9950792c0aef20643ce1c5f81670e1f7194af9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= <nicolas@loeuillet.org>
Date: Tue, 17 Jan 2017 10:09:04 +0100
Subject: Fixed possible JS injection via the title edition

---
 .../Resources/views/themes/material/Entry/_card_full_image.html.twig  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig')

diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
index 0fdd5996..91a1bac0 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
@@ -11,8 +11,8 @@
 
         <div class="card-content">
             <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
+                    {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
                 </a>
             </span>
 
-- 
cgit v1.2.3