mirrors/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2024-05-14 15:22:38 +00:00
Code Issues Projects Releases Wiki Activity

Fixed possible JS injection via the title edition

Browse source
This commit is contained in:
Nicolas Lœuillet 2017-01-17 10:09:04 +01:00
parent 96e2827605
commit 3d9950792c
No known key found for this signature in database
GPG key ID: BDC1EFB5CA0145F2
9 changed files with 26 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
View file

@ -23,7 +23,7 @@
{% for entry in entries %}
<div id="entry-{{ entry.id|e }}" class="entry">
<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
{% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
<div class="estimatedTime">
@ -60,7 +60,7 @@
<li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
{% endfor %}
</ul>
<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
{% endif %}
</div>
{% endfor %}

6
src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
View file

@ -1,11 +1,11 @@
{% extends "WallabagCoreBundle::layout.html.twig" %}
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block content %}
<div id="article">
<header class="mbm">
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
</header>
<div id="article_toolbar">
@ -67,7 +67,7 @@
</aside>
</div>
{% if entry.previewPicture is not null %}
<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
{% endif %}
<article>
{{ entry.content | raw }}

2
src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
View file

@ -10,7 +10,7 @@
{% for entry in entries %}
<item>
<title><![CDATA[{{ entry.title }}]]></title>
<title><![CDATA[{{ entry.title|e }}]]></title>
<source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
<link>{{ entry.url }}</link>
<guid>{{ entry.url }}</guid>

10
src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
View file

@ -1,6 +1,6 @@
<html>
<head>
<title>{{ entry.title | raw }}</title>
<title>{{ entry.title|e|raw }}</title>
<style>
body {
margin: 10px;
@ -27,7 +27,7 @@
width: 600px;
}
</style>
<meta property="og:title" content="{{ entry.title | raw }}" />
<meta property="og:title" content="{{ entry.title|e|raw }}" />
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ app.request.uri }}" />
{% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@ -38,13 +38,13 @@
<meta name="twitter:card" content="summary" />
<meta name="twitter:image" content="{{ picturePath }}" />
<meta name="twitter:site" content="@wallabagapp" />
<meta name="twitter:title" content="{{ entry.title | raw }}" />
<meta name="twitter:title" content="{{ entry.title|e|raw }}" />
<meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" />
</head>
<body>
<header>
<h1>{{ entry.title | raw }}</h1>
<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
<h1>{{ entry.title|e|raw }}</h1>
<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
<div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
</header>
<article>

4
src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
View file

@ -11,8 +11,8 @@
<div class="card-content">
<span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a>
</span>

4
src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
View file

@ -2,8 +2,8 @@
<div class="card-body">
<div class="card-content">
<span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a>
</span>

8
src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
View file

@ -13,8 +13,8 @@
<i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
<span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
{{ entry.title| striptags | truncate(80, true, '…') | raw }}
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
</a>
</span>
@ -29,8 +29,8 @@
<div class="card-reveal">
<i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
<span class="card-title">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a>
</span>

4
src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
View file

@ -1,6 +1,6 @@
{% extends "WallabagCoreBundle::layout.html.twig" %}
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block body_class %}entry{% endblock %}
@ -209,7 +209,7 @@
{% block content %}
<div id="article">
<header class="mbm">
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
</header>
<aside>
<ul class="tools">

6
var/SymfonyRequirements.php
View file

@ -780,7 +780,11 @@ class SymfonyRequirements extends RequirementCollection
{
$size = ini_get('realpath_cache_size');
$size = trim($size);
$unit = strtolower(substr($size, -1, 1));
$unit = '';
if (!ctype_digit($size)) {
$unit = strtolower(substr($size, -1, 1));
$size = (int) substr($size, 0, -1);
}
switch ($unit) {
case 'g':
return $size * 1024 * 1024 * 1024;