Fixed possible JS injection via the title edition

Nicolas Lœuillet 2017-01-17 10:09:04 +01:00
parent 96e2827605
commit 3d9950792c
No known key found for this signature in database
GPG key ID: BDC1EFB5CA0145F2
9 changed files with 26 additions and 22 deletions


@ -23,7 +23,7 @@
{% for entry in entries %} {% for entry in entries %}
<div id="entry-{{ entry.id|e }}" class="entry"> <div id="entry-{{ entry.id|e }}" class="entry">
<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2> <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
{% set readingTime = entry.readingTime / app.user.config.readingSpeed %} {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
<div class="estimatedTime"> <div class="estimatedTime">
@ -60,7 +60,7 @@
<li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li> <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
{% endfor %} {% endfor %}
</ul> </ul>
<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /> <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
{% endif %} {% endif %}
</div> </div>
{% endfor %} {% endfor %}
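Review bot: The `|e|raw` pairs added on the `<h2>` link title and the `<img alt>` here (and likewise in the later sections: the view template's title block, `<h1>` and preview image; the share template's `<title>`, `og:title`, `twitter:title`, `<h1>` and link title; the entry template's title block and `<h1>`) are a roundabout spelling of the default autoescape: `e` HTML-escapes with quotes included, which covers the attribute contexts too, and `raw` only tells the escaper not to run a second time. `{{ entry.title }}` produces the same bytes under Twig's html autoescape and cannot be misread as an unescaped output. If the original `|raw` was there because some stored titles already carry HTML entities, `|e|raw` now double-encodes them (a stored `&amp;` is displayed as `&amp;`), so that assumption about how titles are stored is worth checking against the import paths; a one-line `{# entry.title is stored unescaped; escaping happens at output #}` at the top of the template would record whichever is the case.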


@ -1,11 +1,11 @@
{% extends "WallabagCoreBundle::layout.html.twig" %} {% extends "WallabagCoreBundle::layout.html.twig" %}
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %} {% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block content %} {% block content %}
<div id="article"> <div id="article">
<header class="mbm"> <header class="mbm">
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1> <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
</header> </header>
<div id="article_toolbar"> <div id="article_toolbar">
@ -67,7 +67,7 @@
</aside> </aside>
</div> </div>
{% if entry.previewPicture is not null %} {% if entry.previewPicture is not null %}
<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div> <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
{% endif %} {% endif %}
<article> <article>
{{ entry.content | raw }} {{ entry.content | raw }}


@ -10,7 +10,7 @@
{% for entry in entries %} {% for entry in entries %}
<item> <item>
<title><![CDATA[{{ entry.title }}]]></title> <title><![CDATA[{{ entry.title|e }}]]></title>
<source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source> <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
<link>{{ entry.url }}</link> <link>{{ entry.url }}</link>
<guid>{{ entry.url }}</guid> <guid>{{ entry.url }}</guid>


@ -1,6 +1,6 @@
<html> <html>
<head> <head>
<title>{{ entry.title | raw }}</title> <title>{{ entry.title|e|raw }}</title>
<style> <style>
body { body {
margin: 10px; margin: 10px;
@ -27,7 +27,7 @@
width: 600px; width: 600px;
} }
</style> </style>
<meta property="og:title" content="{{ entry.title | raw }}" /> <meta property="og:title" content="{{ entry.title|e|raw }}" />
<meta property="og:type" content="article" /> <meta property="og:type" content="article" />
<meta property="og:url" content="{{ app.request.uri }}" /> <meta property="og:url" content="{{ app.request.uri }}" />
{% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %} {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@ -38,13 +38,13 @@
<meta name="twitter:card" content="summary" /> <meta name="twitter:card" content="summary" />
<meta name="twitter:image" content="{{ picturePath }}" /> <meta name="twitter:image" content="{{ picturePath }}" />
<meta name="twitter:site" content="@wallabagapp" /> <meta name="twitter:site" content="@wallabagapp" />
<meta name="twitter:title" content="{{ entry.title | raw }}" /> <meta name="twitter:title" content="{{ entry.title|e|raw }}" />
<meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" /> <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" />
</head> </head>
<body> <body>
<header> <header>
<h1>{{ entry.title | raw }}</h1> <h1>{{ entry.title|e|raw }}</h1>
<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div> <div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
<div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div> <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
</header> </header>
<article> <article>
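Review bot: The `twitter:description` meta tag in the third hunk still emits `entry.content|striptags|slice(0, 300)|raw` inside a double-quoted attribute: `striptags` removes tags but leaves `"`, `<` and `&` untouched, so the fetched article body can still terminate the attribute, which is the same class of problem this commit fixes for the title on the line above it. Dropping the `|raw` — `content="{{ entry.content|striptags|slice(0, 300) }}&hellip;"` — lets the autoescaper apply the single HTML escape that the title lines in this hunk now get. The `|raw` on the `shared_by_wallabag` translation line is a different case (a translated string carrying a generated URL) and is not what this note is about.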


@ -11,8 +11,8 @@
<div class="card-content"> <div class="card-content">
<span class="card-title dot-ellipsis dot-resize-update"> <span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }} {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a> </a>
</span> </span>
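Review bot: In the link text on the second changed line, `e` runs before `striptags` and `truncate`, so `striptags` sees `&lt;b&gt;` instead of `<b>` and no longer removes anything, and because `truncate` is the last filter and is not declared safe, Twig's autoescaper encodes the result a second time (an `&` in a title comes out as `&amp;amp;`, displayed as `&amp;`). The same chain is used in the next two sections; the first hunk of the third section puts `|raw` last and therefore escapes once, but still runs `striptags` on an already-escaped string. Strip first and let the autoescaper apply the single escape at output: `title="{{ entry.title|striptags }}"` and `{{ entry.title|striptags|truncate(80, true, '…') }}` — this assumes autoescape is on for these templates, which the original `|raw` suggests. A `|raw` in the middle of a filter chain has no effect either way, since safety is decided by the last filter applied.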


@ -2,8 +2,8 @@
<div class="card-body"> <div class="card-body">
<div class="card-content"> <div class="card-content">
<span class="card-title dot-ellipsis dot-resize-update"> <span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }} {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a> </a>
</span> </span>


@ -13,8 +13,8 @@
<i class="grey-text text-darken-4 activator material-icons right">more_vert</i> <i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
<span class="card-title dot-ellipsis dot-resize-update"> <span class="card-title dot-ellipsis dot-resize-update">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title| striptags | truncate(80, true, '…') | raw }} {{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
</a> </a>
</span> </span>
@ -29,8 +29,8 @@
<div class="card-reveal"> <div class="card-reveal">
<i class="card-title activator grey-text text-darken-4 material-icons right">clear</i> <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
<span class="card-title"> <span class="card-title">
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}"> <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
{{ entry.title | raw | striptags | truncate(80, true, '…') }} {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
</a> </a>
</span> </span>


@ -1,6 +1,6 @@
{% extends "WallabagCoreBundle::layout.html.twig" %} {% extends "WallabagCoreBundle::layout.html.twig" %}
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %} {% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
{% block body_class %}entry{% endblock %} {% block body_class %}entry{% endblock %}
@ -209,7 +209,7 @@
{% block content %} {% block content %}
<div id="article"> <div id="article">
<header class="mbm"> <header class="mbm">
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1> <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
</header> </header>
<aside> <aside>
<ul class="tools"> <ul class="tools">


@ -780,7 +780,11 @@ class SymfonyRequirements extends RequirementCollection
{ {
$size = ini_get('realpath_cache_size'); $size = ini_get('realpath_cache_size');
$size = trim($size); $size = trim($size);
$unit = strtolower(substr($size, -1, 1)); $unit = '';
if (!ctype_digit($size)) {
$unit = strtolower(substr($size, -1, 1));
$size = (int) substr($size, 0, -1);
}
switch ($unit) { switch ($unit) {
case 'g': case 'g':
return $size * 1024 * 1024 * 1024; return $size * 1024 * 1024 * 1024;