mirror of
https://github.com/wallabag/wallabag.git
synced 2024-12-20 22:56:30 +00:00
Fixed possible JS injection via the title edition
This commit is contained in:
parent
96e2827605
commit
3d9950792c
9 changed files with 26 additions and 22 deletions
|
@ -23,7 +23,7 @@
|
|||
|
||||
{% for entry in entries %}
|
||||
<div id="entry-{{ entry.id|e }}" class="entry">
|
||||
<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
|
||||
<h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>
|
||||
|
||||
{% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
|
||||
<div class="estimatedTime">
|
||||
|
@ -60,7 +60,7 @@
|
|||
<li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
|
||||
<img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endfor %}
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
{% extends "WallabagCoreBundle::layout.html.twig" %}
|
||||
|
||||
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
|
||||
{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<div id="article">
|
||||
<header class="mbm">
|
||||
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
|
||||
<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
|
||||
</header>
|
||||
|
||||
<div id="article_toolbar">
|
||||
|
@ -67,7 +67,7 @@
|
|||
</aside>
|
||||
</div>
|
||||
{% if entry.previewPicture is not null %}
|
||||
<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
|
||||
<div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
|
||||
{% endif %}
|
||||
<article>
|
||||
{{ entry.content | raw }}
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
{% for entry in entries %}
|
||||
|
||||
<item>
|
||||
<title><![CDATA[{{ entry.title }}]]></title>
|
||||
<title><![CDATA[{{ entry.title|e }}]]></title>
|
||||
<source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
|
||||
<link>{{ entry.url }}</link>
|
||||
<guid>{{ entry.url }}</guid>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>{{ entry.title | raw }}</title>
|
||||
<title>{{ entry.title|e|raw }}</title>
|
||||
<style>
|
||||
body {
|
||||
margin: 10px;
|
||||
|
@ -27,7 +27,7 @@
|
|||
width: 600px;
|
||||
}
|
||||
</style>
|
||||
<meta property="og:title" content="{{ entry.title | raw }}" />
|
||||
<meta property="og:title" content="{{ entry.title|e|raw }}" />
|
||||
<meta property="og:type" content="article" />
|
||||
<meta property="og:url" content="{{ app.request.uri }}" />
|
||||
{% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
|
||||
|
@ -38,13 +38,13 @@
|
|||
<meta name="twitter:card" content="summary" />
|
||||
<meta name="twitter:image" content="{{ picturePath }}" />
|
||||
<meta name="twitter:site" content="@wallabagapp" />
|
||||
<meta name="twitter:title" content="{{ entry.title | raw }}" />
|
||||
<meta name="twitter:title" content="{{ entry.title|e|raw }}" />
|
||||
<meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}…" />
|
||||
</head>
|
||||
<body>
|
||||
<header>
|
||||
<h1>{{ entry.title | raw }}</h1>
|
||||
<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
|
||||
<h1>{{ entry.title|e|raw }}</h1>
|
||||
<div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
|
||||
<div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
|
||||
</header>
|
||||
<article>
|
||||
|
|
|
@ -11,8 +11,8 @@
|
|||
|
||||
<div class="card-content">
|
||||
<span class="card-title dot-ellipsis dot-resize-update">
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
|
||||
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
|
||||
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
|
||||
</a>
|
||||
</span>
|
||||
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
<div class="card-body">
|
||||
<div class="card-content">
|
||||
<span class="card-title dot-ellipsis dot-resize-update">
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
|
||||
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
|
||||
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
|
||||
</a>
|
||||
</span>
|
||||
|
||||
|
|
|
@ -13,8 +13,8 @@
|
|||
<i class="grey-text text-darken-4 activator material-icons right">more_vert</i>
|
||||
|
||||
<span class="card-title dot-ellipsis dot-resize-update">
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
|
||||
{{ entry.title| striptags | truncate(80, true, '…') | raw }}
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
|
||||
{{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
|
||||
</a>
|
||||
</span>
|
||||
|
||||
|
@ -29,8 +29,8 @@
|
|||
<div class="card-reveal">
|
||||
<i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
|
||||
<span class="card-title">
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
|
||||
{{ entry.title | raw | striptags | truncate(80, true, '…') }}
|
||||
<a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
|
||||
{{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
|
||||
</a>
|
||||
</span>
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{% extends "WallabagCoreBundle::layout.html.twig" %}
|
||||
|
||||
{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
|
||||
{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
|
||||
|
||||
{% block body_class %}entry{% endblock %}
|
||||
|
||||
|
@ -209,7 +209,7 @@
|
|||
{% block content %}
|
||||
<div id="article">
|
||||
<header class="mbm">
|
||||
<h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
|
||||
<h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
|
||||
</header>
|
||||
<aside>
|
||||
<ul class="tools">
|
||||
|
|
|
@ -780,7 +780,11 @@ class SymfonyRequirements extends RequirementCollection
|
|||
{
|
||||
$size = ini_get('realpath_cache_size');
|
||||
$size = trim($size);
|
||||
$unit = strtolower(substr($size, -1, 1));
|
||||
$unit = '';
|
||||
if (!ctype_digit($size)) {
|
||||
$unit = strtolower(substr($size, -1, 1));
|
||||
$size = (int) substr($size, 0, -1);
|
||||
}
|
||||
switch ($unit) {
|
||||
case 'g':
|
||||
return $size * 1024 * 1024 * 1024;
|
||||
|
|
Loading…
Reference in a new issue