Merge remote-tracking branch 'origin/master' into 2.2

2025-01-09 00:15:27 +00:00 · 2017-01-26 13:32:07 +01:00 · 2017-01-26 13:32:07 +01:00 · 78295b99dd
commit 78295b99dd
parent 463cb376e3 05fa529bcf
12 changed files with 31 additions and 25 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,12 @@
 ## Changelog

+### 2.1.6 2017/01/17
+- [#2758](https://github.com/wallabag/wallabag/pull/2758) Fixed possible JS injection via the title edition (@nicosomb)
+- [#2736](https://github.com/wallabag/wallabag/pull/2736) Update copyright year (@lex111)
+- [#2624](https://github.com/wallabag/wallabag/pull/2624) Fix #2056 update config.yml (@Rurik19)
+
 ### 2.1.5 2016/11/21
+- [#2625](https://github.com/wallabag/wallabag/pull/2625) Prepare wallabag 2.1.5 (@nicosomb)
 - [#2623](https://github.com/wallabag/wallabag/pull/2623) Force composer to run as PHP 5.5.9 (@j0k3r)
 - [#2608](https://github.com/wallabag/wallabag/pull/2608) Change version to 2.2.0-dev (@nicosomb)
 - [#2607](https://github.com/wallabag/wallabag/pull/2607) Updated changelog for 2.1.4 (@nicosomb)
@ -94,7 +100,7 @@
 - [#2397](https://github.com/wallabag/wallabag/pull/2397) Ensure orphan tag are remove in API (@j0k3r)
 - [#2399](https://github.com/wallabag/wallabag/pull/2399) Use default locale for user config (@j0k3r)
 - [#2400](https://github.com/wallabag/wallabag/pull/2400) Set env to prod in documentation (@j0k3r)
- [#2396](https://github.com/wallabag/wallabag/pull/2396) Update messages.pl.yml (@mruminski)
+- [#2396](https://github.com/wallabag/wallabag/pull/2396) Update messages.pl.yml (@wallabag)
 - [#2395](https://github.com/wallabag/wallabag/pull/2395) Add ability to use socket (@j0k3r)
 - [#2386](https://github.com/wallabag/wallabag/pull/2386) Changed Changelog by using github-changelog-generator from @skywinder (@nicosomb)
 - [#2389](https://github.com/wallabag/wallabag/pull/2389) Added default picture if preview picture is null (@nicosomb)
--- a/COPYING.md
+++ b/COPYING.md
@ -1,4 +1,4 @@
-Copyright (c) 2013-2016 Nicolas Lœuillet
+Copyright (c) 2013-2017 Nicolas Lœuillet

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -22,6 +22,6 @@ make run
 ```

 # License
-Copyright © 2013-2016 Nicolas Lœuillet <nicolas@loeuillet.org>
+Copyright © 2013-2017 Nicolas Lœuillet <nicolas@loeuillet.org>
 This work is free. You can redistribute it and/or modify it under the
 terms of the MIT License. See the COPYING file for more details.
--- a/app/config/config.yml
+++ b/app/config/config.yml
@ -30,7 +30,7 @@ framework:
    assets: ~

 wallabag_core:
-    version: 2.1.5
+    version: 2.1.6
    paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
    languages:
        en: 'English'
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entries.html.twig
@ -28,7 +28,7 @@

    {% for entry in entries %}
        <div id="entry-{{ entry.id|e }}" class="{% if listMode == 0 %}entry{% else %}listmode entry{% endif %}">
-            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|raw }}">{{ entry.title|raw }}</a></h2>
+            <h2><a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title|e|raw }}">{{ entry.title|e|raw }}</a></h2>

            {% set readingTime = entry.readingTime / app.user.config.readingSpeed %}
            <div class="estimatedTime">
@ -65,7 +65,7 @@
                    <li><a href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a></li>
                {% endfor %}
                </ul>
-                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" />
+                <img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" />
            {% endif %}
        </div>
    {% endfor %}
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Entry/entry.html.twig
@ -1,11 +1,11 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}

-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}

 {% block content %}
    <div id="article">
        <header class="mbm">
-            <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+            <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" class="nostyle" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
        </header>

        <div id="article_toolbar">
@ -68,7 +68,7 @@
            </aside>
        </div>
        {% if entry.previewPicture is not null %}
-            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|raw }}" /></div>
+            <div><img class="preview" src="{{ entry.previewPicture }}" alt="{{ entry.title|e|raw }}" /></div>
        {% endif %}
        <article>
            {{ entry.content | raw }}
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/entries.xml.twig
@ -18,7 +18,7 @@
        {% for entry in entries %}

            <item>
-                <title><![CDATA[{{ entry.title }}]]></title>
+                <title><![CDATA[{{ entry.title|e }}]]></title>
                <source url="{{ url('view', { 'id': entry.id }) }}">wallabag</source>
                <link>{{ entry.url }}</link>
                <guid>{{ entry.url }}</guid>
--- a/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
@ -1,6 +1,6 @@
 <html>
    <head>
-        <title>{{ entry.title | raw }}</title>
+        <title>{{ entry.title|e|raw }}</title>
        <style>
            body {
                margin: 10px;
@ -27,7 +27,7 @@
                width: 600px;
            }
        </style>
-        <meta property="og:title" content="{{ entry.title | raw }}" />
+        <meta property="og:title" content="{{ entry.title|e|raw }}" />
        <meta property="og:type" content="article" />
        <meta property="og:url" content="{{ app.request.uri }}" />
        {% set picturePath = app.request.schemeAndHttpHost ~ asset('bundles/wallabagcore/themes/_global/img/logo-other_themes.png') %}
@ -38,13 +38,13 @@
        <meta name="twitter:card" content="summary" />
        <meta name="twitter:image" content="{{ picturePath }}" />
        <meta name="twitter:site" content="@wallabagapp" />
-        <meta name="twitter:title" content="{{ entry.title | raw }}" />
+        <meta name="twitter:title" content="{{ entry.title|e|raw }}" />
        <meta name="twitter:description" content="{{ entry.content|striptags|slice(0, 300)|raw }}&hellip;" />
    </head>
    <body>
        <header>
-            <h1>{{ entry.title | raw }}</h1>
-            <div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
+            <h1>{{ entry.title|e|raw }}</h1>
+            <div><a href="{{ entry.url|e }}" target="_blank" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a></div>
            <div>{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage')})|raw }}</div>
        </header>
        <article>
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_full_image.html.twig
@ -11,8 +11,8 @@

        <div class="card-content">
            <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title| e | raw | striptags }}">
+                    {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
                </a>
            </span>

--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_no_preview.html.twig
@ -2,8 +2,8 @@
    <div class="card-body">
        <div class="card-content">
            <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                    {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
                </a>
            </span>

--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/_card_preview.html.twig
@ -13,8 +13,8 @@
            <i class="grey-text text-darken-4 activator material-icons right">more_vert</i>

            <span class="card-title dot-ellipsis dot-resize-update">
-                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                    {{ entry.title| striptags | truncate(80, true, '…') | raw }}
+                <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                    {{ entry.title | e | striptags | truncate(80, true, '…') | raw }}
                </a>
            </span>

@ -29,8 +29,8 @@
    <div class="card-reveal">
        <i class="card-title activator grey-text text-darken-4 material-icons right">clear</i>
        <span class="card-title">
-            <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | raw | striptags }}">
-                {{ entry.title | raw | striptags | truncate(80, true, '…') }}
+            <a href="{{ path('view', { 'id': entry.id }) }}" title="{{ entry.title | e | raw | striptags }}">
+                {{ entry.title | e | raw | striptags | truncate(80, true, '…') }}
            </a>
        </span>

--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Entry/entry.html.twig
@ -1,6 +1,6 @@
 {% extends "WallabagCoreBundle::layout.html.twig" %}

-{% block title %}{{ entry.title|raw }} ({{ entry.domainName|removeWww }}){% endblock %}
+{% block title %}{{ entry.title|e|raw }} ({{ entry.domainName|removeWww }}){% endblock %}

 {% block body_class %}entry{% endblock %}

@ -209,7 +209,7 @@
 {% block content %}
    <div id="article">
        <header class="mbm">
-            <h1>{{ entry.title|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
+            <h1>{{ entry.title|e|raw }} <a href="{{ path('edit', { 'id': entry.id }) }}" title="{{ 'entry.view.edit_title'|trans }}">✎</a></h1>
        </header>
        <aside>
            <ul class="tools">