diff options
| author | Bernhard Posselt <nukeawhale@gmail.com> | 2013-05-04 01:47:37 +0200 |
|---|---|---|
| committer | Bernhard Posselt <nukeawhale@gmail.com> | 2013-05-04 01:48:25 +0200 |
| commit | 1d0252309281992bfa8f9a71c4d5d509a1eda59c (patch) | |
| tree | 06eb5b787912d7b9d58c1386318c715cf711cfaa /templates | |
| parent | de6aa8aa0f4c129e0d4a3266a4f3dc79bc1c2b93 (diff) | |
fix link xss vulnerabilities
Diffstat (limited to 'templates')
| -rw-r--r-- | templates/part.items.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/templates/part.items.php b/templates/part.items.php index 9cc7bd623..f27259d8a 100644 --- a/templates/part.items.php +++ b/templates/part.items.php @@ -21,7 +21,7 @@ <h1 class="item_title"> <a ng-click="itemBusinessLayer.setRead(item.id)" - target="_blank" href="{{ item.url }}"> + target="_blank" ng-href="{{ item.url|ocSanitizeURL }}"> {{ item.title|ocRemoveTags:['em', 'b', 'i'] }} </a> </h1> @@ -29,7 +29,7 @@ <h2 class="item_author"> <span ng-show="itemBusinessLayer.noFeedActive() && feedBusinessLayer.getFeedLink(item.feedId)"> <?php p($l->t('from')) ?> - <a target="_blank" href="{{ feedBusinessLayer.getFeedLink(item.feedId) }}" + <a target="_blank" ng-href="{{ feedBusinessLayer.getFeedLink(item.feedId)|ocSanitizeURL }}" class="from_feed">{{ itemBusinessLayer.getFeedTitle(item.id) }}</a> </span> <span ui-if="item.author"> |