author | Bernhard Posselt <nukeawhale@gmail.com> | 2012-09-06 03:48:10 +0200 |
---|---|---|
committer | Bernhard Posselt <nukeawhale@gmail.com> | 2012-09-06 03:48:18 +0200 |
commit | f702e689c13f0d7b3d23b773ab95cea13e3f3c18 (patch) | |
tree | a2dc80eb16a22ed080612e15d77c36036b2620a2 /templates | |
parent | 24d4d4b6bd3bb821b85bac3d74ea4d1deec59ad8 (diff) |
removed xss vulnerabilities in template code
Diffstat (limited to 'templates')
-rw-r--r-- | templates/part.items.php | 4 | ||||
-rw-r--r-- | templates/part.listfeed.php | 4 | ||||
-rw-r--r-- | templates/part.listfolder.php | 6 |
3 files changed, 5 insertions, 9 deletions
diff --git a/templates/part.items.php b/templates/part.items.php
index 185fc099b..6d6369ab7 100644
--- a/templates/part.items.php
+++ b/templates/part.items.php
@@ -49,10 +49,10 @@ foreach($items as $item) {
 echo '</ul>';
 echo '</div>';
- echo '<h1 class="item_title"><a target="_blank" href="' . $item->getUrl() . '">' . $item->getTitle() . '</a></h1>';
+ echo '<h1 class="item_title"><a target="_blank" href="' . $item->getUrl() . '">' . htmlspecialchars($item->getTitle(), ENT_QUOTES, 'UTF-8') . '</a></h1>';
 if(($item->getAuthor() !== null) && (trim($item->getAuthor()) != '')){
- echo '<h2 class="item_author">'. $l->t('by') . ' ' . $item->getAuthor() . '</h2>';
+ echo '<h2 class="item_author">'. $l->t('by') . ' ' . htmlspecialchars($item->getAuthor(), ENT_QUOTES, 'UTF-8') . '</h2>';
 }
 echo '<div class="body">' . $item->getBody() . '</div>';
diff --git a/templates/part.listfeed.php b/templates/part.listfeed.php
index 04d67a881..cfa49b82d 100644
--- a/templates/part.listfeed.php
+++ b/templates/part.listfeed.php
@@ -9,7 +9,7 @@ if(isset($_['mock'])){
 $favicon = OCP\Util::imagePath('core', 'actions/public.svg');
 } else {
 $feed = isset($_['feed']) ? $_['feed'] : null;
- $feedTitle = htmlspecialchars_decode($feed->getTitle());
+ $feedTitle = $feed->getTitle();
 $feedId = $feed->getId();
 $unreadItemsCount = isset($_['unreadItemsCount']) ? $_['unreadItemsCount'] : null;
 $favicon = $feed->getFavicon();
@@ -19,7 +19,7 @@ if(isset($_['mock'])){
 }
 echo '<li class="feed" data-id="' . $feedId . '">';
- echo '<a style="background-image: url(' . $favicon . ');" href="#" class="title">' . $feedTitle .'</a>';
+ echo '<a style="background-image: url(' . $favicon . ');" href="#" class="title">' . htmlspecialchars($feedTitle, ENT_QUOTES, 'UTF-8') .'</a>';
 echo '<span class="unread_items_counter">' . $unreadItemsCount . '</span>';
 echo '<span class="buttons">';
 echo '<button class="svg action feeds_delete" title="' . $l->t('Delete feed') . '"></button>';
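Review bot: The new `<h1>` line still concatenates `$item->getUrl()` into the href attribute unescaped, so a feed-supplied URL containing `"` can break out of the attribute and the title fix on the same line does not close the hole on its own; apply the same call there, `href="' . htmlspecialchars($item->getUrl(), ENT_QUOTES, 'UTF-8') . '"`, and consider checking the scheme is http or https, since a `javascript:` URL is not affected by entity encoding. The same gap is in part.listfeed.php's second hunk, where `$favicon` (set from `$feed->getFavicon()` in the first hunk) is emitted raw inside `style="background-image: url(...)"`; wrap it with `htmlspecialchars($favicon, ENT_QUOTES, 'UTF-8')` and validate it as an http(s) URL, because a `)` in it can still end the `url()` token inside the CSS context even after entity encoding. The hunk's last context line, `echo '<div class="body">' . $item->getBody() . '</div>';`, emits feed HTML verbatim; htmlspecialchars is not the right tool for markup, so that line should only stay as-is if getBody() is already run through an HTML sanitizer elsewhere, which is not visible here. The enclosing foreach starts outside the hunk.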
diff --git a/templates/part.listfolder.php b/templates/part.listfolder.php
index 2a1cb6aed..6e8ea6350 100644
--- a/templates/part.listfolder.php
+++ b/templates/part.listfolder.php
@@ -13,14 +13,10 @@ if(isset($_['mock'])){
 echo '<li class="folder open all_read" data-id="' . $folderId . '">';
 echo '<button class="collapsable_trigger" title="' . $l->t('Collapse') . '"></button>';
- echo '<a href="#" class="title">' . $folderName . '</a>';
+ echo '<a href="#" class="title">' . htmlspecialchars($folderName, ENT_QUOTES, 'UTF-8') . '</a>';
 echo '<span class="buttons">';
 echo '<button class="svg action feeds_delete" title="' . $l->t('Delete folder') . '"></button>';
 echo '<button class="svg action feeds_edit" title="' . $l->t('Rename folder') . '"></button>';
 echo '<button class="svg action feeds_markread" title="' . $l->t('Mark all read') . '"></button>';
 echo '</span>';
 echo '<ul data-id="' . $folderId . '">';
-
-if(isset($_['mock'])){
- echo '</ul>';
-}
\ No newline at end of file |
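Review bot: The `data-id="' . $folderId . '"` attribute on the hunk's first context line and on the `<ul>` line is still emitted unescaped while `$folderName` now is; if the id is an integer from the database this is harmless, but if it can arrive as a string (for example via the `$_['mock']` branch, which is set up outside the hunk) it should get the same `htmlspecialchars($folderId, ENT_QUOTES, 'UTF-8')` treatment. Separately, the removed tail drops the `</ul>` that the mock branch used to emit, which is a behaviour change unrelated to the escaping fix; if the including template now closes the list, a one-line comment after the `<ul>` echo, `// the matching </ul> is emitted by the including template`, would stop it being re-added, and if not, the mock output is now left unbalanced. The if/else that selects the mock branch begins outside the hunk.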