I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
It only concerns the date of the day in the main title.
Fixes#182
Note that daily RSS feed is not generated through templates. Date are still hard formatted in that case.
* fix duplicate IDs - #paging_older, #paging_newer become classes as the paging is displayed twice (top, bottom) in the linklist
* fix duplicate IDs - #paging_privatelinks and #paging_linksperpage become classes
* daily links are now valid (use &)
* name attribute is not used anymore on a tag in link list
* center tag is replaced by CSS in picwall and tag cloud
* action in form tag can't be empty, use # instead
* fixed configure table with CSS instead of cellpadding, border, and valign
* export links are now valid
* remove "size" in input tag
* Fix missing alt attributes for img elements
* tpl/daily: Use HTML entities instead of char escape codes
* tpl/export: fix missing </span> closing tag
* Remove obsolete language attribute on <script> elements
Fixesshaarli/Shaarli#29
Style elements refactored as follows:
- use existing ids and classes if possible,
- else, define new ones and stick with the existing naming convention,
- remove hardcoded style attributes from RainTPL templates.
Exception:
In tpl/tagcloud.html, the display size of each tag is computed at page
generation.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
