5f85fcd863
I reviewed character escaping everywhere with the following ideas:

* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates. It means no escaping function in Twig templates. 2 reasons:
  * it reduces risks of security issues for future user-made templates
  * more readable templates
* sanitize user configuration fields after loading them.
28 lines
1 KiB
HTML
<!DOCTYPE html>
<html>
<head>{include="includes"}</head>
<body{if="ban_canLogin()"} onload="document.loginform.login.focus();"{/if}>
<div id="pageheader">
{include="page.header"}

<div id="headerform">
{if="!ban_canLogin()"}
You have been banned from login after too many failed attempts. Try later.
{else}
<form method="post" name="loginform">
<label for="login">Login: <input type="text" id="login" name="login" tabindex="1"></label>
<label for="password">Password: <input type="password" id="password" name="password" tabindex="2"></label>
<input type="submit" value="Login" class="bigbutton" tabindex="4">
<label for="longlastingsession">
<input type="checkbox" name="longlastingsession" id="longlastingsession" tabindex="3">
Stay signed in (Do not check on public computers)</label>
<input type="hidden" name="token" value="{$token}">
{if="$returnurl"}<input type="hidden" name="returnurl" value="{$returnurl}">{/if}
</form>
{/if}
</div>
</div>

{include="page.footer"}
</body>
</html>
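The escaping approach the commit message describes, as an added example that is not Shaarli's own code: one `escape` helper built on `htmlspecialchars`, applied in `index.php` before values such as `$token` and `$returnurl` reach a template like the login form above, so the template prints them inside `value="..."` with no filter of its own. The `RainTPL` class name and the `assign` call are assumptions about the templating engine; the input values are constructed.

```php
<?php
// Added example, not code from the commit or the project.

/**
 * Single common escaping function for user data.
 * ENT_QUOTES converts both ' and " to entities, which matters because the
 * login template prints these values inside double-quoted attributes:
 * an unescaped " would end the attribute early.
 */
function escape($str)
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Sanitize every field of a configuration array after loading it,
 * recursing into nested arrays (the last idea in the commit message).
 */
function sanitize_config(array $config)
{
    foreach ($config as $key => $value) {
        $config[$key] = is_array($value) ? sanitize_config($value) : escape($value);
    }
    return $config;
}

// Constructed sample inputs standing in for what index.php would read
// from the request, the datastore or the configuration file.
$token     = 'abc123';
$returnurl = '?searchterm=a"b&c';        // contains characters that need escaping
$config    = ['title' => 'My <links>', 'footer' => ['note' => 'Tom & Jerry']];

// Escape once, here, before assigning to the template.
$tpl = new RainTPL();                     // assumption: the templating engine class
$tpl->assign('token',     escape($token));
$tpl->assign('returnurl', escape($returnurl));
$tpl->assign('config',    sanitize_config($config));
// escape($returnurl) gives ?searchterm=a&quot;b&amp;c, which the template
// can print as value="{$returnurl}" without breaking out of the attribute.
```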