5f85fcd863
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
8 lines
373 B
HTML
8 lines
373 B
HTML
{loop="links"}
|
|
<h3><a href="{$value.url}">{$value.title}</a></h3>
|
|
<small>{if="!$GLOBALS['config']['HIDE_TIMESTAMPS']"}{function="strftime('%c', $value.timestamp)"} - {/if}{if="$value.tags"}{$value.tags}{/if}<br>
|
|
{$value.url}</small><br>
|
|
{if="$value.thumbnail"}{$value.thumbnail}{/if}<br>
|
|
{if="$value.description"}{$value.formatedDescription}{/if}
|
|
<br><br><hr>
|
|
{/loop} |