5f85fcd863
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
59 lines
2.8 KiB
HTML
59 lines
2.8 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>{include="includes"}
|
|
<link type="text/css" rel="stylesheet" href="../inc/awesomplete.css" />
|
|
<script src="inc/awesomplete.min.js#"></script>
|
|
</head>
|
|
<body
|
|
{if="$link.title==''"}onload="document.linkform.lf_title.focus();"
|
|
{elseif="$link.description==''"}onload="document.linkform.lf_description.focus();"
|
|
{else}onload="document.linkform.lf_tags.focus();"{/if} >
|
|
<div id="pageheader">
|
|
{if="$source !== 'firefoxsocialapi'"}
|
|
{include="page.header"}
|
|
{/if}
|
|
<div id="editlinkform">
|
|
<form method="post" name="linkform">
|
|
<input type="hidden" name="lf_linkdate" value="{$link.linkdate}">
|
|
<label for="lf_url"><i>URL</i></label><br><input type="text" name="lf_url" id="lf_url" value="{$link.url}" class="lf_input"><br>
|
|
<label for="lf_title"><i>Title</i></label><br><input type="text" name="lf_title" id="lf_title" value="{$link.title}" class="lf_input"><br>
|
|
<label for="lf_description"><i>Description</i></label><br><textarea name="lf_description" id="lf_description" rows="4" cols="25">{$link.description}</textarea><br>
|
|
<label for="lf_tags"><i>Tags</i></label><br>
|
|
<input type="text" id="lf_tags" name="lf_tags" id="lf_tags" value="{$link.tags}" class="lf_input"
|
|
data-list="{loop="$tags"}{$key}, {/loop}" data-multiple autocomplete="off" ><br>
|
|
{if="($link_is_new && $GLOBALS['privateLinkByDefault']==true) || $link.private == true"}
|
|
<input type="checkbox" checked="checked" name="lf_private" id="lf_private">
|
|
<label for="lf_private"><i>Private</i></label><br>
|
|
{else}
|
|
<input type="checkbox" name="lf_private" id="lf_private">
|
|
<label for="lf_private"><i>Private</i></label><br>
|
|
{/if}
|
|
<input type="submit" value="Save" name="save_edit" class="bigbutton">
|
|
<input type="submit" value="Cancel" name="cancel_edit" class="bigbutton">
|
|
{if="!$link_is_new"}<input type="submit" value="Delete" name="delete_link" class="bigbutton delete" onClick="return confirmDeleteLink();">{/if}
|
|
<input type="hidden" name="token" value="{$token}">
|
|
{if="$http_referer"}<input type="hidden" name="returnurl" value="{$http_referer}">{/if}
|
|
</form>
|
|
</div>
|
|
</div>
|
|
{if="$source !== 'firefoxsocialapi'"}
|
|
{include="page.footer"}
|
|
{/if}
|
|
{if="($GLOBALS['config']['OPEN_SHAARLI'] || isLoggedIn())"}
|
|
<script>
|
|
$ = Awesomplete.$;
|
|
new Awesomplete($('input[data-multiple]'), {
|
|
filter: function(text, input) {
|
|
return Awesomplete.FILTER_CONTAINS(text, input.match(/[^ ]*$/)[0]);
|
|
},
|
|
replace: function(text) {
|
|
var before = this.input.value.match(/^.+ \s*|/)[0];
|
|
this.input.value = before + text + " ";
|
|
},
|
|
minChars: 1
|
|
});
|
|
</script>
|
|
{/if}
|
|
</body>
|
|
</html>
|