5f85fcd863
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
21 lines
974 B
HTML
21 lines
974 B
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>{include="includes"}</head>
|
|
<body onload="document.uploadform.filetoupload.focus();">
|
|
<div id="pageheader">
|
|
{include="page.header"}
|
|
<div id="uploaddiv">
|
|
Import Netscape HTML bookmarks (as exported from Firefox/Chrome/Opera/Delicious/Diigo...) (Max: {$maxfilesize} bytes).
|
|
<form method="POST" action="?do=upload" enctype="multipart/form-data" name="uploadform" id="uploadform">
|
|
<input type="hidden" name="token" value="{$token}">
|
|
<input type="file" name="filetoupload">
|
|
<input type="hidden" name="MAX_FILE_SIZE" value="{$maxfilesize}">
|
|
<input type="submit" name="import_file" value="Import" class="bigbutton"><br>
|
|
<input type="checkbox" name="private" id="private"><label for="private"> Import all links as private</label><br>
|
|
<input type="checkbox" name="overwrite" id="overwrite"><label for="overwrite"> Overwrite existing links</label>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
{include="page.footer"}
|
|
</body>
|
|
</html> |