5f85fcd863
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
16 lines
391 B
HTML
16 lines
391 B
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>{include="includes"}</head>
|
|
<body>
|
|
<div id="pageheader">{include="page.header"}</div>
|
|
<div class="center">
|
|
<div id="cloudtag">
|
|
{loop="tags"}
|
|
<span class="count">{$value.count}</span><a href="?searchtags={$key|urlencode}" style="font-size:{$value.size}pt;">{$key}</a>
|
|
{/loop}
|
|
</div>
|
|
</div>
|
|
{include="page.footer"}
|
|
</body>
|
|
</html>
|