Explicitely escape user data in translations to avoid XSS

This commit is contained in:
Bat
2018-06-26 17:58:11 +02:00
parent a7b246b726
commit a8b47de28b
5 changed files with 8 additions and 8 deletions
+1 -1
View File
@@ -6,7 +6,7 @@
{% endblock title %}
{% block content %}
<h1>{{ "Welcome on {{ instance_name }}" | _(instance_name=instance.name) }}</h1>
<h1>{{ "Welcome on {{ instance_name | escape }}" | _(instance_name=instance.name) }}</h1>
<h2>{{ "Latest articles" | _ }}</h2>
<div class="cards">
+1 -1
View File
@@ -10,7 +10,7 @@
<p>{{ article.post.content | safe | striptags | truncate(length=200) }}</p>
</main>
<p class="author">
{{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name }}{{ link_4 }}" | _(
{{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name | escape }}{{ link_4 }}" | _(
link_1='<a href="/@/',
link_2=article.author.fqn,
link_3='/">',
+1 -1
View File
@@ -18,7 +18,7 @@
{% set name = author.username %}
{% endif %}
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}" | _(
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}" | _(
link_1='<a href="/@/',
url=author.fqn,
link_2='/">',
+1 -1
View File
@@ -7,7 +7,7 @@
{% set name = user.username %}
{% endif %}
{{ "{{ name }}'s followers" | _(name=name) }}
{{ "{{ name | escape }}'s followers" | _(name=name) }}
{% endblock title %}
{% block content %}