Explicitely escape user data in translations to avoid XSS

This commit is contained in:
Bat
2018-06-26 17:58:11 +02:00
parent a7b246b726
commit a8b47de28b
5 changed files with 8 additions and 8 deletions
+1 -1
View File
@@ -18,7 +18,7 @@
{% set name = author.username %}
{% endif %}
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}" | _(
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}" | _(
link_1='<a href="/@/',
url=author.fqn,
link_2='/">',