Explicitely escape user data in translations to avoid XSS

This commit is contained in:
Bat 2018-06-26 17:58:11 +02:00
parent a7b246b726
commit a8b47de28b
5 changed files with 8 additions and 8 deletions


@ -60,13 +60,13 @@ msgstr ""
msgid "Let's go!" msgid "Let's go!"
msgstr "" msgstr ""
msgid "Welcome on {{ instance_name }}" msgid "Welcome on {{ instance_name | escape }}"
msgstr "" msgstr ""
msgid "Notifications" msgid "Notifications"
msgstr "" msgstr ""
msgid "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}" msgid "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}"
msgstr "" msgstr ""
msgid "This article is under the {{ license }} license." msgid "This article is under the {{ license }} license."
@ -180,7 +180,7 @@ msgstr ""
msgid "Update account" msgid "Update account"
msgstr "" msgstr ""
msgid "{{ name }}'s followers" msgid "{{ name | escape }}'s followers"
msgstr "" msgstr ""
msgid "Followers" msgid "Followers"
@ -249,7 +249,7 @@ msgstr ""
msgid "You need to be logged in order to edit your profile" msgid "You need to be logged in order to edit your profile"
msgstr "" msgstr ""
msgid "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name }}{{ link_4 }}" msgid "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name | escape }}{{ link_4 }}"
msgstr "" msgstr ""
msgid "{{ data }} reshared your article" msgid "{{ data }} reshared your article"


@ -6,7 +6,7 @@
{% endblock title %} {% endblock title %}
{% block content %} {% block content %}
<h1>{{ "Welcome on {{ instance_name }}" | _(instance_name=instance.name) }}</h1> <h1>{{ "Welcome on {{ instance_name | escape }}" | _(instance_name=instance.name) }}</h1>
<h2>{{ "Latest articles" | _ }}</h2> <h2>{{ "Latest articles" | _ }}</h2>
<div class="cards"> <div class="cards">
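Review bot: The escape now lives inside the msgid, so it only holds if every translator reproduces `{{ instance_name | escape }}` verbatim in their msgstr; a locale whose translation writes `{{ instance_name }}` reintroduces the XSS for that language alone. Escaping the argument at the call site, `_(instance_name=instance.name | escape)`, or unconditionally inside the `_` filter itself, keeps the protection out of translator-controlled text. That the `_` output is rendered without the outer template's autoescaping is inferred from the raw `<a href=` fragments passed as link_1 in the other files of this commit, not from this hunk.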


@ -10,7 +10,7 @@
<p>{{ article.post.content | safe | striptags | truncate(length=200) }}</p> <p>{{ article.post.content | safe | striptags | truncate(length=200) }}</p>
</main> </main>
<p class="author"> <p class="author">
{{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name }}{{ link_4 }}" | _( {{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name | escape }}{{ link_4 }}" | _(
link_1='<a href="/@/', link_1='<a href="/@/',
link_2=article.author.fqn, link_2=article.author.fqn,
link_3='/">', link_3='/">',
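Review bot: `name` is now escaped, but `link_2=article.author.fqn` on the line above is still interpolated raw into the `href="/@/…"` attribute that link_1 and link_3 build around it, so the fix is incomplete for this call if an author's fqn can contain `"` or `>` (presumably it originates from remote federated actors; worth confirming). Escaping it the same way, `link_2=article.author.fqn | escape,`, closes that gap without changing the markup. The `_()` call opened here continues past the end of the hunk.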


@ -18,7 +18,7 @@
{% set name = author.username %} {% set name = author.username %}
{% endif %} {% endif %}
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}" | _( <span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}" | _(
link_1='<a href="/@/', link_1='<a href="/@/',
url=author.fqn, url=author.fqn,
link_2='/">', link_2='/">',
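Review bot: Only `name` received the escape here, while `url=author.fqn` lands unescaped inside the `<a href="/@/` attribute built from link_1 and link_2, so an fqn carrying a quote or angle bracket (if remote actor names can supply one) would still break out of the attribute. Changing the argument to `url=author.fqn | escape,` keeps the two interpolations consistent. Note that `name` is chosen by an `{% if %}` whose opening branch lies before the hunk, and the `_()` call runs past its last line.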


@ -7,7 +7,7 @@
{% set name = user.username %} {% set name = user.username %}
{% endif %} {% endif %}
{{ "{{ name }}'s followers" | _(name=name) }} {{ "{{ name | escape }}'s followers" | _(name=name) }}
{% endblock title %} {% endblock title %}
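Review bot: The `{% block title %}` this line closes starts before the hunk, as does the `{% if %}` that picks `name`, so only the `else` branch assigning `user.username` is visible. Because the `| escape` sits inside the msgid, a msgstr that drops it leaves this title unescaped for that locale; applying it where the value is passed instead, `_(name=name | escape)`, makes the protection independent of the translation text.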
{% block content %} {% block content %}