flashii/misuzu
flashii/misuzu
1
1
Fork 0
Code Issues Pull requests Releases 159 Wiki Activity Actions

Ensure content passed to the parse_text filter is escaped.

Browse source
This commit is contained in:
flash 2024-11-07 00:33:42 +00:00
parent bdad34e065
commit 23d47fa6d2
6 changed files with 9 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
templates/changelog/change.twig
View file

@ -60,7 +60,7 @@
<h1>{{ title }}</h1> <h1>{{ title }}</h1>
{% if change_info.hasBody %} {% if change_info.hasBody %}
{{ change_info.body|parse_text(2)|raw }} {{ change_info.body|escape|parse_text(2)|raw }}
{% else %} {% else %}
<p>This change has no additional notes.</p> <p>This change has no additional notes.</p>
{% endif %} {% endif %}

2
templates/home/landing.twig
View file

@ -169,7 +169,7 @@
{% for post in featured_news %} {% for post in featured_news %}
<div class="landingv2-news-post markdown"> <div class="landingv2-news-post markdown">
<h1>{{ post.title }}</h1> <h1>{{ post.title }}</h1>
<p>{{ post.firstParagraph|parse_text(2)|raw }}</p> <p>{{ post.firstParagraph|escape|parse_text(2)|raw }}</p>
<div class="landingv2-news-post-options"> <div class="landingv2-news-post-options">
<a href="{{ url('news-post', {'post': post.id}) }}" class="landingv2-news-post-option">Continue reading</a> <a href="{{ url('news-post', {'post': post.id}) }}" class="landingv2-news-post-option">Continue reading</a>
| <time datetime="{{ post.createdTime|date('c') }}" title="{{ post.createdTime|date('r') }}">{{ post.createdTime|time_format }}</time> | <time datetime="{{ post.createdTime|date('c') }}" title="{{ post.createdTime|date('r') }}">{{ post.createdTime|time_format }}</time>

2
templates/manage/users/note.twig
View file

@ -57,7 +57,7 @@
{% if not note_new and note_info.hasBody %} {% if not note_new and note_info.hasBody %}
<div class="manage__note__body markdown manage__note--viewing"> <div class="manage__note__body markdown manage__note--viewing">
{{ note_info.body|parse_text(2)|raw }} {{ note_info.body|escape|parse_text(2)|raw }}
</div> </div>
{% else %} {% else %}
<div class="manage__note__nobody manage__note--viewing"> <div class="manage__note__nobody manage__note--viewing">

4
templates/manage/users/notes.twig
View file

@ -71,9 +71,9 @@
{% if note.info.hasBody %} {% if note.info.hasBody %}
<div class="manage__notes__item__body markdown"> <div class="manage__notes__item__body markdown">
{% if notes_filtering %} {% if notes_filtering %}
{{ note.info.body|parse_text(2)|raw }} {{ note.info.body|escape|parse_text(2)|raw }}
{% else %} {% else %}
{{ note.info.firstParagraph|parse_text(2)|raw }} {{ note.info.firstParagraph|escape|parse_text(2)|raw }}
{% endif %} {% endif %}
</div> </div>
{% else %} {% else %}

4
templates/news/macros.twig
View file

@ -36,7 +36,7 @@
</div> </div>
<div class="news__preview__content markdown"> <div class="news__preview__content markdown">
<div class="news__preview__text"> <div class="news__preview__text">
{{ post.post.firstParagraph|parse_text(2)|raw }} {{ post.post.firstParagraph|escape|parse_text(2)|raw }}
</div> </div>
<div class="news__preview__links"> <div class="news__preview__links">
<a href="{{ url('news-post', {'post': post.post.id}) }}" class="news__preview__link">Continue reading</a> <a href="{{ url('news-post', {'post': post.post.id}) }}" class="news__preview__link">Continue reading</a>
@ -91,7 +91,7 @@
<div class="news__post__text markdown"> <div class="news__post__text markdown">
<h1>{{ post.title }}</h1> <h1>{{ post.title }}</h1>
{{ post.body|parse_text(2)|raw }} {{ post.body|escape|parse_text(2)|raw }}
</div> </div>
</div> </div>
{% endmacro %} {% endmacro %}

4
templates/profile/index.twig
View file

@ -271,7 +271,7 @@
</div> </div>
{% else %} {% else %}
<div class="profile__about__content{% if profile_is_editing %} profile__about__content--edit{% elseif profile_user.aboutParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}"> <div class="profile__about__content{% if profile_is_editing %} profile__about__content--edit{% elseif profile_user.aboutParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}">
{{ profile_user.aboutContent|parse_text(profile_user.aboutParser)|raw }} {{ profile_user.aboutContent|escape|parse_text(profile_user.aboutParser)|raw }}
</div> </div>
{% endif %} {% endif %}
</div> </div>
@ -288,7 +288,7 @@
</div> </div>
{% else %} {% else %}
<div class="profile__signature__content{% if profile_is_editing %} profile__signature__content--edit{% elseif profile_user.signatureParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}"> <div class="profile__signature__content{% if profile_is_editing %} profile__signature__content--edit{% elseif profile_user.signatureParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}">
{{ profile_user.signatureContent|parse_text(profile_user.signatureParser)|raw }} {{ profile_user.signatureContent|escape|parse_text(profile_user.signatureParser)|raw }}
</div> </div>
{% endif %} {% endif %}
</div> </div>