
Fix Twig autoescape bypass reported on HackerOne

paragonie-security committed Jul 1, 2016
1 parent e322c55 commit 6718a8ca27a78643f274c24bb1fc126facb3db10
@@ -1,4 +1,4 @@
<h2>{{ __("Edit Author \"%s\" Details", "default", author.name) }}</h2>
<h2>{{ __("Edit Author \"%s\" Details", "default", author.name|e('html')) }}</h2>
<form method="post">{{ form_token() }}
<div class="table full-width table-pad-1">
<div class="table-row">
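Review bot: The `|e('html')` added to `author.name` on the new `<h2>` line closes this one call site, but it treats a symptom: the commit title and the shape of every hunk suggest `__()` returns its formatted string marked safe, so each `%s` argument has to be escaped by whoever calls it, and the same per-site patch is repeated in the remaining nine hunks on this page (Users, Comment #, Gadgets, Version, account display name, Motifs twice, Custom Pages, Up to date). A more durable fix would have `__()` (or its sprintf step) escape substituted arguments itself, or at least the templates should document the contract next to the first use, e.g. `{# __() output is not autoescaped: escape every interpolated value with |e('html'), or |e('html_attr') inside attributes #}`. Any `__()` call with a runtime third argument that is not touched by this commit would remain exposed, so a sweep of the templates for such calls is worth doing. That `__()` marks its output safe is inferred from the commit message, not visible in these hunks.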
@@ -1,4 +1,4 @@
<h2>{{ __('Users for Author "%s"', 'default', author.name) }}</h2>
<h2>{{ __('Users for Author "%s"', 'default', author.name|e('html')) }}</h2>
{% if form_error %}
<p class="error">{{ form_error }}</p>
@@ -73,7 +73,7 @@
<div class="table-cell">{{ __("Reply to") }}:</div>
<div class="table-cell">
<a href="{{ cabin_url() }}blog/comments/view/{{ comment.replyto|e('html_attr') }}">{#
#}{{ __("Comment #%s", "default", comment.replyto|number_format) }}</a>
#}{{ __("Comment #%s", "default", comment.replyto|number_format|e('html')) }}</a>
{% if comment.parent.author %}{#
#}by <a href="{{ cabin_url() }}author/edit/{{ comment.parent.author|e('url') }}">{#
#}{{ comment.parent.authorname|e('html_attr') }}{#
@@ -24,7 +24,7 @@
{% for cabin in cabins %}
<li>
<a href="{{ cabin_url() }}gadgets/cabin/{{ cabin|e('url') }}">
{{ __("Gadgets for <b>%s</b>", "default", cabin) }}
{{ __("Gadgets for <b>%s</b>", "default", cabin|e('html')) }}
</a>
</li>
{% endfor %}
@@ -13,7 +13,7 @@
{{ __("Airship") }}:
</div>
<div class="table-cell full-width bottom-extra-pad">
{{ __("Version %s", "default", airship) }}
{{ __("Version %s", "default", airship|e('html')) }}
</div>
</div>
@@ -5,7 +5,7 @@
"<a href=\"" ~ cabin_url() ~ "my/account\" title=\"" ~ __("Change Display Name")|e('html_attr') ~ "\">" ~
"<i class=\"fa fa-pencil-square\"></i>" ~
"</a> ",
("<strong title=\"Public ID: " ~ user_unique_id()|e('html_attr') ~ "\">" ~ user_display_name() ~ "</strong>")|raw
("<strong title=\"Public ID: " ~ user_unique_id()|e('html_attr') ~ "\">" ~ user_display_name()|e('html') ~ "</strong>")|raw
) }}
(<code title="{{ __("This is your public ID.")|e('html_attr') }}" id="my-public-id"><i class="fa fa-street-view"></i>{{ user_unique_id() }}</code>).
</div>
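Review bot: The new `user_display_name()|e('html')` on the `<strong title="Public ID: …">` line is required precisely because the whole concatenated string is piped through `|raw`, which turns off autoescape for every value inside it; nothing in the template states that, so the next value added to this expression is likely to go in unescaped again. A comment on the line above the concatenation would make the constraint explicit, e.g. `{# |raw below: every value concatenated into this string must be escaped by hand #}`. The enclosing `{{ __( … ) }}` expression starts before this hunk and only its closing `) }}` is visible. The last line outputs `{{ user_unique_id() }}` in element content with no explicit filter; that is fine if template autoescape is on, which cannot be confirmed from here.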
@@ -11,7 +11,7 @@
{% for cabin in cabins %}
<li>
<a href="{{ cabin_url() }}motifs/{{ cabin|e('url') }}">
{{ __("Motifs for <b>%s</b>", "default", cabin) }}
{{ __("Motifs for <b>%s</b>", "default", cabin|e('html')) }}
</a>
</li>
{% endfor %}
@@ -1,4 +1,4 @@
<h2 class="bottom-pad">{{ __("Motifs for %s", "default", cabin_name) }}</h2>
<h2 class="bottom-pad">{{ __("Motifs for %s", "default", cabin_name|e('html')) }}</h2>
<form method="post">{{ form_token() }}
<ul id="motifs-for-cabin">
@@ -1,4 +1,4 @@
<h2 class="bottom-pad">{{ __("Custom Pages - %s", "default", cabin) }}</h2>
<h2 class="bottom-pad">{{ __("Custom Pages - %s", "default", cabin|e('html')) }}</h2>
<select title="{{ __("Cabin")|e('html_attr') }}" id="pages_list_cabin">{% spaceless %}
{% for cab in cabins %}
<option
@@ -62,7 +62,7 @@
<i class="fa fa-arrow-up"></i> {{ __("Upgrade") }}
</button>
{% else %} {# Just show the "Up to date" message. #}
<em>{{ __("Up to date (%s)", "default", package['current_version']) }}</em>
<em>{{ __("Up to date (%s)", "default", package['current_version']|e('html')) }}</em>
{% endif %}
</li>
{% else %}{# Install button: #}
