From dff078537e2fb790007bf30cb4a596c83f6b8305 Mon Sep 17 00:00:00 2001 From: Francesco Cozzuto Date: Thu, 18 Sep 2025 09:01:31 +0200 Subject: [PATCH] Add escaping of dynamic content --- TODO | 3 +-- pages/index.wl | 4 ++-- pages/page.wl | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/TODO b/TODO index 26ae52f..55f67fa 100644 --- a/TODO +++ b/TODO @@ -1,5 +1,4 @@ -input validation to avoid XSS and injection only allow signup, login ecc over HTTPS session expiration mark cookies as secure -consider SameSite=Strict \ No newline at end of file +consider SameSite=Stricts \ No newline at end of file diff --git a/pages/index.wl b/pages/index.wl index 073ffdd..8b57624 100644 --- a/pages/index.wl +++ b/pages/index.wl @@ -55,10 +55,10 @@ let main =
- \post.title + \escape(post.title)
- \post.date | \post.num_comments comments + \escape(post.date) | \escape(post.num_comments) comments
} diff --git a/pages/page.wl b/pages/page.wl index ce90bf9..131bc04 100644 --- a/pages/page.wl +++ b/pages/page.wl @@ -3,7 +3,7 @@ procedure page(title, login_user_id, style, main) - CN - \title + CN - \escape(title)