fix #118 by escaping smo content #119
Conversation
|
@calfzhou it's work correctly now |
| <meta property="og:description" content="{{article.summary|striptags}}" /> | ||
| <meta property="og:site_name" content="{{ SITENAME|striptags }}" /> | ||
| <meta property="og:description" content="{{article.summary|striptags|e}}" /> | ||
| <meta property="og:site_name" content="{{ SITENAME|striptags|e }}" /> |
There was a problem hiding this comment.
@calfzhou why do we need to escape SITENAME?
The issue is with article summary, when it is auto generated. title is also understandable, user may put quotes and other stuff in it.
But why SITENAME, shouldn't it be the responsibility of user to make sure he escapes the variable properly?
I tried putting stuff like & and double quotes in SITENAME. The |e directive didn't work.
I suggest we escape title and summary everywhere it is used but keep SITENAME out of it.
Let me know what you think.
There was a problem hiding this comment.
I take back my comment. Further testing shows a scenario where escaping SITENAME is useful. I have merged the PR. Thank you for your contribution.
I am making similar change in rest of the code. Not escaping properly was messing up few more subtle things.
fix #118