fix #118 by escaping smo content #119

Merged 1 commit, Apr 30, 2014
10 changes: 5 additions & 5 deletions templates/_includes/smo_metadata.html
@@ -1,9 +1,9 @@
{% macro smo_metadata(article) %}
<meta property="og:title" content="{{ article.title|striptags }} {%if article.subtitle %} - {{ article.subtitle }} {% endif %}"/>
<meta property="og:title" content="{{ article.title|striptags|e }} {%if article.subtitle %} - {{ article.subtitle|striptags|e }} {% endif %}"/>
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ SITEURL }}/{{ article.url }}" />
<meta property="og:description" content="{{article.summary|striptags}}" />
<meta property="og:site_name" content="{{ SITENAME|striptags }}" />
<meta property="og:description" content="{{article.summary|striptags|e}}" />
<meta property="og:site_name" content="{{ SITENAME|striptags|e }}" />
Member

@calfzhou why do we need to escape SITENAME?

The issue is with the article summary, when it is auto-generated. Title is also understandable; the user may put quotes and other stuff in it.

But why SITENAME? Shouldn't it be the responsibility of the user to make sure he escapes the variable properly?

I tried putting stuff like & and double quotes in SITENAME. The |e directive didn't work.

I suggest we escape title and summary everywhere they are used but keep SITENAME out of it.

Let me know what you think.

Member

I take back my comment. Further testing shows a scenario where escaping SITENAME is useful. I have merged the PR. Thank you for your contribution.

I am making a similar change in the rest of the code. Not escaping properly was messing up a few more subtle things.

<meta property="og:article:author" content="{{ article.author }}" />
{% if article.date %}
<meta property="og:article:published_time" content="{{ article.date.isoformat() }}" />
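Review bot: `article.author` on the trailing context line `<meta property="og:article:author" content="{{ article.author }}" />` is still inserted into an attribute value unescaped, while title, subtitle, summary and SITENAME in the same block now get `|e`; an author name containing a double quote or `&` breaks the attribute exactly the way the title did, so apply `|striptags|e` there too, and `|e` to `article.url` in the `og:url` line for the same reason. The ordering `striptags|e` is the right one: `striptags` unescapes HTML entities as part of stripping tags, so escaping has to come after it, not before. One caveat: `|e` is a no-op on a value that is already a `Markup` object (for example after `|safe`, or when the template is rendered with autoescape enabled), which is the usual explanation when the filter appears to have no effect on a variable.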
@@ -16,8 +16,8 @@
{%if TWITTER_USERNAME %}
<meta name="twitter:creator" content="@{{TWITTER_USERNAME}}">
{% endif %}
<meta name="twitter:title" content="{{ article.title|striptags }} {%if article.subtitle %} - {{ article.subtitle }} {% endif %}">
<meta name="twitter:description" content="{{article.summary|striptags}}">
<meta name="twitter:title" content="{{ article.title|striptags|e }} {%if article.subtitle %} - {{ article.subtitle|striptags|e }} {% endif %}">
<meta name="twitter:description" content="{{article.summary|striptags|e}}">
{% if article.featured_image %}
<meta property="og:image" content="{{article.featured_image}}" />
<meta name="twitter:image" content="{{article.featured_image}}" >
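Review bot: the `twitter:title` and `twitter:description` changes mirror the `og:` ones, but the trailing context lines `content="{{article.featured_image}}"` (both `og:image` and `twitter:image`) and `content="@{{TWITTER_USERNAME}}"` remain unescaped; an image URL whose query string contains `&`, or a quote in either value, still yields an invalid attribute, so `|e` belongs on those lines as well for consistency with the rest of the change. Minor style point: the `twitter:*` tags are closed with `>` while the `og:*` tags in the same file use `/>`; both are valid HTML5, but picking one form keeps the template consistent.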