Commit bc6dea2f authored by Yassine Doghri's avatar Yassine Doghri

fix: remove value escaping for form inputs and textareas

parent 9ea5ca31
+1 −1
@@ -235,7 +235,7 @@ class EpisodeController extends BaseController
        $oembed->addChild('thumbnail_height', (string) config('Images')->podcastCoverSizes['og']['height']);
        $oembed->addChild(
            'html',
            htmlentities(
            htmlspecialchars(
                '<iframe src="' .
                    $this->episode->embed_url .
                    '" width="100%" height="' . config('Embed')->height . '" frameborder="0" scrolling="no"></iframe>',
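Review bot: Swapping htmlentities for htmlspecialchars only changes how non-ASCII characters of the iframe string are encoded for the XML layer; `$this->episode->embed_url` is still concatenated into `src="…"` without attribute-context escaping, so the oEmbed html field, once decoded by a consumer, carries the URL verbatim inside the attribute. If embed_url is always an internally built URL this is moot; otherwise wrap it as `esc($this->episode->embed_url, 'attr')` before the concatenation. The addChild call continues past the end of the hunk.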
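--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -43,3 +43,46 @@ if (! function_exists('form_markdown_textarea')) {
                 . "</textarea>\n";
     }
 }
+
+
+if (! function_exists('parse_form_attributes')) {
+    /**
+     * Parse the form attributes
+     *
+     * Helper function used by some of the form helpers
+     *
+     * @param array<string, string>|string $attributes List of attributes
+     * @param array<string, mixed>        $default    Default values
+     */
+    function parse_form_attributes(array|string $attributes, array $default): string
+    {
+        if (is_array($attributes)) {
+            foreach (array_keys($default) as $key) {
+                if (isset($attributes[$key])) {
+                    $default[$key] = $attributes[$key];
+                    unset($attributes[$key]);
+                }
+            }
+
+            if (! empty($attributes)) {
+                $default = array_merge($default, $attributes);
+            }
+        }
+
+        $att = '';
+
+        foreach ($default as $key => $val) {
+            if (! is_bool($val)) {
+                if ($key === 'name' && ! strlen($default['name'])) {
+                    continue;
+                }
+
+                $att .= $key . '="' . $val . '"' . ($key === array_key_last($default) ? '' : ' ');
+            } else {
+                $att .= $key . ' ';
+            }
+        }
+
+        return $att;
+    }
+}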
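Review bot: parse_form_attributes interpolates every non-boolean value straight into the markup at `$att .= $key . '="' . $val . '"' . …`, so a value containing a double quote terminates the attribute; that matches the commit's intent of leaving escaping to the callers, but the docblock does not state the contract. I would add to the docblock `* Values are NOT escaped here: callers must pass attribute-safe strings (e.g. esc($value, 'attr')).` so the next caller does not assume the helper protects them. A smaller inconsistency: the boolean branch always appends a trailing space while the non-boolean branch suppresses it for the last key via `array_key_last`, so a trailing boolean attribute leaves trailing whitespace in the output.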
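--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -364,22 +364,16 @@ if (! function_exists('get_rss_feed')) {
 
             foreach ($episode->persons as $person) {
                 foreach ($person->roles as $role) {
-                    $personElement = $item->addChild(
-                        'person',
-                        htmlspecialchars($person->full_name),
-                        $podcastNamespace,
-                    );
+                    $personElement = $item->addChild('person', esc($person->full_name), $podcastNamespace,);
 
                     $personElement->addAttribute(
                         'role',
-                        htmlspecialchars(
-                            lang("PersonsTaxonomy.persons.{$role->group}.roles.{$role->role}.label", [], 'en'),
-                        ),
+                        esc(lang("PersonsTaxonomy.persons.{$role->group}.roles.{$role->role}.label", [], 'en'),),
                     );
 
                     $personElement->addAttribute(
                         'group',
-                        htmlspecialchars(lang("PersonsTaxonomy.persons.{$role->group}.label", [], 'en')),
+                        esc(lang("PersonsTaxonomy.persons.{$role->group}.label", [], 'en')),
                     );
 
                     $personElement->addAttribute('img', $person->avatar->medium_url);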
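Review bot: The esc() on the two addAttribute values ('role' and 'group') most likely double-encodes: SimpleXML escapes attribute values itself on serialization, whereas addChild text is inserted as-is, which is why only the 'person' child genuinely needs the escaping. If that holds, a label containing `&` ends up as `&amp;amp;` in the feed; checking the generated RSS for `&amp;amp;` would confirm it, and the 'img' attribute on the last line, which is passed unescaped, shows the inconsistency within the same block. The trailing `,)` on the rewritten one-line calls is legal PHP 8 but reads as a formatter artifact; `esc(lang(...))` without the inner trailing comma is the usual style in this file.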
+11 −11
@@ -30,8 +30,8 @@ if (! function_exists('get_podcast_metatags')) {

        $schema = new Schema(
            new Thing('PodcastSeries', [
                'name' => esc($podcast->title),
                'headline' => esc($podcast->title),
                'name' => $podcast->title,
                'headline' => $podcast->title,
                'url' => current_url(),
                'sameAs' => $podcast->link,
                'identifier' => $podcast->guid,
@@ -39,8 +39,8 @@ if (! function_exists('get_podcast_metatags')) {
                'description' => $podcast->description,
                'webFeed' => $podcast->feed_url,
                'accessMode' => 'auditory',
                'author' => esc($podcast->owner_name),
                'creator' => esc($podcast->owner_name),
                'author' => $podcast->owner_name,
                'creator' => $podcast->owner_name,
                'publisher' => $podcast->publisher,
                'inLanguage' => $podcast->language_code,
                'genre' => $category,
@@ -50,8 +50,8 @@ if (! function_exists('get_podcast_metatags')) {
        $metatags = new MetaTags();

        $metatags
            ->title(esc($podcast->title) . ' (@' . esc($podcast->handle) . ') • ' . lang('Podcast.' . $page))
            ->description(htmlspecialchars($podcast->description))
            ->title($podcast->title . ' (@' . $podcast->handle . ') • ' . lang('Podcast.' . $page))
            ->description(esc($podcast->description))
            ->image((string) $podcast->cover->og_url)
            ->canonical((string) current_url())
            ->og('image:width', (string) config('Images')->podcastCoverSizes['og']['width'])
@@ -80,7 +80,7 @@ if (! function_exists('get_episode_metatags')) {
        $schema = new Schema(
            new Thing('PodcastEpisode', [
                'url' => url_to('episode', esc($episode->podcast->handle), $episode->slug),
                'name' => esc($episode->title),
                'name' => $episode->title,
                'image' => $episode->cover->feed_url,
                'description' => $episode->description,
                'datePublished' => $episode->published_at->format(DATE_ISO8601),
@@ -90,7 +90,7 @@ if (! function_exists('get_episode_metatags')) {
                    'contentUrl' => $episode->audio->file_url,
                ]),
                'partOfSeries' => new Thing('PodcastSeries', [
                    'name' => esc($episode->podcast->title),
                    'name' => $episode->podcast->title,
                    'url' => $episode->podcast->link,
                ]),
            ])
@@ -271,7 +271,7 @@ if (! function_exists('get_home_metatags')) {
    {
        $metatags = new MetaTags();
        $metatags
            ->title(esc(service('settings')->get('App.siteName')))
            ->title(service('settings')->get('App.siteName'))
            ->description(esc(service('settings')->get('App.siteDescription')))
            ->image(service('settings')->get('App.siteIcon')['512'])
            ->canonical((string) current_url())
@@ -287,9 +287,9 @@ if (! function_exists('get_page_metatags')) {
        $metatags = new MetaTags();
        $metatags
            ->title(
                esc($page->title) . service('settings')->get('App.siteTitleSeparator') . esc(service(
                $page->title . service('settings')->get('App.siteTitleSeparator') . service(
                    'settings'
                )->get('App.siteName'))
                )->get('App.siteName')
            )
            ->description(esc(service('settings')->get('App.siteDescription')))
            ->image(service('settings')->get('App.siteIcon')['512'])
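Review bot: Escaping responsibility is now split within the same call chains: `->title(...)` drops esc() in the get_podcast_metatags, get_home_metatags and get_page_metatags hunks while the adjacent `->description(esc(...))` lines keep it, and `url_to('episode', esc($episode->podcast->handle), $episode->slug)` still applies an HTML-context esc() to a URL segment. If MetaTags escapes on output, the description calls now double-encode; if it does not, the titles are emitted raw, so one of the two is wrong either way. Either MetaTags' setters or the callers should own escaping, not both; I would remove esc() from the description calls as well and document on MetaTags that values are escaped at render time (that class is not visible here, so confirm before relying on it). The Schema 'name'/'author'/'creator' values likewise depend on Schema encoding its JSON-LD output, which these hunks cannot show.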
+10 −1
@@ -47,11 +47,20 @@ export class MarkdownPreview extends LitElement {
      return link.replace("<a", "<a target='_blank' rel='noopener noreferrer'");
    };

    return marked(this._textarea.value, {
    return marked(this.escapeHtml(this._textarea.value), {
      renderer: renderer,
    });
  }

  private escapeHtml = (unsafe: string) => {
    return unsafe
      .replaceAll("&", "&amp;")
      .replaceAll("<", "&lt;")
      .replaceAll(">", "&gt;")
      .replaceAll('"', "&quot;")
      .replaceAll("'", "&#039;");
  };

  static styles = css`
    * {
      max-width: 65ch;
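Review bot: Escaping the whole textarea value before marked breaks Markdown syntax that relies on the escaped characters: `> quote` becomes `&gt; quote` (no blockquote), quoted link titles and `<https://…>` autolinks stop parsing, and text inside code spans, which marked escapes itself, is double-encoded (`a & b` previews as `a &amp; b`). If the goal is to neutralize raw HTML in the preview, escape only the raw-HTML tokens through the renderer that is already being customized: `renderer.html = (html: string) => this.escapeHtml(html);` and keep `return marked(this._textarea.value, { renderer: renderer });`. `String.prototype.replaceAll` also requires lib es2021 or newer in tsconfig; `replace(/&/g, "&amp;")` and friends avoid that requirement. The method containing the marked call starts above the hunk.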