From 558959d4d7dcceff000fd5861f2f46451ebbd8a9 Mon Sep 17 00:00:00 2001
From: "David T. Sadler" <davidtsadler@googlemail.com>
Date: Mon, 1 Nov 2021 21:24:31 +0000
Subject: Ensure html is escaped

---
 src/templates/confirm_deletion.php | 2 +-
 src/templates/form_fields.php      | 6 +++---
 src/templates/index.php            | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/templates/confirm_deletion.php b/src/templates/confirm_deletion.php
index 0a800e5..06e133f 100644
--- a/src/templates/confirm_deletion.php
+++ b/src/templates/confirm_deletion.php
@@ -9,7 +9,7 @@
         <a href="/">Back</a>
         <form action="/delete" method="POST">
             <input type="hidden" name="id" value="<?php echo $bookmark->id; ?>"/>
-            <?php echo $bookmark->url.' '.$bookmark->title.' '.$bookmark->tag; ?>
+            <?php echo htmlentities($bookmark->url.' '.$bookmark->title.' '.$bookmark->tag); ?>
             <button type="submit">Delete</button>
         </form>
     </body>
diff --git a/src/templates/form_fields.php b/src/templates/form_fields.php
index cfacfda..3f54040 100644
--- a/src/templates/form_fields.php
+++ b/src/templates/form_fields.php
@@ -1,12 +1,12 @@
-<input type="text" name="url" maxlength="512" value="<?php echo $old->get('url', $bookmark->url); ?>" autofocus><br>
+<input type="text" name="url" maxlength="512" value="<?php echo htmlspecialchars($old->get('url', $bookmark->url)); ?>" autofocus><br>
 <?php if ($errors->has('url')) { ?>
     <p><?php echo implode(', ', $errors->get('url')); ?></p>
 <?php } ?>
-<input type="text" name="title" maxlength="256" value="<?php echo $old->get('title', $bookmark->title); ?>"><br>
+<input type="text" name="title" maxlength="256" value="<?php echo htmlspecialchars($old->get('title', $bookmark->title)); ?>"><br>
 <?php if ($errors->has('title')) { ?>
     <p><?php echo implode(', ', $errors->get('title')); ?></p>
 <?php } ?>
-<input type="text" name="tag" maxlength="8" value="<?php echo $old->get('tag', $bookmark->tag); ?>"><br>
+<input type="text" name="tag" maxlength="8" value="<?php echo htmlspecialchars($old->get('tag', $bookmark->tag)); ?>"><br>
 <?php if ($errors->has('tag')) { ?>
     <p><?php echo implode(', ', $errors->get('tag')); ?></p>
 <?php } ?>
diff --git a/src/templates/index.php b/src/templates/index.php
index d246605..4f76614 100644
--- a/src/templates/index.php
+++ b/src/templates/index.php
@@ -12,7 +12,7 @@
         <a href="/create">Add</a>
         <ul>
             <?php foreach ($bookmarks as $bookmark) { ?>
-                <li><a href="<?php echo $bookmark->url; ?>"><?php echo $bookmark->title != '' ? $bookmark->title : $bookmark->url; ?></a> <a href="/edit?id=<?php echo $bookmark->id; ?>">Edit</a> | <a href="/delete/confirm?id=<?php echo $bookmark->id; ?>">Delete</a></li>
+                <li><a href="<?php echo htmlentities($bookmark->url); ?>"><?php echo $bookmark->title != '' ? htmlentities($bookmark->title) : htmlentities($bookmark->url); ?></a> <a href="/edit?id=<?php echo $bookmark->id; ?>">Edit</a> | <a href="/delete/confirm?id=<?php echo $bookmark->id; ?>">Delete</a></li>
             <?php } ?>
         </ul>
     </body>
-- 
cgit v1.2.3-13-gbd6f