| author | mastihios <91783447+mastihios@users.noreply.github.com> | 2021-10-11 20:35:07 +0000 |
|---|---|---|
| committer | Samantaz Fox <coding@samantaz.fr> | 2022-02-03 01:47:18 +0100 |
| commit | cb0f7bf6b0ae8427e7ef96e9eacfcff79c28232d (patch) | |
| tree | 028f7c41a44b70ef4875e5f18873f8ace8f9f47b /src | |
| parent | 0ca333715b06689f3120c136dfeab493f30bf867 (diff) | |
| download | invidious-cb0f7bf6b0ae8427e7ef96e9eacfcff79c28232d.tar.gz invidious-cb0f7bf6b0ae8427e7ef96e9eacfcff79c28232d.tar.bz2 invidious-cb0f7bf6b0ae8427e7ef96e9eacfcff79c28232d.zip | |
Change <input value="..."> encoding to HTML.escape
Diffstat (limited to 'src')
| -rw-r--r-- | src/invidious/views/authorize_token.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/change_password.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/clear_watch_history.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/components/item.ecr | 6 | ||||
| -rw-r--r-- | src/invidious/views/components/subscribe_widget.ecr | 4 | ||||
| -rw-r--r-- | src/invidious/views/create_playlist.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/delete_account.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/delete_playlist.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/edit_playlist.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/login.ecr | 4 | ||||
| -rw-r--r-- | src/invidious/views/subscription_manager.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/template.ecr | 2 | ||||
| -rw-r--r-- | src/invidious/views/token_manager.ecr | 2 |
13 files changed, 17 insertions, 17 deletions
diff --git a/src/invidious/views/authorize_token.ecr b/src/invidious/views/authorize_token.ecr
index 2dc948d9..725f392e 100644
--- a/src/invidious/views/authorize_token.ecr
+++ b/src/invidious/views/authorize_token.ecr
@@ -72,7 +72,7 @@ <input type="hidden" name="expire" value="<%= expire %>"> <% end %>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </form>
 </div>
 <% end %>
diff --git a/src/invidious/views/change_password.ecr b/src/invidious/views/change_password.ecr
index fb558f1d..1b9eb82e 100644
--- a/src/invidious/views/change_password.ecr
+++ b/src/invidious/views/change_password.ecr
@@ -23,7 +23,7 @@ <%= translate(locale, "Change password") %> </button>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </fieldset>
 </form>
 </div>
diff --git a/src/invidious/views/clear_watch_history.ecr b/src/invidious/views/clear_watch_history.ecr
index 5f9d1032..c9acbe44 100644
--- a/src/invidious/views/clear_watch_history.ecr
+++ b/src/invidious/views/clear_watch_history.ecr
@@ -19,6 +19,6 @@ </div> </div>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </form>
 </div>
diff --git a/src/invidious/views/components/item.ecr b/src/invidious/views/components/item.ecr
index 5a93d802..5f8bde13 100644
--- a/src/invidious/views/components/item.ecr
+++ b/src/invidious/views/components/item.ecr
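Review bot: HTML.escape is the right encoder for an attribute value, but replacing URI.encode_www_form here also changes what the browser submits: a token containing characters such as `+`, `/` or `=` previously reached the server in percent-encoded form (the browser's own form encoding is normally undone once on the server side), and now it arrives raw. The code that compares the submitted csrf_token against the stored one is outside this diff, so confirm it expects the raw token and has no compensating decode step left over from the old encoding. `HTML.escape` lives in Crystal's `html` module and these templates compile into the main binary, so also confirm a `require "html"` exists somewhere in the app. The same substitution appears in change_password.ecr and clear_watch_history.ecr on this line and in create_playlist.ecr, delete_account.ecr, delete_playlist.ecr, edit_playlist.ecr and login.ecr further down; this note covers all of them.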
@@ -54,7 +54,7 @@
 <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/>
 <% if plid = env.get?("remove_playlist_items") %>
 <form data-onsubmit="return_false" action="/playlist_ajax?action_remove_video=1&set_video_id=<%= item.index %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <p class="watched">
 <a data-onclick="remove_playlist_item" data-index="<%= item.index %>" data-plid="<%= plid %>" href="javascript:void(0)">
 <button type="submit" style="all:unset">
@@ -106,7 +106,7 @@
 <img loading="lazy" class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/>
 <% if env.get? "show_watched" %>
 <form data-onsubmit="return_false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <p class="watched">
 <a data-onclick="mark_watched" data-id="<%= item.id %>" href="javascript:void(0)">
 <button type="submit" style="all:unset">
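Review bot: The `action` attribute of the same `<form>` still interpolates `item.index`, `plid` and `env.get("current_page")` with neither HTML escaping nor URL encoding, so the escaping the commit adds to `value=` is inconsistent within a single element. `referer=<%= env.get("current_page") %>` is the one to check: where current_page is set is not visible here, and a value derived from the request path belongs in a query string URL-encoded and, once inside an attribute, HTML-escaped — e.g. `referer=<%= HTML.escape(env.get("current_page").to_s) %>` if it is already URL-encoded at the point it is stored, or wrapped in URI.encode_www_form as well if it is not. Strictly, the `&` separators inside the attribute should also be written `&amp;`, though browsers tolerate the bare form. The same `action` pattern recurs in the third item.ecr hunk, both subscribe_widget.ecr hunks, subscription_manager.ecr, the signout form in template.ecr and token_manager.ecr; this note covers all of them.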
@@ -119,7 +119,7 @@
 </form>
 <% elsif plid = env.get? "add_playlist_items" %>
 <form data-onsubmit="return_false" action="/playlist_ajax?action_add_video=1&video_id=<%= item.id %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <p class="watched">
 <a data-onclick="add_playlist_item" data-id="<%= item.id %>" data-plid="<%= plid %>" href="javascript:void(0)">
 <button type="submit" style="all:unset">
diff --git a/src/invidious/views/components/subscribe_widget.ecr b/src/invidious/views/components/subscribe_widget.ecr
index ac2fbf1d..b9d5f783 100644
--- a/src/invidious/views/components/subscribe_widget.ecr
+++ b/src/invidious/views/components/subscribe_widget.ecr
@@ -2,7 +2,7 @@
 <% if subscriptions.includes? ucid %>
 <p>
 <form action="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <button data-type="unsubscribe" id="subscribe" class="pure-button pure-button-primary">
 <b><input style="all:unset" type="submit" value="<%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %>"></b>
 </button>
@@ -11,7 +11,7 @@
 <% else %>
 <p>
 <form action="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <button data-type="subscribe" id="subscribe" class="pure-button pure-button-primary">
 <b><input style="all:unset" type="submit" value="<%= translate(locale, "Subscribe") %> | <%= sub_count_text %>"></b>
 </button>
diff --git a/src/invidious/views/create_playlist.ecr b/src/invidious/views/create_playlist.ecr
index 14f3673e..807244e6 100644
--- a/src/invidious/views/create_playlist.ecr
+++ b/src/invidious/views/create_playlist.ecr
@@ -30,7 +30,7 @@ </button> </div>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </fieldset>
 </form>
 </div>
diff --git a/src/invidious/views/delete_account.ecr b/src/invidious/views/delete_account.ecr
index 9103d5b7..67351bbf 100644
--- a/src/invidious/views/delete_account.ecr
+++ b/src/invidious/views/delete_account.ecr
@@ -19,6 +19,6 @@ </div> </div>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </form>
 </div>
diff --git a/src/invidious/views/delete_playlist.ecr b/src/invidious/views/delete_playlist.ecr
index 480e36f4..cd66b963 100644
--- a/src/invidious/views/delete_playlist.ecr
+++ b/src/invidious/views/delete_playlist.ecr
@@ -19,6 +19,6 @@ </div> </div>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </form>
 </div>
diff --git a/src/invidious/views/edit_playlist.ecr b/src/invidious/views/edit_playlist.ecr
index 308bd677..89819ef0 100644
--- a/src/invidious/views/edit_playlist.ecr
+++ b/src/invidious/views/edit_playlist.ecr
@@ -41,7 +41,7 @@
 <div class="h-box">
 <textarea maxlength="5000" name="description" style="margin-top:10px;max-width:100%;height:20vh" class="pure-input-1"><%= playlist.description %></textarea>
 </div>
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(csrf_token) %>">
 </form> <% if playlist.is_a?(InvidiousPlaylist) && playlist.author == user.try &.email %>
diff --git a/src/invidious/views/login.ecr b/src/invidious/views/login.ecr
index e2963e9f..01d7a210 100644
--- a/src/invidious/views/login.ecr
+++ b/src/invidious/views/login.ecr
@@ -66,7 +66,7 @@
 <% captcha = captcha.not_nil! %>
 <img style="width:50%" src='<%= captcha[:question] %>'/>
 <% captcha[:tokens].each_with_index do |token, i| %>
- <input type="hidden" name="token[<%= i %>]" value="<%= URI.encode_www_form(token) %>">
+ <input type="hidden" name="token[<%= i %>]" value="<%= HTML.escape(token) %>">
 <% end %>
 <input type="hidden" name="captcha_type" value="image">
 <label for="answer"><%= translate(locale, "Time (h:mm:ss):") %></label>
@@ -74,7 +74,7 @@
 <% else # "text" %>
 <% captcha = captcha.not_nil! %>
 <% captcha[:tokens].each_with_index do |token, i| %>
- <input type="hidden" name="token[<%= i %>]" value="<%= URI.encode_www_form(token) %>">
+ <input type="hidden" name="token[<%= i %>]" value="<%= HTML.escape(token) %>">
 <% end %>
 <input type="hidden" name="captcha_type" value="text">
 <label for="answer"><%= captcha[:question] %></label>
diff --git a/src/invidious/views/subscription_manager.ecr b/src/invidious/views/subscription_manager.ecr
index 5fa7d203..c2a89ca2 100644
--- a/src/invidious/views/subscription_manager.ecr
+++ b/src/invidious/views/subscription_manager.ecr
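Review bot: In the edit_playlist.ecr hunk the escaping stops at the csrf_token line while the neighbouring `<%= playlist.description %>` inside the `<textarea>` is still emitted raw; since this form exists to let the user edit that very field, the description looks user-supplied, and unless something upstream (not visible here) already sanitises it, text containing a closing textarea tag would end the element early. Applying the same treatment keeps the template consistent: `<textarea maxlength="5000" name="description" style="margin-top:10px;max-width:100%;height:20vh" class="pure-input-1"><%= HTML.escape(playlist.description) %></textarea>`. In the two login.ecr hunks the captcha tokens are now escaped but `<%= captcha[:question] %>` in the `src='...'` attribute and in the `<label>` is not; that value is presumably server-generated, so this is a consistency point rather than a defect, but `HTML.escape` there costs nothing. The enclosing `<% if %>` blocks in both files start and end outside the hunks.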
@@ -38,7 +38,7 @@
 <div class="pure-u-1-5" style="text-align:right">
 <h3 style="padding-right:0.5em">
 <form data-onsubmit="return_false" action="/subscription_ajax?action_remove_subscriptions=1&c=<%= channel.id %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <a data-onclick="remove_subscription" data-ucid="<%= channel.id %>" href="#">
 <input style="all:unset" type="submit" value="<%= translate(locale, "unsubscribe") %>">
 </a>
diff --git a/src/invidious/views/template.ecr b/src/invidious/views/template.ecr
index 240b523a..92df1272 100644
--- a/src/invidious/views/template.ecr
+++ b/src/invidious/views/template.ecr
@@ -72,7 +72,7 @@
 <% end %>
 <div class="pure-u-1-4">
 <form action="/signout?referer=<%= env.get?("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <a class="pure-menu-heading" href="#">
 <input style="all:unset" type="submit" value="<%= translate(locale, "Log out") %>">
 </a>
diff --git a/src/invidious/views/token_manager.ecr b/src/invidious/views/token_manager.ecr
index 12e0e8c9..79f905a1 100644
--- a/src/invidious/views/token_manager.ecr
+++ b/src/invidious/views/token_manager.ecr
@@ -30,7 +30,7 @@
 <div class="pure-u-1-5" style="text-align:right">
 <h3 style="padding-right:0.5em">
 <form data-onsubmit="return_false" action="/token_ajax?action_revoke_token=1&session=<%= token[:session] %>&referer=<%= env.get("current_page") %>" method="post">
- <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
+ <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
 <a data-onclick="revoke_token" data-session="<%= token[:session] %>" href="#">
 <input style="all:unset" type="submit" value="<%= translate(locale, "revoke") %>">
 </a> |
