correctly escape titles subtitles and excerpts in all contexts; fixes #856

2021-10-10 06:20:54 +00:00 · 2021-10-10 06:20:54 +00:00 · 505305ebe7
commit 505305ebe7
parent 24e182b90e
10 changed files with 23 additions and 22 deletions
--- a/_layouts/home.html
+++ b/_layouts/home.html
@ -35,11 +35,11 @@ layout: page
    {% endif %}

    <a href="{{ post.url | absolute_url }}">
-      <h2 class="post-title">{{ post.title }}</h2>
+      <h2 class="post-title">{{ post.title | strip_html }}</h2>

      {% if post.subtitle %}
        <h3 class="post-subtitle">
-        {{ post.subtitle }}
+        {{ post.subtitle | strip_html }}
        </h3>
      {% endif %}
    </a>
@ -68,7 +68,7 @@ layout: page

    <div class="post-entry">
      {% assign excerpt_length = site.excerpt_length | default: 50 %}
-      {{ post.excerpt | strip_html | xml_escape | truncatewords: excerpt_length }}
+      {{ post.excerpt | strip_html | truncatewords: excerpt_length }}
      {% assign excerpt_word_count = post.excerpt | number_of_words %}
      {% if post.content != post.excerpt or excerpt_word_count > excerpt_length %}
        <a href="{{ post.url | absolute_url }}" class="post-read-more">[Read&nbsp;More]</a>
--- a/_layouts/post.html
+++ b/_layouts/post.html
@ -67,12 +67,12 @@ layout: base
      <ul class="pagination blog-pager">
        {% if page.previous.url %}
        <li class="page-item previous">
-          <a class="page-link" href="{{ page.previous.url | relative_url }}" data-toggle="tooltip" data-placement="top" title="{{page.previous.title}}">&larr; Previous Post</a>
+          <a class="page-link" href="{{ page.previous.url | relative_url }}" data-toggle="tooltip" data-placement="top" title="{{page.previous.title | strip_html | xml_escape}}">&larr; Previous Post</a>
        </li>
        {% endif %}
        {% if page.next.url %}
        <li class="page-item next">
-          <a class="page-link" href="{{ page.next.url | relative_url }}" data-toggle="tooltip" data-placement="top" title="{{page.next.title}}">Next Post &rarr;</a>
+          <a class="page-link" href="{{ page.next.url | relative_url }}" data-toggle="tooltip" data-placement="top" title="{{page.next.title | strip_html | xml_escape}}">Next Post &rarr;</a>
        </li>
        {% endif %}
      </ul>