From fa8e77c1302647455939e87b4b6beb05924e546b Mon Sep 17 00:00:00 2001
From: Hanno <hanno@gentoo.org>
Date: Tue, 17 Sep 2019 19:40:34 +0200
Subject: [PATCH] Escape category images to avoid backend XSS

---
 templates/2k11/entries.tpl        | 2 +-
 templates/bootstrap4/entries.tpl  | 2 +-
 templates/bulletproof/entries.tpl | 2 +-
 templates/clean-blog/entries.tpl  | 2 +-
 templates/competition/entries.tpl | 2 +-
 templates/contest/entries.tpl     | 2 +-
 templates/default/entries.tpl     | 2 +-
 templates/skeleton/entries.tpl    | 2 +-
 templates/timeline/entries.tpl    | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/templates/2k11/entries.tpl b/templates/2k11/entries.tpl
index 8c89b56e..592df35e 100644
--- a/templates/2k11/entries.tpl
+++ b/templates/2k11/entries.tpl
@@ -10,7 +10,7 @@
         </header>
 
         <div class="clearfix content serendipity_entry_body">
-        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon}"></a>{/if}{/foreach}{/if}
+        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon|escape}"></a>{/if}{/foreach}{/if}
         {$entry.body}
         {if $entry.has_extended and not $is_single_entry and not $entry.is_extended}
         <a class="read_more block_level" href="{$entry.link}#extended">{$CONST.VIEW_EXTENDED_ENTRY|@sprintf:$entry.title}</a>
diff --git a/templates/bootstrap4/entries.tpl b/templates/bootstrap4/entries.tpl
index 5224f883..97cc85d0 100644
--- a/templates/bootstrap4/entries.tpl
+++ b/templates/bootstrap4/entries.tpl
@@ -13,7 +13,7 @@
         </header>
 
         <div class="post_content clearfix">
-        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon}"></a>{/if}{/foreach}{/if}
+        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon|escape}"></a>{/if}{/foreach}{/if}
         {$entry.body}
         {if $entry.has_extended and not $is_single_entry and not $entry.is_extended}
         <a class="post_more btn btn-outline-primary btn-sm d-inline-block mb-3" href="{$entry.link}#extended">{$CONST.VIEW_EXTENDED_ENTRY|sprintf:$entry.title}</a>
diff --git a/templates/bulletproof/entries.tpl b/templates/bulletproof/entries.tpl
index 5a8a70a7..42c74ddb 100644
--- a/templates/bulletproof/entries.tpl
+++ b/templates/bulletproof/entries.tpl
@@ -126,7 +126,7 @@
                 <span class="serendipity_entryIcon">
                     {foreach from=$entry.categories item="entry_category"}
                         {if $entry_category.category_icon}
-                            <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}" /></a>
+                            <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}" /></a>
                         {/if}
                     {/foreach}
                </span>
diff --git a/templates/clean-blog/entries.tpl b/templates/clean-blog/entries.tpl
index 20d6fa54..99f36689 100644
--- a/templates/clean-blog/entries.tpl
+++ b/templates/clean-blog/entries.tpl
@@ -16,7 +16,7 @@
     {if $template_option.entrybody_detailed_only != true || $entry.is_extended || $is_single_entry || $is_preview}
         <section id="entry">
             <div class="content serendipity_entry_body clearfix">
-                {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}"></a>{/if}{/foreach}{/if}
+                {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}"></a>{/if}{/foreach}{/if}
                 {$entry.body}
                 {if $entry.has_extended and not $is_single_entry and not $entry.is_extended}
                     <a class="read_more" href="{$entry.link}#extended"><button class="btn btn-md btn-default pull-right">{$CONST.READ_MORE} <i class="fa fa-arrow-right" aria-hidden="true"></i></button></a>
diff --git a/templates/competition/entries.tpl b/templates/competition/entries.tpl
index 7e593bae..06ec6a04 100644
--- a/templates/competition/entries.tpl
+++ b/templates/competition/entries.tpl
@@ -20,7 +20,7 @@
             <span class="serendipity_entryIcon">
             {foreach from=$entry.categories item="entry_category"}
                 {if $entry_category.category_icon}
-                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}" /></a>
+                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}" /></a>
                 {/if}
             {/foreach}
             </span>
diff --git a/templates/contest/entries.tpl b/templates/contest/entries.tpl
index de780eee..f316905b 100644
--- a/templates/contest/entries.tpl
+++ b/templates/contest/entries.tpl
@@ -56,7 +56,7 @@
             <span class="serendipity_entryIcon">
             {foreach from=$entry.categories item="entry_category"}
                 {if $entry_category.category_icon}
-                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}" /></a>
+                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}" /></a>
                 {/if}
             {/foreach}
             </span>
diff --git a/templates/default/entries.tpl b/templates/default/entries.tpl
index 7962bb1d..7354a2b4 100644
--- a/templates/default/entries.tpl
+++ b/templates/default/entries.tpl
@@ -19,7 +19,7 @@
             <span class="serendipity_entryIcon">
             {foreach from=$entry.categories item="entry_category"}
                 {if $entry_category.category_icon}
-                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}" /></a>
+                    <a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}" /></a>
                 {/if}
             {/foreach}
             </span>
diff --git a/templates/skeleton/entries.tpl b/templates/skeleton/entries.tpl
index 8001b3c6..dfb62f28 100644
--- a/templates/skeleton/entries.tpl
+++ b/templates/skeleton/entries.tpl
@@ -10,7 +10,7 @@
         </header>
 
         <div class="post_content">
-        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon}"></a>{/if}{/foreach}{/if}
+        {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|escape}{$entry_category.category_description|emptyPrefix}" alt="{$entry_category.category_name|escape}" src="{$entry_category.category_icon|escape}"></a>{/if}{/foreach}{/if}
         {$entry.body}
         {if $entry.has_extended and not $is_single_entry and not $entry.is_extended}
         <a class="button read_more" href="{$entry.link}#extended">{$CONST.VIEW_EXTENDED_ENTRY|sprintf:$entry.title}</a>
diff --git a/templates/timeline/entries.tpl b/templates/timeline/entries.tpl
index dcb2ce06..9b490bfa 100644
--- a/templates/timeline/entries.tpl
+++ b/templates/timeline/entries.tpl
@@ -92,7 +92,7 @@
                     {/if}
                 {/if}
                 <div class="serendipity_entry_body clearfix">            
-                    {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}"></a>{/if}{/foreach}{/if}
+                    {if $entry.categories}{foreach from=$entry.categories item="entry_category"}{if $entry_category.category_icon}<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon|escape}"></a>{/if}{/foreach}{/if}
                     {$entry.body}
                 </div>
                 {if $entry.is_extended}