You've already forked wp-bootstrap
security: add |esc_url to all template URLs, register escape Twig filters (v1.1.3)
5th OWASP Top-10 pass: added |esc_url filter to all unescaped URL outputs across 8 Twig template partials (headers, footers, search, comments). Registered esc_html, esc_attr, esc_url as Twig filters with is_safe option. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,7 @@
|
||||
<header class="position-absolute w-100" style="z-index: 1030;">
|
||||
<nav class="navbar navbar-expand-lg navbar-dark" aria-label="{{ __('Primary navigation') }}">
|
||||
<div class="container">
|
||||
<a class="navbar-brand fw-bold" href="{{ site.url }}">
|
||||
<a class="navbar-brand fw-bold" href="{{ site.url|esc_url }}">
|
||||
{{ site.name }}
|
||||
</a>
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
{% if item.children|length > 0 %}
|
||||
<li class="nav-item dropdown">
|
||||
<a class="nav-link dropdown-toggle{{ item.active ? ' active' : '' }}"
|
||||
href="{{ item.url }}" role="button"
|
||||
href="{{ item.url|esc_url }}" role="button"
|
||||
data-bs-toggle="dropdown" aria-expanded="false">
|
||||
{{ item.title }}
|
||||
</a>
|
||||
@@ -26,7 +26,7 @@
|
||||
{% for child in item.children %}
|
||||
<li>
|
||||
<a class="dropdown-item{{ child.active ? ' active' : '' }}"
|
||||
href="{{ child.url }}"
|
||||
href="{{ child.url|esc_url }}"
|
||||
{% if child.active %}aria-current="page"{% endif %}
|
||||
{% if child.target %}target="{{ child.target }}"{% endif %}>
|
||||
{{ child.title }}
|
||||
@@ -38,7 +38,7 @@
|
||||
{% else %}
|
||||
<li class="nav-item">
|
||||
<a class="nav-link{{ item.active ? ' active' : '' }}"
|
||||
href="{{ item.url }}"
|
||||
href="{{ item.url|esc_url }}"
|
||||
{% if item.active %}aria-current="page"{% endif %}
|
||||
{% if item.target %}target="{{ item.target }}"{% endif %}>
|
||||
{{ item.title }}
|
||||
|
||||
Reference in New Issue
Block a user