| author | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-07-06 12:16:33 +0100 |
|---|---|---|
| committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-07-06 16:25:52 +0100 |
| commit | c9dc13d3c966abc11203bfb18404d8a40e795b3b (patch) | |
| tree | c28d9b67c488bbd91fd2db58c339054455915665 /templates/web/base/header_opengraph.html | |
| parent | a060d03f36275f1fae1c041cca813bddeef6287c (diff) | |
Fix two XSS vulnerabilities.
The title in the OpenGraph header was not being properly escaped, and
the hide pins/all pins links were using single quotes which were able
to be broken out of.
Also remove the single quotes around rss_feed_uri, though this is not
a vulnerability as its contents were sanitised (postcode or co-ords).
Diffstat (limited to 'templates/web/base/header_opengraph.html')
-rw-r--r-- | templates/web/base/header_opengraph.html | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html index f728d083f..6b2c8ff46 100644 --- a/templates/web/base/header_opengraph.html +++ b/templates/web/base/header_opengraph.html @@ -1,5 +1,5 @@ <meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]"> - <meta property="og:title" content="[% title || site_name %]"> + <meta property="og:title" content="[% title || site_name | html %]"> <meta property="og:site_name" content="[% site_name %]"> [% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %] <meta property="og:type" content="website"> |
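Review bot: the `| html` filter on the `og:title` line is applied to the whole `title || site_name` expression (Template Toolkit filters bind to the result of the expression to their left), so both the page title and the fallback are HTML-escaped before landing in the double-quoted `content` attribute, which is what is needed to stop a `"` in the title from closing the attribute. The remaining interpolations in this hunk, `c.cobrand.base_url`, `c.req.uri.path` in `og:url` and `site_name` in `og:site_name`, are still emitted without a filter; if any of them can carry request-derived text, they sit in the same attribute context and should get `| html` as well, and applying the filter uniformly to every `[% ... %]` in this file would make the template easier to review than reasoning per value about whether it is safe. A test that renders this header with a title containing `"` and `<` and asserts on the escaped output would also guard against the filter being dropped again.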