path: root/templates/web/base/header_opengraph.html
author: Matthew Somerville <matthew-github@dracos.co.uk> 2016-07-06 12:16:33 +0100
committer: Matthew Somerville <matthew-github@dracos.co.uk> 2016-07-06 16:24:18 +0100
commit: e57204c2676664a2d6551a7f2c859d722646b28c (patch)
tree: 4807bb18ff1fdf924e7e8f3d0240e05a701fec50 /templates/web/base/header_opengraph.html
parent: 738b56a6b7d0a8ca93f78406054a7c9edae85fc3 (diff)
Fix two XSS vulnerabilities.
The title in the OpenGraph header was not being properly escaped, and the hide pins/all pins links were using single quotes which were able to be broken out of. Also remove the single quotes around rss_feed_uri, though this is not a vulnerability as its contents were sanitised (postcode or co-ords).
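The two bugs named in the commit message are both attribute-context escaping failures, and they fail in different ways: an unfiltered title can close a double-quoted `content="..."` attribute, while a single-quoted attribute stays breakable even after an HTML filter that does not touch the apostrophe. The script below is an added example, not code from FixMyStreet or from this commit. It renders the `og:title` tag the way the template does, runs a minimal attribute parser over the result, and reports any attribute the template did not intend to emit. `tt_html_filter` is an assumption about Template Toolkit's `html` filter (that it rewrites `&`, `<`, `>` and `"` but leaves `'` alone); the sample titles are constructed.

```python
import html
import re

# Constructed sample inputs (not from the project): titles that try to close
# the content attribute and smuggle in an event-handler attribute.
TITLE_DQ = 'Pothole" onload="alert(1)'   # aimed at content="..."
TITLE_SQ = "Pothole' onload='alert(1)"   # aimed at content='...'

# Minimal attribute scanner: name=value where value is "...", '...' or bare.
ATTR_RE = re.compile(r'''([A-Za-z][\w:-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)''')


def tt_html_filter(s: str) -> str:
    """Model of Template Toolkit's `html` filter (assumption: it escapes
    &, <, > and the double quote only; the apostrophe passes through).
    That gap is why a single-quoted attribute stays exploitable."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def render_og_title(title: str, quote: str = '"', escape=None) -> str:
    """Render the og:title meta tag as the template does.

    escape=None models the pre-fix line ([% title %] with no filter);
    quote selects the attribute delimiter the template author chose.
    """
    value = escape(title) if escape else title
    return f'<meta property="og:title" content={quote}{value}{quote}>'


def injected_attributes(tag: str) -> list:
    """Attribute names the scanner sees beyond the two the template meant
    to emit. A non-empty list means the value broke out of its attribute."""
    names = [m.group(1).lower() for m in ATTR_RE.finditer(tag)]
    return [n for n in names if n not in ("property", "content")]


def run_cases() -> dict:
    """Four combinations of delimiter and filter, keyed by a short label."""
    return {
        "dq_unfiltered": injected_attributes(render_og_title(TITLE_DQ)),
        "dq_tt_html": injected_attributes(
            render_og_title(TITLE_DQ, escape=tt_html_filter)),
        "sq_tt_html": injected_attributes(
            render_og_title(TITLE_SQ, quote="'", escape=tt_html_filter)),
        # Same payload, but the attribute is double-quoted: no break-out.
        "sq_payload_in_dq": injected_attributes(
            render_og_title(TITLE_SQ, quote='"', escape=tt_html_filter)),
        # html.escape(quote=True) also rewrites the apostrophe, so even a
        # single-quoted attribute is safe with a filter that covers it.
        "sq_full_escape": injected_attributes(
            render_og_title(TITLE_SQ, quote="'", escape=html.escape)),
    }


if __name__ == "__main__":
    for label, extra in run_cases().items():
        print(f"{label:18} injected={extra or 'none'}")
```

The two fixes the commit describes map onto the cases: adding `| html` closes the double-quoted case, and moving the link attributes from single to double quotes closes the single-quoted one without needing a filter that escapes `'`.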
Diffstat (limited to 'templates/web/base/header_opengraph.html')
-rw-r--r-- templates/web/base/header_opengraph.html 2
1 file changed, 1 insertion, 1 deletion
diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html
index f728d083f..6b2c8ff46 100644
--- a/templates/web/base/header_opengraph.html
+++ b/templates/web/base/header_opengraph.html
@@ -1,5 +1,5 @@
<meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
- <meta property="og:title" content="[% title || site_name %]">
+ <meta property="og:title" content="[% title || site_name | html %]">
<meta property="og:site_name" content="[% site_name %]">
[% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %]
<meta property="og:type" content="website">
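Review bot: the `| html` filter on the `og:title` line is applied to the trailing expression `title || site_name`; worth confirming that Template Toolkit filters the output of the whole `||` expression rather than `site_name` alone, so the fallback path is escaped as well, otherwise write it as `[% (title || site_name) | html %]`. Within this hunk the `og:url` and `og:site_name` lines still interpolate `c.req.uri.path` and `site_name` without a filter; `site_name` is configuration and a percent-encoded request path cannot carry a raw `"`, but applying `| html` to every value placed inside a `content="..."` attribute removes the need to argue each case. Note also that the filter leaves apostrophes alone, so this fix is only complete because the attribute here is double-quoted, which is consistent with the single-quote removal the commit message describes for the other file.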