From 876d0acb6b8ef23eb304a803c3cef0fc403ff08b Mon Sep 17 00:00:00 2001
From: Flavio Copes <copesc@gmail.com>
Date: Sun, 17 Jan 2016 20:52:05 +0100
Subject: [PATCH] Escape page titles

---
 themes/grav/templates/forms/fields/order/order.html.twig | 2 +-
 themes/grav/templates/pages.html.twig                    | 2 +-
 themes/grav/templates/partials/dashboard-pages.html.twig | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/themes/grav/templates/forms/fields/order/order.html.twig b/themes/grav/templates/forms/fields/order/order.html.twig
index 7675912e..aad5b139 100644
--- a/themes/grav/templates/forms/fields/order/order.html.twig
+++ b/themes/grav/templates/forms/fields/order/order.html.twig
@@ -25,7 +25,7 @@
             {% if siblings|length < 200 %}
 				<ul id="ordering" class="{{ field.classes }}">
 			    {% for page in siblings %}
-					<li class="{% if page.order  == value %}drag-handle{% else %}ignore{% endif %}" data-id="{{ page.slug }}">{{ page.title() }}</li>
+					<li class="{% if page.order  == value %}drag-handle{% else %}ignore{% endif %}" data-id="{{ page.slug }}">{{ page.title|e }}</li>
                 {% endfor %}
 				</ul>
 			{% else %}
diff --git a/themes/grav/templates/pages.html.twig b/themes/grav/templates/pages.html.twig
index c803f94e..f508dd59 100644
--- a/themes/grav/templates/pages.html.twig
+++ b/themes/grav/templates/pages.html.twig
@@ -89,7 +89,7 @@
                 <span {{ p.children(0).count > 0 ? 'data-toggle="children"' : ''}} data-hint="{{ description|trim(' &bull; ') }}" class="hint--bottom">
                 <i class="page-icon fa fa-fw fa-circle-o {{ p.children(0).count > 0 ? 'children-closed' : ''}} {{ p.modular ? 'modular' : (not p.routable ? 'not-routable' : (not p.visible ? 'not-visible' : (not p.page ? 'folder' :  ''))) }}"></i>
                 </span>
-                <a href="{{ page_url }}" class="page-edit">{{ p.title }}</a>
+                <a href="{{ page_url }}" class="page-edit">{{ p.title|e }}</a>
 
                 {% if p.language %}
                     <span class="badge lang {% if p.language == admin_lang %}info{% endif %}">{{p.language}}</span>
diff --git a/themes/grav/templates/partials/dashboard-pages.html.twig b/themes/grav/templates/partials/dashboard-pages.html.twig
index 89cd08fe..8838fd8f 100644
--- a/themes/grav/templates/partials/dashboard-pages.html.twig
+++ b/themes/grav/templates/partials/dashboard-pages.html.twig
@@ -6,7 +6,11 @@
         <h1>{{ "PLUGIN_ADMIN.LATEST_PAGE_UPDATES"|tu }}</h1>
         <table>
         {% for latest in admin.latestPages if admin.latestPages %}
-            <tr><td class="double page-title"><a href="{{ base_url }}/pages/{{ latest.route|trim('/') }}"><i class="fa fa-fw fa-file-o"></i> {{ latest.title }}</a></td><td class="double page-route">{{ latest.route }}</td><td><b class="last-modified">{{ latest.modified|nicetime }}</b></td></tr>
+            <tr>
+                <td class="double page-title">
+                    <a href="{{ base_url }}/pages/{{ latest.route|trim('/') }}"><i class="fa fa-fw fa-file-o"></i> {{ latest.title|e }}</a></td><td class="double page-route">{{ latest.route }}</td><td><b class="last-modified">{{ latest.modified|nicetime }}</b>
+                </td>
+            </tr>
         {% endfor %}
         </table>
     </div>

{{ latest.title }}	{{ latest.route }}	{{ latest.modified\|nicetime }}
+ {{ latest.title\|e }}	{{ latest.route }}	{{ latest.modified\|nicetime }} +