Additional HTML escaping for titles and metadata (#5276)

2025-07-11 03:43:17 +02:00 · 2025-07-11 03:43:17 +02:00 · 36271d15f5
commit 36271d15f5
parent 0ce3ef6bd8
4 changed files with 9 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,7 @@
 # Changelog
 - Add HTML escaping for some titles, labels and metada that was missing.
 ## [4.27.1](https://github.com/mmistakes/minimal-mistakes/releases/tag/4.27.1)
 ### Enhancements
--- a/_includes/footer.html
+++ b/_includes/footer.html
@ -7,7 +7,7 @@
    {% if site.footer.links %}
      {% for link in site.footer.links %}
        {% if link.label and link.url %}
-          <li><a href="{{ link.url }}" rel="nofollow noopener noreferrer"><i class="{{ link.icon | default: 'fas fa-link' }}" aria-hidden="true"></i> {{ link.label }}</a></li>
+          <li><a href="{{ link.url }}" rel="nofollow noopener noreferrer"><i class="{{ link.icon | default: 'fas fa-link' }}" aria-hidden="true"></i> {{ link.label | escape_once | strip }}</a></li>
        {% endif %}
      {% endfor %}
    {% endif %}
@ -18,4 +18,4 @@
  </ul>
 </div>
-<div class="page__footer-copyright">&copy; {{ site.time | date: '%Y' }} <a href="{{ site.copyright_url | default: site.url }}">{{ site.copyright | default: site.title }}</a>. {{ site.data.ui-text[site.locale].powered_by | default: "Powered by" }} <a href="https://jekyllrb.com" rel="nofollow">Jekyll</a> &amp; <a href="https://mademistakes.com/work/jekyll-themes/minimal-mistakes/" rel="nofollow">Minimal Mistakes</a>.</div>
+<div class="page__footer-copyright">&copy; {{ site.time | date: '%Y' }} <a href="{{ site.copyright_url | default: site.url }}">{{ site.copyright | default: site.title | escape_once | strip }}</a>. {{ site.data.ui-text[site.locale].powered_by | default: "Powered by" }} <a href="https://jekyllrb.com" rel="nofollow">Jekyll</a> &amp; <a href="https://mademistakes.com/work/jekyll-themes/minimal-mistakes/" rel="nofollow">Minimal Mistakes</a>.</div>
--- a/_includes/masthead.html
+++ b/_includes/masthead.html
@ -8,8 +8,8 @@
          <a class="site-logo" href="{{ '/' | relative_url }}"><img src="{{ logo_path | relative_url }}" alt="{{ site.masthead_title | default: site.title }}"></a>
        {% endunless %}
        <a class="site-title" href="{{ '/' | relative_url }}">
-          {{ site.masthead_title | default: site.title }}
+          {{ site.masthead_title | default: site.title | escape_once | strip }}
-          {% if site.subtitle %}<span class="site-subtitle">{{ site.subtitle }}</span>{% endif %}
+          {% if site.subtitle %}<span class="site-subtitle">{{ site.subtitle | escape_once | strip }}</span>{% endif %}
        </a>
        <ul class="visible-links">
          {%- for link in site.data.navigation.main -%}
--- a/_includes/seo.html
+++ b/_includes/seo.html
@ -39,15 +39,15 @@
 <meta name="description" content="{{ seo_description }}">
 {% if author.name %}
-  <meta name="author" content="{{ author.name | default: author }}">
+  <meta name="author" content="{{ author.name | default: author | escape_once | strip }}">
  {% if og_type == "article" %}
-  <meta property="article:author" content="{{ author.name | default: author }}">
+  <meta property="article:author" content="{{ author.name | default: author | escape_once | strip }}">
  {% endif %}
 {% endif %}
 <meta property="og:type" content="{{ og_type }}">
 <meta property="og:locale" content="{{ site.locale | replace: "-", "_" | default: "en_US" }}">
-<meta property="og:site_name" content="{{ site.title }}">
+<meta property="og:site_name" content="{{ site.title | escape_once | strip }}">
 <meta property="og:title" content="{{ page_title }}">
 <meta property="og:url" content="{{ canonical_url }}">