﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
11413	Need to update the doc for firstof and cycle tag behaviour with autoescaping on	krystal	nobody	"When you use {% firstof var1 var2 %}, output is not magically escaped as firstof is a tag, not a filter, which can lead to an XSS vulnerability.

The ""core"" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.

I think that the current documentation is misleading as we don't say explicitly that var won't be escaped, and I think the doc should be corrected for 1.1.

Here is a patch, written in my poor English, to help people not fall into the trap."		closed	Documentation	dev		fixed			Unreviewed	0	0	0	0	0	0
