Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#11413 closed (fixed)

Need to update the doc for firsof and cycle tag behaviour with autoescaping on

Reported by: krystal Owned by: nobody
Component: Documentation Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to XSS vulnerability.

The "core" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.

I think that the current documentation is missleading as we don't say explicitly that var won't be escaped, and I think it the doc should be corrected for 1.1.

Here is a patch, written with my poor english, to help people don't fall in the trap.

Attachments (2)

doc-firstof-cycle-escaping.diff.2.txt (2.9 KB) - added by krystal 7 years ago.
doc-firstof-cycle-escaping.diff.txt (2.9 KB) - added by krystal 7 years ago.

Download all attachments as: .zip

Change History (6)

Changed 7 years ago by krystal

Changed 7 years ago by krystal

comment:1 Changed 7 years ago by krystal

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

Oups, bad cut&paste, I mean ticket #10912

comment:2 Changed 7 years ago by Alex Gaynor

Fixed in r11163

comment:3 Changed 7 years ago by Alex Gaynor

Resolution: fixed
Status: newclosed

comment:4 Changed 5 years ago by Jacob

milestone: 1.1

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.
Back to Top