Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#11413 closed (fixed)

Need to update the doc for firsof and cycle tag behaviour with autoescaping on

Reported by: krystal Owned by: nobody
Component: Documentation Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to XSS vulnerability.

The "core" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.

I think that the current documentation is missleading as we don't say explicitly that var won't be escaped, and I think it the doc should be corrected for 1.1.

Here is a patch, written with my poor english, to help people don't fall in the trap.

Attachments (2)

doc-firstof-cycle-escaping.diff.2.txt (2.9 KB) - added by krystal 5 years ago.
doc-firstof-cycle-escaping.diff.txt (2.9 KB) - added by krystal 5 years ago.

Download all attachments as: .zip

Change History (6)

Changed 5 years ago by krystal

Changed 5 years ago by krystal

comment:1 Changed 5 years ago by krystal

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Oups, bad cut&paste, I mean ticket #10912

comment:2 Changed 5 years ago by Alex

Fixed in r11163

comment:3 Changed 5 years ago by Alex

  • Resolution set to fixed
  • Status changed from new to closed

comment:4 Changed 3 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted

Add Comment

Modify Ticket

Change Properties
<Author field>
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.