#11413 closed (fixed)
Need to update the doc for firsof and cycle tag behaviour with autoescaping on
| Reported by: | krystal | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to XSS vulnerability.
The "core" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.
I think that the current documentation is missleading as we don't say explicitly that var won't be escaped, and I think it the doc should be corrected for 1.1.
Here is a patch, written with my poor english, to help people don't fall in the trap.
Attachments (2)
Change History (6)
by , 15 years ago
| Attachment: | doc-firstof-cycle-escaping.diff.2.txt added |
|---|
by , 15 years ago
| Attachment: | doc-firstof-cycle-escaping.diff.txt added |
|---|
comment:1 by , 15 years ago
comment:3 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Oups, bad cut&paste, I mean ticket #10912