Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#11413 closed (fixed)

Need to update the doc for firsof and cycle tag behaviour with autoescaping on

Reported by: krystal Owned by: nobody
Component: Documentation Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to XSS vulnerability.

The "core" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.

I think that the current documentation is missleading as we don't say explicitly that var won't be escaped, and I think it the doc should be corrected for 1.1.

Here is a patch, written with my poor english, to help people don't fall in the trap.

Attachments (2)

doc-firstof-cycle-escaping.diff.2.txt (2.9 KB) - added by krystal 6 years ago.
doc-firstof-cycle-escaping.diff.txt (2.9 KB) - added by krystal 6 years ago.

Download all attachments as: .zip

Change History (6)

Changed 6 years ago by krystal

Changed 6 years ago by krystal

comment:1 Changed 6 years ago by krystal

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Oups, bad cut&paste, I mean ticket #10912

comment:2 Changed 6 years ago by Alex

Fixed in r11163

comment:3 Changed 6 years ago by Alex

  • Resolution set to fixed
  • Status changed from new to closed

comment:4 Changed 4 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.
Back to Top