Opened 15 years ago

Closed 15 years ago

Last modified 13 years ago

#11413 closed (fixed)

Need to update the doc for firsof and cycle tag behaviour with autoescaping on

Reported by: krystal Owned by: nobody
Component: Documentation Version: dev
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to XSS vulnerability.

The "core" issue has been reported on #10834 ; it seems like everyone is ok to say that something needs to be done, but it won't be immediate.

I think that the current documentation is missleading as we don't say explicitly that var won't be escaped, and I think it the doc should be corrected for 1.1.

Here is a patch, written with my poor english, to help people don't fall in the trap.

Attachments (2)

doc-firstof-cycle-escaping.diff.2.txt (2.9 KB ) - added by krystal 15 years ago.
doc-firstof-cycle-escaping.diff.txt (2.9 KB ) - added by krystal 15 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 by krystal, 15 years ago

Oups, bad cut&paste, I mean ticket #10912

comment:2 by Alex Gaynor, 15 years ago

Fixed in r11163

comment:3 by Alex Gaynor, 15 years ago

Resolution: fixed
Status: newclosed

comment:4 by Jacob, 13 years ago

milestone: 1.1

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.
Back to Top