#11413 closed (fixed)
Need to update the doc for firstof and cycle tag behaviour with autoescaping on
| Reported by: | krystal | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When you use {% firstof var1 var2 %}, the output is not magically escaped, as filter is a tag, which can lead to an XSS vulnerability.
The "core" issue has been reported in #10834; it seems like everyone is OK to say that something needs to be done, but it won't be immediate.
I think that the current documentation is misleading, as we don't say explicitly that var won't be escaped, and I think the doc should be corrected for 1.1.
Here is a patch, written with my poor English, to help people not fall into the trap.
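The behaviour the report describes, as an added illustration that is not part of this ticket, of the attached patch, or of Django's own template engine: a small pure-Python renderer that models the rule at issue (a `{{ var }}` node is escaped when autoescaping is on, while a tag such as `{% firstof %}` emits its result raw), next to the `{% filter force_escape %}` wrapper the documentation of that era recommends as the workaround. The renderer, its function names and the sample context are constructed for this example; later Django releases changed `firstof` and `cycle` to autoescape their output, so the model reproduces the older behaviour the ticket is about, not what a current Django does.

```python
import html
import re

# Constructed sample: a user-controlled display name that carries markup.
ATTACKER_NAME = '<script>alert("xss")</script>'
CONTEXT = {"nickname": "", "name": ATTACKER_NAME}

# Split a template into literal text, {{ variable }} and {% tag %} tokens.
TOKEN_RE = re.compile(r"(\{\{.*?\}\}|\{%.*?%\})")


def firstof(context, args):
    """Model of the 1.1-era firstof tag: first truthy argument, emitted raw."""
    for arg in args:
        value = context.get(arg, "")
        if value:
            return str(value)
    return ""


def render(template, context, autoescape=True):
    """Render a template, applying autoescape only to {{ variable }} nodes.

    Tag output bypasses autoescape unless it sits inside a
    {% filter force_escape %} ... {% endfilter %} block, which mirrors the
    workaround documented for firstof and cycle.
    """
    out = []
    force_escape = False  # inside {% filter force_escape %} ... {% endfilter %}
    for tok in TOKEN_RE.split(template):
        if tok.startswith("{{"):
            value = str(context.get(tok[2:-2].strip(), ""))
            out.append(html.escape(value) if autoescape else value)
        elif tok.startswith("{%"):
            parts = tok[2:-2].split()
            if parts[0] == "firstof":
                piece = firstof(context, parts[1:])
                # The tag result is only escaped because of the filter block,
                # never because autoescape is on: this is the reported gap.
                out.append(html.escape(piece) if force_escape else piece)
            elif parts[:2] == ["filter", "force_escape"]:
                force_escape = True
            elif parts[0] == "endfilter":
                force_escape = False
            else:
                raise ValueError(f"unsupported tag in this model: {tok}")
        else:
            out.append(tok)
    return "".join(out)


def unsafe_render():
    """The trap: firstof picks the attacker value and emits it unescaped."""
    return render("<p>{% firstof nickname name %}</p>", CONTEXT)


def safe_render():
    """The workaround: wrap the tag in {% filter force_escape %}."""
    return render(
        "<p>{% filter force_escape %}{% firstof nickname name %}{% endfilter %}</p>",
        CONTEXT,
    )


if __name__ == "__main__":
    print("variable node :", render("<p>{{ name }}</p>", CONTEXT))
    print("firstof raw   :", unsafe_render())
    print("firstof wrapped:", safe_render())
```

Running it shows the plain `{{ name }}` node and the wrapped `firstof` both producing `&lt;script&gt;...`, while the bare `{% firstof nickname name %}` injects the `<script>` element into the page even though autoescaping is on.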
Attachments (2)
Change History (6)
by , 15 years ago
Attachment: doc-firstof-cycle-escaping.diff.2.txt added
by , 15 years ago
Attachment: doc-firstof-cycle-escaping.diff.txt added
comment:1 by , 15 years ago
Oops, bad cut&paste, I mean ticket #10912
comment:3 by , 15 years ago
Resolution: → fixed
Status: new → closed