id: 11413
summary: Need to update the doc for firstof and cycle tag behaviour with autoescaping on
reporter: krystal
owner: nobody
description:
  When you use {% firstof var1 var2 %}, output is not magically escaped as filter is a tag, which can lead to an XSS vulnerability. The "core" issue has been reported on #10834; it seems like everyone is ok to say that something needs to be done, but it won't be immediate. I think that the current documentation is misleading as we don't say explicitly that var won't be escaped, and I think the doc should be corrected for 1.1. Here is a patch, written with my poor English, to help people not fall into the trap.
type:
status: closed
component: Documentation
version: dev
severity:
resolution: fixed
keywords:
cc:
stage: Unreviewed
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0