Disallow / as it can be used to do XSS.

When / is combined with /script you can do naughty things. Blacklisting / is a much safer option.
cakephp · Feb 19, 2014 · bd46972 · bd46972
1 parent d4e6944
commit bd46972
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/View/Widget/IdGeneratorTrait.php b/src/View/Widget/IdGeneratorTrait.php
@@ -48,7 +48,7 @@ protected function _clearIds() {
  */
 	protected function _id($name, $val) {
 		$name = mb_strtolower(Inflector::slug($name, '-'));
-		$idSuffix = mb_strtolower(str_replace(array('@', '<', '>', ' ', '"', '\''), '-', $val));
+		$idSuffix = mb_strtolower(str_replace(array('/', '@', '<', '>', ' ', '"', '\''), '-', $val));
 		$count = 1;
 		$check = $idSuffix;
 		while (in_array($check, $this->_idSuffixes)) {