View vars leaking into markup #8218

Closed
hypeJunction opened this Issue Apr 17, 2015 · 3 comments

@hypeJunction
Contributor

hypeJunction commented Apr 17, 2015

We need some stricter filtering of vars before formatting attributes. We end up with attributes such as entity_allows_comments="entity_allows_comments". Perhaps we could at least check for underscores in attribute names and filter those out.

@ewinslow
Member

ewinslow commented Apr 19, 2015

removing underscores sgtm

mrclay added a commit to mrclay/Elgg-leaf that referenced this issue Apr 27, 2015

fix(output): fewer view $vars will be output by accident
A general problem is views passing along arbitrary $vars values to views
like output/url, which treat unrecognized $vars as HTML attributes. This
at least strips keys with underscores, which are definitely not meant
to be HTML attributes.

Fixes #8218
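As an added illustration of the problem described in the issue and in the commit message above (example code, not Elgg's own; the function names, the assumed list of view-only keys and the sample $vars are all assumptions made here), a naive attribute formatter is shown beside a stricter one that drops keys containing underscores, restricts attribute names to a safe pattern and escapes every value. It goes beyond the thread in one respect: it also rejects keys that are not valid attribute names, since such a key can break out of the attribute list in the same way a leaked internal flag can clutter it.

```php
<?php
// Added example, not Elgg's code. Function names and the $view_only list are hypothetical.

/**
 * Naive formatter: every key that is not a recognised view option becomes an
 * attribute. This reproduces the leak from the issue (entity_allows_comments="...").
 */
function format_attributes_naive(array $vars, array $view_only = ['text']): string {
    $pairs = [];
    foreach ($vars as $name => $value) {
        if (in_array($name, $view_only, true)) continue;
        if ($value === false || $value === null) continue;
        if ($value === true) $value = $name;          // boolean attribute, e.g. disabled="disabled"
        if (!is_scalar($value)) continue;
        // Value is escaped, but the NAME is written out verbatim.
        $pairs[] = $name . '="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return implode(' ', $pairs);
}

/**
 * Stricter formatter:
 *  - explicit view-only keys are dropped (assumed list: text, is_trusted)
 *  - any key containing an underscore is dropped, as in the commit above
 *  - the name must match [a-z][a-z0-9-]*, so a key cannot smuggle in quotes or spaces
 *  - booleans and arrays (e.g. a class list) are normalised; values are always escaped
 */
function format_attributes_strict(array $vars, array $view_only = ['text', 'is_trusted']): string {
    $pairs = [];
    foreach ($vars as $name => $value) {
        if (in_array($name, $view_only, true)) continue;
        if (strpos((string) $name, '_') !== false) continue;
        if (!preg_match('/^[a-z][a-z0-9-]*$/', (string) $name)) continue;
        if ($value === false || $value === null) continue;
        if ($value === true) $value = $name;
        if (is_array($value)) $value = implode(' ', $value);
        if (!is_scalar($value)) continue;             // objects etc. are never attribute values
        $pairs[] = $name . '="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return implode(' ', $pairs);
}

// Constructed sample $vars, resembling what a view might pass through to output/url.
$vars = [
    'href'                   => '/blog/view/42',
    'class'                  => 'elgg-anchor',
    'text'                   => 'Read more',
    'is_trusted'             => true,
    'entity_allows_comments' => true,                // internal flag: must never reach markup
    'data-guid'              => 42,                  // legitimate custom attribute, kept
    '" onmouseover="alert(1)' => 'x',                // hostile key: the naive version emits it
];

echo "naive:  <a " . format_attributes_naive($vars) . ">\n";
echo "strict: <a " . format_attributes_strict($vars) . ">\n";
```

The naive output carries `entity_allows_comments="entity_allows_comments"`, `is_trusted="is_trusted"` and an unquoted fragment from the hostile key; the strict output is `href="/blog/view/42" class="elgg-anchor" data-guid="42"`. The underscore rule is the heuristic the commit above adopted; an explicit allow-list of attribute names per view is the stricter option if that heuristic turns out to be too coarse.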
@mrclay
Member

mrclay commented Apr 27, 2015

PR #8252

@mrclay
Member

mrclay commented May 12, 2015

I don't think banning underscores is going to work: #8252 (comment)

mrclay added two further commits with the same message to mrclay/Elgg-leaf that referenced this issue Jun 4, 2015

@mrclay mrclay closed this in #8414 Jun 4, 2015
