Bugfix: Template content being 'escaped' showing HTML entities #459
Got it. The only place I see this method used is by owa_template::makeLink, which is being called in the construction of these error messages. I'm really hesitant to allow HTML in output as it's an XSS vector. Let me look at these error message strings and see what's happening here.
OK. Here's what's going on. The error msg strings that are being passed to the template for display contain HTML tags - which is not a good idea for this very reason.
You can see these in
Then the view will assign the completely formatted msg to a variable that the
So I think the fix is to remove the HTML tags from error msg strings and NOT make the output sanitization allow for HTML entities.
So we have two options as I see it:
Then we could refactor
And then finally we could create
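The trade-off described above, as an added example that is not part of this PR or of OWA's code: a small PHP script (the strings, the `render`/`renderError` helpers and the `$siteId` input are hypothetical) showing why the "escaped entities" symptom appears, why switching the sanitizer off is the wrong fix, and what keeping the messages plain text while the template owns the markup looks like.

```php
<?php
// Added example, not OWA's code. Demonstrates the three cases discussed
// in the thread: markup inside a message string, an unescaped output path,
// and plain-text messages with escaping kept on.

// Hypothetical error message that carries markup, as the thread describes.
$msgWithMarkup = '<strong>Error:</strong> invalid site id';

// Hypothetical attacker-influenced value that ends up inside a message
// (constructed input for the example).
$siteId = '<script>alert(1)</script>';
$msgFromInput = 'Site ' . $siteId . ' not found';

// Output sanitization for an HTML body context: every special character
// becomes an entity, so nothing in $text can start a tag or attribute.
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Case 1: the reported symptom. Because the message string contains tags,
// the sanitizer turns them into visible &lt;strong&gt; entities.
echo render($msgWithMarkup), "\n";

// Case 2: the tempting fix is to let HTML through. Printing the message
// raw makes the attacker's <script> part of the page, i.e. stored/reflected
// XSS depending on where $siteId came from.
echo $msgFromInput, "\n";

// Case 3: the fix proposed in the thread. Messages are plain text, the
// template supplies the markup, and the sanitizer still runs on the
// message. The tags in the template render; the tags in the data do not.
function renderError(string $plainMsg): string
{
    return '<p class="error"><strong>Error:</strong> ' . render($plainMsg) . '</p>';
}

echo renderError('invalid site id'), "\n";
echo renderError($msgFromInput), "\n";
```

Run it with `php example.php` and compare the three outputs: the first shows entities where tags were intended, the second contains a live `<script>` element, and the third shows bold "Error:" from the template with the injected tags neutralised. The same rule applies to anything a link-building helper produces: it belongs in the template, not in the message string that is later passed through the sanitizer.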
I thought I deactivated all normalizations via git (line endings or separator), but there is still trouble. Normally my git should commit 'as it is' and not normalize to Unix style. Hopefully it's OK that I just added comments on the specific parts and did not revert everything.