Get raw parameters in filter tags, refs #13131 #946

Merged: 1 commit merged from dev/issue-13131-escaping into qa/2.6.x on Aug 7, 2019

Conversation

jraddaoui
Contributor

When the escaping strategy is enabled and Markdown support is disabled,
getParams is converted to a sfOutputEscaperArrayDecorator instance.
This needs to be converted back using $sf_data->getRaw() to be able
to merge it with another array in the template.

@jraddaoui jraddaoui self-assigned this Aug 6, 2019
Member

@djjuhasz djjuhasz left a comment

@jraddaoui doesn't using $sf_data->getRaw('getParams') mean that any user data sent in a GET will be included in the resulting URL, without any sanitization? Maybe we need to manually do HTML escaping on the array values before outputting the URL?

@jraddaoui
Contributor Author

Great point @djjuhasz!

We have to be really careful after un-escaping and in any case, as the escaping strategy may be disabled to enable Markdown. I couldn't find where in the code so I tested it and it looks like url_for is taking care of the escaping.
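The exchange above comes down to one question: when un-escaped request parameters are merged into another array and handed to the URL helper, does the helper encode them before they land in an attribute? The following is an added illustration, not code from this PR, from AtoM or from Symfony's `url_for`. It rebuilds that pipeline in plain PHP with the check a reviewer could keep as a regression test; the function names and the sample parameters are constructed for the example.

```php
<?php
// Added example (not AtoM's or Symfony's code): why merging un-escaped
// request parameters into a URL is safe only if the URL builder encodes
// them, and how to verify that. Plain PHP, no framework dependency.

/**
 * Stands in for the "raw" side of the thread: parameters exactly as the
 * client sent them, before any output-escaping decorator is applied.
 */
function constructedRawParams(): array
{
    // Constructed sample request parameters, including characters that
    // would break out of an HTML attribute if they reached the page as-is.
    return [
        'query' => 'foo" onmouseover="x()',
        'page'  => '2',
        'tag'   => '<b>bold</b>',
    ];
}

/**
 * Builds an href the way a template might: merge the raw request
 * parameters with template-supplied ones, then serialise them into a query
 * string. http_build_query() percent-encodes every key and value, so no
 * HTML metacharacter survives in the URL itself. Keys in $extra override
 * keys in $rawParams, matching array_merge() semantics.
 */
function buildHref(string $path, array $rawParams, array $extra): string
{
    $merged = array_merge($rawParams, $extra);
    return $path . '?' . http_build_query($merged, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Final step before the URL is placed in an attribute: HTML-escape it.
 * The query string is already percent-encoded, but the '&' separators must
 * still become '&amp;' in an attribute context. A framework URL helper
 * normally does this for you; here it is made explicit.
 */
function hrefAttribute(string $href): string
{
    return htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * The check a reviewer would want: does any raw metacharacter from the
 * input appear unencoded in the attribute value?
 */
function attributeIsSafe(string $attr): bool
{
    return !preg_match('/[<>"\']/', $attr);
}

$href = buildHref('/search', constructedRawParams(), ['sort' => 'name', 'page' => '1']);
$attr = hrefAttribute($href);

echo '<a href="' . $attr . '">next</a>' . PHP_EOL;
echo (attributeIsSafe($attr) ? 'OK' : 'UNSAFE')
    . ': no raw <, >, " or \' in the attribute value' . PHP_EOL;
```

The safety of the merge rests entirely on `buildHref()` percent-encoding the values; if someone later replaces it with string concatenation, `attributeIsSafe()` flips to false on the constructed input. That is the same dependency the thread settles on (`url_for` doing the escaping), so a test of this shape is what turns a manual "I tested it" into something that fails loudly on regression.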

Member

@mcantelon mcantelon left a comment

Looks good to me!

Member

@djjuhasz djjuhasz left a comment

Agreed 👍

When the escaping strategy is enabled and Markdown support is disabled,
`getParams` is converted to a `sfOutputEscaperArrayDecorator` instance.
This needs to be converted back using `$sf_data->getRaw()` to be able
to merge it with another array in the template.
@qubot qubot merged commit 55af3f9 into qa/2.6.x Aug 7, 2019
@qubot qubot deleted the dev/issue-13131-escaping branch August 7, 2019 10:18
@jraddaoui
Contributor Author

c1e9b3c in stable/2.5.x
