Escape urls to avoid xss #11092
Conversation
src/View/StringTemplate.php
@@ -315,6 +315,9 @@ protected function _formatAttribute($key, $value, $escape = true) | |||
} | |||
$truthy = [1, '1', true, 'true', $key]; | |||
$isMinimized = isset($this->_compactAttributes[$key]); | |||
if(!preg_match_all('/\A(\w|[.-])+\z/', $key)) { |
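Review bot: `preg_match_all` is the wrong call for a yes/no check on `$key` in this hunk: it builds a match array that is never read, and `preg_match` on the same pattern returns the same truthiness. The pattern can also be a single character class, `/\A[\w.-]+\z/`, which is equivalent to the repeated capturing group `(\w|[.-])+` and avoids a capture per character. `if(` needs a space per the project coding standard. The hunk header says three lines were added but only this first one is shown, so the docblock of `_formatAttribute` should state what happens to a key that fails the check (skipped, escaped, or rejected), because callers rendering user-supplied attribute names depend on that behaviour.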
Pretty sure this is supposed to be `if (` with a space.
Do you need preg_match_all or would preg_match work?
Not sure, I'm no regex hero. If you think `preg_match` would do, I can change that.
9a5efed to e04ac15
Codecov Report
| | master | #11092 | +/- |
|---|---|---|---|
| Coverage | 94.86% | 94.92% | +0.06% |
| Complexity | 12838 | 13060 | +222 |
| Files | 437 | 437 | |
| Lines | 32733 | 33062 | +329 |
| Hits | 31051 | 31383 | +332 |
| Misses | 1682 | 1679 | -3 |
fixed cs issue and replaced
e04ac15 to 0c88f63
This causes a major regression in all HtmlHelper generated img URLs that contain query strings:
We need a 3.5.2 to fix this before too many people update and have their apps completely broken.
I think it is relevant to mention that your plugin was HTML encoding URLs before passing them to assetUrl methods in UrlHelper, and that is the source of double encoding.
Indeed. It was properly handling it on its own. I guess people doing similar handling will have to fix their code now to adhere to the new security standard of this patch release. |
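The double-encoding regression discussed in the comments above, as an added example that is not CakePHP's code: `isSafeAttributeName`, `escapeAttributeValue` and `formatAttribute` are hypothetical helpers written here to illustrate the behaviour, and the sample URLs and the hostile value are constructed. Only `htmlspecialchars`, `preg_match` and the attribute-name character set from the PR's regex come from PHP or from the page.

```php
<?php
// Added example, not CakePHP's own code. Renders one HTML attribute the way a
// template helper might, and shows why input that a caller already HTML-encoded
// comes out double-encoded.

declare(strict_types=1);

/**
 * Reject attribute names that are not plain word characters, dots or dashes.
 * Same character set the PR's regex allows, written as one character class and
 * checked with preg_match because only a yes/no answer is needed.
 */
function isSafeAttributeName(string $key): bool
{
    return preg_match('/\A[\w.-]+\z/', $key) === 1;
}

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * PHP's fourth argument, $double_encode, defaults to true: an "&amp;" already
 * present in the input becomes "&amp;amp;". With false, existing entities are
 * left alone.
 */
function escapeAttributeValue(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', $doubleEncode);
}

/** Hypothetical helper: validate the name, escape the value, emit key="value". */
function formatAttribute(string $key, string $value, bool $doubleEncode = true): string
{
    if (!isSafeAttributeName($key)) {
        throw new InvalidArgumentException('Unsafe attribute name: ' . var_export($key, true));
    }

    return sprintf('%s="%s"', $key, escapeAttributeValue($value, $doubleEncode));
}

// Constructed inputs.
$rawUrl     = '/img/logo.png?v=2&w=100';      // what a helper should receive
$preEscaped = '/img/logo.png?v=2&amp;w=100';  // what a plugin that encodes first passes in
$hostile    = '" onerror="alert(1)';          // attacker-controlled value

// Raw URL, escaped once at output: the "&" becomes "&amp;", which the browser decodes.
echo formatAttribute('src', $rawUrl), "\n";

// Pre-encoded URL with the PHP default: the existing "&amp;" is encoded again.
echo formatAttribute('src', $preEscaped), "\n";

// Pre-encoded URL with double_encode disabled: existing entities are kept as-is.
echo formatAttribute('src', $preEscaped, false), "\n";

// Hostile value: the quotes are neutralised, so the attribute cannot be broken out of.
echo formatAttribute('src', $hostile), "\n";

// A name containing a space fails the check and is rejected rather than rendered.
try {
    formatAttribute('src onerror', 'x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Running this, the second line is the broken img URL the regression report above describes: `&amp;` turned into `&amp;amp;`, which a browser decodes back to a literal `&amp;` in the query string instead of `&`. Passing `false` as the fourth argument to `htmlspecialchars` makes the third line match the first, but it also means a value that legitimately contains the text `&amp;` reaches the browser unescaped, so the robust fix is the one the thread settles on: callers pass raw URLs and the helper escapes exactly once at output.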
Protocol relative URLs were missed from the changes in #11092 as they are handled by a different code branch.