Uninterpreted HTML in warning message of settings import

[ibennetch]

Using QA_4_8, I exported my settings, then tried to import them again. I got a warning message stating that some settings were invalid, and they included some literal <i> and </i> rather than rendering the text in italics.

[MauricioFauth]

I don't think this is a security issue, because it is either a predetermined message or the message will be sanitized.
I believe this was introduced by 729349d. Twig automatically escapes the outputs, and that has not been disabled in this case.

[ibennetch]

I was probably cautious about how to report it but can move this issue to the bug tracker. Thanks.

[bahl24]

@ibennetch I wasn't able to reproduce the issue, can you give detailed testing instructions?

[kartik1000]

@MauricioFauth can't we use the raw filter of twig in {{error}} part?

[ibennetch]

I missed the question from @bahl24 earlier, but I've seen it now. To reproduce (you may need to first have defined some custom setting in this settings tab):

Go to the Settings tab of the main page. The default tab is "Manage your settings". From "Export" pick "Save as file" (which should be "Save as JSON file", see #15115) - or create a custom JSON file from my example below. Save the JSON file to your local computer.

Now go to the "Import" area and "Browse" to the file you just downloaded, then press "Go" to begin the import. This message is shown afterwards.

My JSON file that reveals this problem:

{
    "NavigationLogoLink": "\/example.php",
    "Export\/method": "custom",
    "RowActionLinksWithoutUnique": true,
    "InitialSlidersState": "open",
    "Console\/Mode": "collapse",
    "Server\/hide_db": "",
    "Server\/only_db": ""

[williamdes]

Fixed by 2a4729c
I missed the issue when creating the fix and the initial changelog entry

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.