html tag show up in info message in empty dashboard #3128
Comments
The Python code is just using the API
in The issue is where the message is rendered. How are those info messages rendered in Plone 5?
Actually it's in This fixes the rendering. But do we want this fix? Is there any security implication of doing that?
If we have the issue just for this message, we can change it to not include html and that's it.
I wondered if the It could be useful to have this, so you can add links and other markup. But that would have security implications as you suspect, at least Cross Site Scripting. We cannot be sure that all core or add-on code is safe for this. There may be code that says: "Your input was X, this is wrong." Then an attacker could craft a link that leads to JavaScript being executed, or a link to a rogue site shown. A feature could be to let Anyway, for the current case it would be best to remove the
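The trade-off raised in this thread, as an added example that is not Plone's code or API: rendering every info message as HTML also renders reflected input, while escaping by default and opting in through a marker type still allows links. `TrustedHTML`, `build_message`, `render_info` and `render_info_unsafe` are hypothetical names, and the input value is constructed.

```python
from html import escape


class TrustedHTML(str):
    """Marker type (hypothetical): markup written by the developer, never by a user."""


def build_message(template, **values):
    """Fill a developer-written HTML template, escaping every interpolated value."""
    safe = {
        name: value if isinstance(value, TrustedHTML) else escape(str(value), quote=True)
        for name, value in values.items()
    }
    return TrustedHTML(template.format(**safe))


def render_info(message):
    """Escape by default; emit markup only for messages marked TrustedHTML."""
    if isinstance(message, TrustedHTML):
        return str(message)
    return escape(str(message), quote=True)


def render_info_unsafe(message):
    """The variant questioned in the thread: every message is emitted as HTML."""
    return str(message)


# Constructed value standing in for input that arrives through a crafted link.
USER_INPUT = "<script>alert(1)</script>"

# Add-on style message that reflects the input, as in "Your input was X".
REFLECTED = "Your input was %s, this is wrong." % USER_INPUT

# Developer-written message that wants a link and still reflects the input.
WITH_LINK = build_message(
    'Your input was <em>{value}</em>. See the <a href="{url}">help page</a>.',
    value=USER_INPUT,
    url="/help",
)

if __name__ == "__main__":
    print("unsafe :", render_info_unsafe(REFLECTED))
    print("default:", render_info(REFLECTED))
    print("opt-in :", render_info(WITH_LINK))
```

With the escaping default, a plain message that contains markup is displayed with its tags visible, which is the symptom this issue reports.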
Ok, I think I will just remove the
See my comment collective/plone.app.locales#294 (comment)
BUG
What I did:
In the toolbar, click on your name, then Dashboard
What I expect to happen:
The dashboard is empty, and a message tells me that without showing an HTML tag in the info message.
What actually happened:
There is an HTML tag in the info message.
What version of Plone/ Addons I am using:
Plone 5.2.2rc1