$ClassName template variable should be sanitised to remove slashes #7586
Comments
For context, this is coming from the default theme's
Let's just remove it instead? :P
Removing it from the template doesn't cure the underlying issue though. If there's an expectation to be able to use the $ClassName in a template (as per SS3) then it's going to catch a lot of people out when they re-introduce the invalid code. If fixing the specific issue is too onerous, would changing it to a different value be preferable? (something like
@tractorcow Could we add something like the following to

```php
public function forTemplate()
{
    return Convert::raw2htmlid($this->value);
}
```
I'd be more in favour of @kinglozzer's suggestion and have requested that in the pull request :)
@kinglozzer you are hard-baking in an assumption about front-end use into the inner dbfield; how do you know that
Which is now broken because we've stripped out slashes.
You could add a $BaseName property to classname which skipped the namespace. And you could still use CSS rules like:
That’s a fair point @tractorcow, I like your suggestion of adding an extra method to
I agree with @tractorcow - there should be no assumption that Use
I think the issue is that slashes are valid in attributes, but not in CSS selectors.
Backslashes are valid in CSS, you just need to escape them, e.g. `<body class="Namespace\PageType">` and `.Namespace\\PageType {}`. But for what it's worth, I think adding
Ok, I've updated this with a
Because of auto-escaping, this will be escaped as XML safely in the template anyway, but also won't have any slashes anymore. :)
Currently, the `$ClassName` template variable injects the entire, fully-qualified classname into the page. On SS4 this inevitably includes backslashes which are invalid in CSS class names. Suggest that the ClassName should be sanitised with `Convert::raw2htmlid()` or similar before being sent to the template.

PRs:
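The three approaches discussed in this thread side by side, as an added example that is not SilverStripe's own code nor code posted by anyone here: reducing the fully-qualified class name to an HTML-id-safe token (what the issue asks `Convert::raw2htmlid()` to do), dropping the namespace to a base name (the `$BaseName` idea), and leaving the value untouched while escaping the backslash in the CSS selector (the `.Namespace\\PageType {}` approach). The helper names `toHtmlId`, `baseName`, `cssEscapeClass` and `htmlAttr`, and the sample class name `App\Web\PageType`, are assumptions for illustration; `toHtmlId` mimics the behaviour the thread wants from `raw2htmlid()` and is not that function. The `htmlAttr` line shows the point made near the end of the thread: HTML auto-escaping keeps the attribute XML-safe, but a backslash is not an HTML-special character, so escaping alone never yields a valid CSS class name.

```php
<?php
// Added example (not SilverStripe project code): three ways to make a
// fully-qualified PHP class name usable as an HTML class / CSS selector.
// Helper names and the sample class name are assumptions for illustration.

/**
 * Reduce a string to an HTML-id-safe token (letters, digits, "-", "_", ":", "."),
 * replacing every other run of characters with a single underscore.
 * Approximates what the thread asks Convert::raw2htmlid() to do; not that function.
 */
function toHtmlId(string $value): string
{
    $replaced = preg_replace('/[^A-Za-z0-9\-_:.]+/', '_', $value);
    return trim($replaced, '_');
}

/**
 * Strip the namespace and return only the class's base name.
 * This is the "$BaseName property" alternative raised in the thread.
 */
function baseName(string $fqcn): string
{
    $pos = strrpos($fqcn, '\\');
    return $pos === false ? $fqcn : substr($fqcn, $pos + 1);
}

/**
 * Escape a class token for use in a CSS selector so the raw namespaced name
 * can stay in the markup: every backslash becomes "\\", which CSS reads back
 * as a literal backslash.
 */
function cssEscapeClass(string $className): string
{
    return '.' . str_replace('\\', '\\\\', $className);
}

/**
 * The attribute value the browser would receive after HTML escaping, as the
 * template engine's auto-escaping would produce it. Backslashes are untouched.
 */
function htmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$fqcn = 'App\\Web\\PageType'; // constructed sample class name (single-quoted: one backslash each)

printf("raw value:        %s\n", $fqcn);
printf("html attribute:   class=\"%s\"\n", htmlAttr($fqcn));
printf("htmlid sanitised: %s\n", toHtmlId($fqcn));
printf("base name:        %s\n", baseName($fqcn));
printf("css selector:     %s {}\n", cssEscapeClass($fqcn));
```

Run it with `php example.php`. Of the three, only `toHtmlId` also removes any other character that is not valid in an identifier, which is why it is the safest default for a value that ends up in markup; `baseName` keeps the value readable but can collide when two namespaces contain the same class name, and the CSS-escape route leaves the raw namespaced string in every page.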