Antler old variable is not sanitized #1521
Not directly a feature request. I totally understand that this could only be done in v3 or later.
Variable output through should be escaped unless otherwise stated.
I assumed that behaviour because most other template languages do it too.
It took me quite some time to realise this behaviour.
Steps to reproduce
My bad, I tried to simplify the reproduction without testing it …
At the time of opening the issue I had a form with the
The documentation gives examples which are prone to XSS attacks
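To make the default-escaping point concrete, here is an added illustration that is not part of the original issue and is not Antlers or Statamic code: a hypothetical mini template engine in Python that interpolates `{{ var }}` two ways. `render_unescaped` pastes values in raw (the behaviour the issue complains about), while `render_autoescape` HTML-escapes every interpolation unless the template author opts out with a made-up `{{ raw var }}` marker. A small HTML-parser based check then reports whether the rendered page still contains active content (script elements or `on*` event handlers) that came from the constructed form input.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker input, as it might arrive in a form field.
UNTRUSTED_INPUT = '<img src=x onerror="alert(document.cookie)">'

# Hypothetical templates for the mini engine; `raw` is an invented opt-out
# marker for this example, not a real Antlers modifier.
TEMPLATE = "<p>Hello, {{ name }}</p>"
RAW_TEMPLATE = "<p>Hello, {{ raw name }}</p>"
CONTEXT = {"name": UNTRUSTED_INPUT}

# Matches `{{ var }}` and `{{ raw var }}`.
TAG = re.compile(r"\{\{\s*(raw\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render_unescaped(template, context):
    """Raw-by-default behaviour: the variable goes into the HTML as-is."""
    return TAG.sub(lambda m: str(context.get(m.group(2), "")), template)


def render_autoescape(template, context):
    """Escaped-by-default behaviour: every interpolation is HTML-escaped
    unless the template explicitly opts out with `raw`."""

    def substitute(match):
        value = str(context.get(match.group(2), ""))
        if match.group(1):  # explicit `raw` opt-out by the template author
            return value
        # quote=True also escapes " and ' so attribute contexts are covered.
        return html.escape(value, quote=True)

    return TAG.sub(substitute, template)


class ActiveContentFinder(HTMLParser):
    """Records script-like elements and inline event handlers in parsed HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.findings.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name.lower()}")


def find_active_content(rendered):
    """Return a list of active-content findings; empty means the output
    contains no script elements or on* handlers after parsing."""
    parser = ActiveContentFinder()
    parser.feed(rendered)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, out in (
        ("unescaped", render_unescaped(TEMPLATE, CONTEXT)),
        ("autoescape", render_autoescape(TEMPLATE, CONTEXT)),
        ("autoescape + raw opt-out", render_autoescape(RAW_TEMPLATE, CONTEXT)),
    ):
        print(f"{label}: {out}")
        print(f"  active content: {find_active_content(out)}")
```

Escaping at the point of interpolation is what makes the default safe: with raw-by-default, every template author has to remember to add a modifier to every variable, and a single omission (as in the documentation examples the issue mentions) is enough for a stored or reflected XSS. With escape-by-default the opt-out is explicit and easy to grep for in code review.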