This repository has been archived by the owner on Nov 2, 2020. It is now read-only.

Add caution to the i18n doc about embedded vars not being autoescaped #242

Merged
merged 1 commit into from
Aug 6, 2019

Conversation


@ovidiu ovidiu commented Apr 4, 2019

This relates to #241: variables embedded in `{% trans %}` tags are not subject to automatic escaping.

I believe Twig users will reasonably expect to be safe by default, unless they opt out of it using `|raw`.

I found out about this behavior after penetration testing was performed on an application I work on. I worry others may find out the hard way.
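The following template fragment illustrates the behaviour reported above and the mitigation a defender would apply. It is an added example, not code from the pull request or the Twig-Extensions project; it assumes the `{% trans %}` tag from the i18n extension, a template rendered with autoescaping enabled, and a hypothetical variable `name` that the application fills from user input.

```twig
{# Added example (not from the PR). Assumes the i18n extension's {% trans %} tag
   and a user-supplied variable `name`, e.g. the constructed value "<script>alert(1)</script>". #}

{# Ordinary output: autoescape applies, so the markup characters are rendered as entities. #}
<p>{{ name }}</p>

{# Inside a trans block the embedded variable is NOT autoescaped (the issue reported in #241):
   the raw value of `name` is substituted into the translated string as-is. #}
<p>{% trans %}Hello {{ name }}{% endtrans %}</p>

{# Mitigation: escape explicitly before entering the block, then embed the escaped copy.
   Reassigning the same variable name keeps the placeholder (and so the extracted
   message id) unchanged for translators. #}
{% set name = name|e('html') %}
<p>{% trans %}Hello {{ name }}{% endtrans %}</p>
```

Because the escaping is done by the `{% set %}` statement outside the block, the protection does not depend on how the `{% trans %}` tag itself treats filters on embedded expressions; the block only ever sees an already-escaped string. When reviewing templates for this pattern, every `{{ ... }}` inside a `{% trans %}`/`{% endtrans %}` pair that carries user-controlled data is a candidate for this treatment.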

@fabpot fabpot added the i18n label Aug 6, 2019
@fabpot (Contributor) commented Aug 6, 2019

Thank you @ovidiu.

@fabpot fabpot merged commit a86ae9d into twigphp:master Aug 6, 2019
fabpot added a commit that referenced this pull request Aug 6, 2019
…autoescaped (Ovidiu Curcan)

This PR was merged into the 2.0-dev branch.

Discussion
----------

Add caution to the i18n doc about embedded vars not being autoescaped

This relates to #241: variables embedded in `{% trans %}` tags are not subject to automatic escaping.

I believe Twig users will reasonably expect to be safe by default, unless they opt out of it using `|raw`.

I found out about this behavior after penetration testing was performed on an application I work on. I worry others may find out the hard way.

Commits
-------

a86ae9d Add caution to the i18n doc about embedded vars not being autoescaped