
Ampersands not encoded #163

Open
mvanduijker opened this issue Dec 2, 2014 · 12 comments

Comments

@mvanduijker

Ampersands are not properly encoded when the urls are generated (for example: http://example.com/?q=example&page=1 instead of http://example.com/?q=example&amp;page=1) I know in html5 it is not required to do this (http://stackoverflow.com/questions/19441750/do-ampersands-still-need-to-be-encoded-in-urls-in-html5) but it is better to cover it.

I can make a PR, but where does the escaping need to be fixed? Or doesn't it need to be fixed, and should it be handled by the url generator callback? (Then it needs fixing in the Symfony Bundle.) It would also be nice if the html attribute were specifically escaped (example of why: http://framework.zend.com/manual/2.3/en/modules/zend.escaper.escaping-html-attributes.html)

@pablodip
Contributor

pablodip commented Dec 2, 2014

Not sure I understand the second paragraph. Would there be any backwards incompatibility?

@mvanduijker
Author

It can be backwards incompatible if users implemented escaping in their url generators and it gets fixed in the view / template layer.

@stof
Contributor

stof commented Dec 2, 2014

IMO, the escaping is not the job of the url generator, but of the renderer.

Would also be nice that the html attribute is specifically escaped (example of why http://framework.zend.com/manual/2.3/en/modules/zend.escaper.escaping-html-attributes.html)

To be exact, the special escaping is necessary for attribute names or unquoted attribute values. If you render your attributes quoted, you don't need to apply anything more complex than htmlspecialchars($value, ENT_QUOTES, 'UTF-8').

@stof
Contributor

stof commented Dec 2, 2014

btw, other placeholders are also missing the escaping (the text is not escaped for instance)

@pablodip
Contributor

pablodip commented Dec 2, 2014

@stof What exactly do you propose?

@mvanduijker
Author

Any news on this? Willing to contribute but need info how we are going to solve this.

@pablodip
Contributor

What do you think @stof?

@stof
Contributor

stof commented Jan 16, 2015

@pablodip the View object needs to apply HTML escaping in every place where it builds HTML strings

@pablodip
Contributor

Hmm, this would break BC, but we can just create a new View.

Anyone willing to do a PR? :)

@stof
Contributor

stof commented Jan 16, 2015

@pablodip I don't think the existing views should be kept as is. BC breaks are accepted to fix security issues. Not escaping the variables in the HTML opens the door to XSS.
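
Putting the thread's two points together (escaping belongs in the renderer, not in the url generator callback, and every placeholder, href and text alike, goes through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') with attribute values kept quoted), here is an added PHP example. It is not Pagerfanta's View code and not from any participant; escapeHtml(), makeRouteGenerator(), renderLinkUnescaped(), renderLinkEscaped() and renderBadgeUnquoted() are hypothetical names, and the query string, page number and link label are constructed inputs.

```php
<?php
// Added example (not the project's own View code). Shows why escaping belongs
// in the renderer: the route generator returns a raw URL, and the view escapes
// it together with every other placeholder at the moment it builds the HTML.
declare(strict_types=1);

/** Escape for text content or a *quoted* attribute value, as suggested in the thread. */
function escapeHtml(string $value): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical route generator callback: page number in, raw URL out.
 * It percent-encodes its own parameter (URL layer) but does no HTML escaping,
 * because the same URL may be needed outside HTML, e.g. in a Location header.
 */
function makeRouteGenerator(string $query): callable
{
    return static function (int $page) use ($query): string {
        return 'http://example.com/?q=' . rawurlencode($query) . '&page=' . $page;
    };
}

/** The pattern the issue reports: raw concatenation, nothing escaped. */
function renderLinkUnescaped(callable $routeGenerator, int $page, string $text): string
{
    return '<a href="' . $routeGenerator($page) . '">' . $text . '</a>';
}

/** Hardened: every placeholder is escaped at the point where the HTML is built. */
function renderLinkEscaped(callable $routeGenerator, int $page, string $text): string
{
    return '<a href="' . escapeHtml($routeGenerator($page)) . '">' . escapeHtml($text) . '</a>';
}

/**
 * The caveat from the thread: htmlspecialchars() is only enough for quoted
 * attribute values. Left unquoted, a space in the value starts a new attribute,
 * so a class of 'active disabled' becomes two attributes even though escaped.
 */
function renderBadgeUnquoted(string $cssClass, string $text): string
{
    return '<span class=' . escapeHtml($cssClass) . '>' . escapeHtml($text) . '</span>';
}

// Constructed inputs: a query containing '&' and a label containing '"' and '<'.
$routeGenerator = makeRouteGenerator('a&b');
$label = '"Next" <page>';

echo renderLinkUnescaped($routeGenerator, 2, $label), PHP_EOL;
echo renderLinkEscaped($routeGenerator, 2, $label), PHP_EOL;
echo renderBadgeUnquoted('active disabled', '2'), PHP_EOL;
```

The first line of output carries the bare & inside href and the label's raw double quotes, which close the attribute early; the second turns & into &amp;, " into &quot; and < into &lt;, so the markup stays intact regardless of what the callback or the label contains; the third shows the unquoted class value being split into two attributes even after escaping, which is why the quoted form is the one to use. Note the two separate layers: rawurlencode() in the generator handles the URL encoding of the query parameter, escapeHtml() in the view handles the HTML context. Escaping in the generator instead would produce &amp; in any non-HTML use of the same URL and would still leave the text placeholder unescaped.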

@pablodip
Contributor

That's right. Waiting for someone to PR then. I vote for @stof, but don't know if he can and want. :))

@stof
Contributor

stof commented Jan 18, 2015

I would prefer to have someone else working on it honestly (I have lots of other things in my TODO-list already)

No branches or pull requests

3 participants