CakePHP-Bootstrap / cakephp3-bootstrap-helpers

CakePHP 3.x Helpers for Bootstrap 3 and 4.
https://holt59.github.io/cakephp3-bootstrap-helpers/
MIT License

Html injection fix #177

Closed asgraf closed 5 years ago

asgraf commented 5 years ago

Fixes the HTML injection vulnerability described in #176.

This fix allows escaping without disabling easyIcon conversion. Escaping is now enabled by default.

The old unsafe behavior can be restored by setting the option ['escape' => false]. Example:

echo $this->Html->link('i:tag Title');                      // new safe behavior (escaped by default)
echo $this->Html->link('i:tag Title', ['escape' => false]); // old unsafe behavior

Icon conversion can also be enabled or disabled by passing an inline easyIcon option. Example:

$this->Html->easyIcon = false;                                 // global default: off
echo $this->Html->link('i:tag Title', ['easyIcon' => false]); // icon won't be converted
echo $this->Html->link('i:tag Title', ['easyIcon' => true]);  // icon will be converted
echo $this->Html->link('i:tag Title');                        // icon won't be converted

$this->Html->easyIcon = true;                                  // global default: on
echo $this->Html->link('i:tag Title', ['easyIcon' => true]);  // icon will be converted
echo $this->Html->link('i:tag Title', ['easyIcon' => false]); // icon won't be converted
echo $this->Html->link('i:tag Title');                        // icon will be converted

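The ordering that makes "escape without disabling easyIcon" possible is: escape the whole title first, then rewrite the `i:name` shorthand into an icon tag from the already-escaped text. The stand-alone PHP below illustrates that ordering; it is an added example, not code from this PR or from the cakephp3-bootstrap-helpers plugin. The function name `renderLinkTitle`, the exact shorthand regex, and the `fa fa-name` class pattern are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical stand-in for a link-title renderer (not the plugin's code).
 *
 * Options mirror the ones discussed in the PR:
 *   'escape'   (bool, default true)  - HTML-escape the title before anything else
 *   'easyIcon' (bool, default true)  - rewrite the "i:name" shorthand into an icon tag
 *
 * The title is escaped FIRST and the icon rewrite runs on the escaped string,
 * so caller-supplied markup can never reach the output unescaped while the
 * shorthand still turns into an <i> element.
 */
function renderLinkTitle(string $title, array $options = []): string
{
    $escape   = $options['escape']   ?? true; // safe default, as the PR makes it
    $easyIcon = $options['easyIcon'] ?? true; // assumed global default for this example

    $text = $escape
        ? htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $title; // old unsafe behavior: raw markup passes through

    if ($easyIcon) {
        // Assumed shorthand format: a standalone "i:name" token becomes an icon tag.
        // The captured name is limited to [A-Za-z0-9_-], so the rewrite itself cannot
        // reintroduce angle brackets or quotes into the (already escaped) text.
        $text = preg_replace(
            '/(^|\s)i:([A-Za-z0-9_-]+)(?=\s|$)/',
            '$1<i class="fa fa-$2"></i>',
            $text
        );
    }

    return $text;
}

// Constructed sample title that mixes the icon shorthand with HTML markup.
$userTitle = 'i:tag <b class="x">Title</b>';

// Default: markup is escaped to entities, the icon shorthand is still converted.
echo renderLinkTitle($userTitle), "\n";

// Opting out of escaping reproduces the pre-fix behavior: markup is emitted as-is.
echo renderLinkTitle($userTitle, ['escape' => false]), "\n";

// Escaping on, icon conversion off: the literal text "i:tag" is kept and escaped.
echo renderLinkTitle($userTitle, ['easyIcon' => false]), "\n";
```

Because the icon rewrite only ever inserts a fixed tag with a character-restricted class name, running it after `htmlspecialchars` does not undo the escaping; running it before would re-expose any markup the title contained.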
Holt59 commented 5 years ago

Closing this PR since this has been fixed by 69653d8d1bfcdb74ad3ca8d129483b41d9338324 (master) and 526c72b80a222c02eb0c8a819aaf4f2022df48b1 (v4).