Open allan-simon opened 1 month ago
here I really think it's a bug, because TextField::setFormatValue is safe by default, while AssociationField::setFormatValue is not
@javiereguiluz do you agree with me here (so that I know if it's worth it to fix the PR)
Instead, if people do need it, we force them to do
->setStripTag(true) before
Example to reproduce: create two entities, Comment and Author. In the Comment CRUD controller do the following
if the author's name contains
<script>alert("coucou")</script>
it will inject an XSS in the admin. Instead, with this PR you will be required to do
if you want to intentionally disable it
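The behaviour the comment describes, modelled in a stand-alone PHP script. This is an added example, not EasyAdmin's code and not the PR's diff: the names FieldOptions, renderField and the stripTags flag are hypothetical stand-ins for the field configuration, and the safe default here is output escaping with htmlspecialchars rather than tag stripping (both neutralise the payload; escaping also keeps the literal text visible). It needs PHP 8.1 or newer.

```php
<?php
// Added example (not EasyAdmin's own code). It shows why a formatValue callback
// on an association field is an XSS sink unless the framework neutralises
// markup by default and makes the developer opt out explicitly.
declare(strict_types=1);

// Hypothetical stand-in for a field's configuration.
final class FieldOptions
{
    public function __construct(
        public readonly bool $stripTags = true,      // safe by default, as the PR proposes
        public readonly ?Closure $formatValue = null, // like ->setFormatValue(...)
    ) {}
}

/** Render a field's display value into the HTML of the admin page. */
function renderField(mixed $value, FieldOptions $options): string
{
    // The callback sees the raw entity; whatever it returns is what gets printed.
    $formatted = $options->formatValue !== null
        ? ($options->formatValue)($value)
        : (string) $value;

    if ($options->stripTags) {
        // Safe default: escape so "<script>" reaches the browser as text, not markup.
        return htmlspecialchars($formatted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Developer explicitly opted out (the equivalent of ->setStripTag(false)):
    // the callback's output is trusted as HTML.
    return $formatted;
}

// Constructed sample: an Author whose name carries the payload from the comment.
$author = ['name' => '<script>alert("coucou")</script>'];
$label  = fn(array $a): string => $a['name'];

// Opt-out: markup is injected into the admin page unchanged.
echo renderField($author, new FieldOptions(stripTags: false, formatValue: $label)), PHP_EOL;

// Default: the same callback, but the output is escaped before rendering.
echo renderField($author, new FieldOptions(formatValue: $label)), PHP_EOL;
```

The point of the split is where the neutralisation happens: after the callback, on its return value. Escaping the entity field before it reaches the callback would not help, because the callback can build arbitrary strings, and a developer who genuinely needs HTML output has to opt out in a way that is visible in the controller.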