Currently Textpattern offers no way to use template tags within anything other
than HTML; and even then not within tag attributes. Using tags within
JavaScript, attributes, or URL components leads to XSS issues and broken
markup.
For instance:
<script> alert('<txp:excerpt />'); </script>
<a href="#" title="<txp:excerpt />"><txp:title /></a>
Generates:
<script> alert('<strong>Hello
World!</strong>'); </script>
<a href="#" title="<strong>Hello
World!</strong>">Test</a>
This creates unnecessary requirements for plugins, or forces the user to use raw
PHP. It's pretty lousy that the system offers no way to prevent XSS
vulnerabilities. You literally cannot use tags as attribute values etc.
Todo:
* Namespaced attributes, allowing global functionality shared by all tags.
Global attributes are processed *before* and/or *after* the tag.
* Potential <txp:escape/> tag.
The basic issue we have is that Textpattern expects that everything is
HTML. The main offender is Textile; it unnecessarily uses entities, which
fucks up everything. Not that it necessarily matters, because we already have some
double encoding going on.
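As an added illustration of what a context-aware escape (the proposed <txp:escape /> tag, or a global escape attribute) would have to do, here is hypothetical PHP that is not part of Textpattern: txp_escape_for is an assumed name, and the $excerpt value is constructed from the example above.

```php
<?php
// Added example, not Textpattern code: a hypothetical context-aware escaper.
// The same tag output must be encoded differently depending on where the
// template writes it; one HTML-only encoding (or Textile's entities) is not
// enough for attributes, JavaScript strings or URL components.

/**
 * Escape $value for the output context it is about to be written into.
 * Contexts: 'html' (element content), 'attr' (quoted HTML attribute),
 * 'js' (JavaScript string literal, quotes included), 'url' (URL component).
 */
function txp_escape_for(string $value, string $context): string
{
    switch ($context) {
        case 'html':
        case 'attr':
            // Encodes < > & " ' so the value can neither close the attribute
            // nor start a tag. ENT_SUBSTITUTE keeps invalid UTF-8 from
            // silently turning the whole string into "".
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        case 'js':
            // json_encode yields a complete, double-quoted JS string literal
            // (newlines become \n); the HEX flags also encode < > & ' " so a
            // "</script>" inside the value cannot end the script element.
            return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
        case 'url':
            // Percent-encodes everything except unreserved characters.
            return rawurlencode($value);
        default:
            throw new InvalidArgumentException("Unknown escape context: $context");
    }
}

// Constructed sample: what <txp:excerpt /> renders after Textile.
$excerpt = "<strong>Hello\nWorld!</strong>";

// For a title attribute or a JS string the markup is meaningless, so first
// reduce the excerpt to plain text: strip tags, then decode Textile's
// entities ONCE so that the re-escaping below cannot double encode.
$plain = trim(html_entity_decode(strip_tags($excerpt), ENT_QUOTES | ENT_HTML5, 'UTF-8'));

echo "<script> alert(" . txp_escape_for($plain, 'js') . "); </script>\n";
echo '<a href="#" title="' . txp_escape_for($plain, 'attr') . '">Test</a>' . "\n";
echo '<a href="/search?q=' . txp_escape_for($plain, 'url') . '">Search</a>' . "\n";
// Element content may keep the markup, but then it is shown, not interpreted.
echo '<p>' . txp_escape_for($excerpt, 'html') . "</p>\n";
```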
Original issue reported on code.google.com by jukka.m.svahn on 21 Oct 2013 at 8:44