getkirby / kirby

Kirby's core application folder
https://getkirby.com

[3.6.0-beta.2] Panel: Text with escaped html in info box #3763

Closed tobiasfabian closed 3 years ago

tobiasfabian commented 3 years ago

Describe the bug
HTML tag is visible/escaped in info box

To Reproduce
Create a page with a template which has no blueprint. E.g. /content/checkout/checkout.txt but no /site/blueprints/pages/checkout.yml

Expected behavior
HTML tag should not be escaped.

Screenshots

[Screenshot, 2021-10-06 18:04:36: info box showing the escaped HTML tag as literal text; image not included]

Kirby Version
3.6.0-beta.2

Console output
none

Desktop (please complete the following information):

Additional context
It’s the page.blueprint string https://github.com/getkirby/kirby/blob/aadf1c2e6fafe9f6170d97c541e85fe3512c54ac/i18n/translations/en.json#L388

It is used in this Vue file: https://github.com/getkirby/kirby/blob/release/3.6.0-beta.2/panel/src/components/Views/PageView.vue#L64

bastianallgeier commented 3 years ago

cgundermann commented 3 years ago

Unfortunately I'm still getting escaped html, when using the query language in the field. Am I doing something wrong or is this still an issue with the info field? It used to work in 3.5.7 =)

# blueprint (YAML)
myfield:
  type: info
  label: 'Zeitraum'
  text: |
    {{ page.somefield.toGreyedOutText }}

// field methods (PHP)
'toGreyedOutText' => function ($field) {
  //...
  // $stat is computed in the elided code above
  $value = $field->isEmpty() ? 'Keine Angabe' : date('d.m.Y', strtotime($field->value()));
  $text_col = ($stat === false) ? 'var(--color-border);' : 'var(--theme-positive-text);';
  return '<span style="color: ' . $text_col . '">' . $value . '</span>';
}

Result:

[Screenshot of the resulting info box; image not included]
afbora commented 3 years ago

@CrisGraphics Please check out 3.6 documents.

Several blueprint options that use the query syntax were updated to escape the placeholder values against raw HTML output that may lead to XSS attacks. HTML code directly in the query (like This is {{ page.important }}) still works as normal. If placeholders need to return HTML, you can use the new {< site.myMethodWithHtml >} syntax. In this case you need to ensure manually that the returned HTML code is safe. With the {{ }} syntax, Kirby performs the escaping for you.

https://getkirby.com/releases/3.6/breaking-changes#panel
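The difference between the two syntaxes, as an added example (PHP 8) that is not Kirby's own code: `renderPlaceholders` and the query resolver below are simplified stand-ins for Kirby's template and query handling, and the field method is a constructed copy of the one posted earlier in this thread, with `$stat` replaced by a plain flag. It shows what the Panel receives for `{{ }}` and for `{< >}` when a field method returns HTML.

```php
<?php
// Added example, not Kirby's code: a minimal re-implementation of the two
// placeholder syntaxes described in the 3.6 breaking changes. Function names
// and the query resolver are assumptions for this example; Kirby resolves
// real queries against its page/site objects.

/**
 * Replace placeholders in a blueprint string.
 *   {{ query }}  -> resolved value, HTML-escaped (safe default)
 *   {< query >}  -> resolved value inserted as raw HTML; whoever writes the
 *                   method behind the query must guarantee that it is safe
 * One regex pass handles both forms, so text produced by one placeholder is
 * never re-scanned for the other syntax.
 */
function renderPlaceholders(string $template, callable $resolve): string
{
    return preg_replace_callback(
        '/\{\{\s*(.+?)\s*\}\}|\{<\s*(.+?)\s*>\}/',
        function (array $m) use ($resolve): string {
            if (isset($m[2]) && $m[2] !== '') {
                // raw syntax: trusted HTML, inserted unchanged
                return (string) $resolve($m[2]);
            }
            // escaped syntax: neutralise <, >, &, " and ' before the Panel renders it
            return htmlspecialchars((string) $resolve($m[1]), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    ) ?? '';
}

/** Constructed stand-in for the field method from the comment above. */
function toGreyedOutText(string $raw, bool $stat): string
{
    $value   = $raw === '' ? 'Keine Angabe' : date('d.m.Y', strtotime($raw));
    $textCol = $stat === false ? 'var(--color-border);' : 'var(--theme-positive-text);';
    return '<span style="color: ' . $textCol . '">' . $value . '</span>';
}

// Constructed sample data: a date stored in the field, a flag standing in for
// $stat (computed in elided code in the original snippet), and a page title
// containing markup, standing in for content a non-admin editor could type.
$resolve = fn (string $query): string => match ($query) {
    'page.somefield.toGreyedOutText' => toGreyedOutText('2021-10-06', true),
    'page.title'                     => 'Checkout <b>& more</b>',
    default                          => '',
};

echo renderPlaceholders('{{ page.somefield.toGreyedOutText }}', $resolve), PHP_EOL;
echo renderPlaceholders('{< page.somefield.toGreyedOutText >}', $resolve), PHP_EOL;
echo renderPlaceholders('Page: {{ page.title }}', $resolve), PHP_EOL;
```

The first line prints the `<span>` with its angle brackets and quotes turned into entities, which is exactly the escaped tag visible in the screenshots in this issue; the second prints the span as markup, which is what `{< >}` is for; the third shows why `{{ }}` is the default: the markup in the title is neutralised rather than rendered. With `{< >}` the escaping moves into the field method, so any part of its return value that comes from stored content (here `$value`) should be passed through `htmlspecialchars` before it is concatenated into the tag; only the fixed CSS strings can be trusted as written.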

cgundermann commented 3 years ago

@CrisGraphics Please check out 3.6 documents.

Ah, thank You Ahmet! This of course works. Sorry, must have overlooked that... so many places with information. 🙈