getkirby / kirby

Kirby's core application folder
https://getkirby.com
Other

[3.6.0-beta.3] html from page model used as 'info text' in pages section is not being parsed as html anymore #3809

Closed ralfgoeke closed 3 years ago

ralfgoeke commented 3 years ago

Describe the bug

To Reproduce
Steps to reproduce the behavior:

```php
# page model
public function htmlTest()
{
  return '<span style="color: red;">should be red</span>';
}
```

```yaml
sections:
  test_sect:
    type: pages
    info: "{{ page.htmlTest }}"
```

Expected behavior
Text should be rendered as HTML, like it worked before, until beta.3

Screenshots

html-not-parsed

Kirby Version
3.6.0-beta.3

afbora commented 3 years ago

@ralfgoeke Thanks for the report. There is a breaking change here; you need to use it like this: {< page.htmlTest >}

Several blueprint options that use the query syntax were updated to escape the placeholder values against raw HTML output that may lead to XSS attacks. HTML code directly in the query (like This is {{ page.important }}) still works as normal. If placeholders need to return HTML, you can use the new {< site.myMethodWithHtml >} syntax. In this case you need to ensure manually that the returned HTML code is safe. With the {{ }} syntax, Kirby performs the escaping for you.

https://getkirby.com/releases/3.6/breaking-changes#panel
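The difference between the two placeholder forms, as an added PHP sketch that is not part of the original thread and not Kirby's own code. `renderInfo()`, `escapeHtml()`, `htmlTestUnsafe()`, `htmlTestSafe()` and the `$title` value are hypothetical and constructed; the renderer only mimics the escaping behaviour the release notes describe.

```php
<?php
// Added illustration, not Kirby's implementation.
//   {{ key }}  value is HTML-escaped by the renderer
//   {< key >}  value is inserted as-is; the caller must make it safe
function renderInfo(string $template, array $data): string
{
    return preg_replace_callback(
        '/\{\{\s*([\w.]+)\s*\}\}|\{<\s*([\w.]+)\s*>\}/',
        function (array $m) use ($data): string {
            $raw   = $m[1] === '';          // second alternative matched
            $key   = $raw ? $m[2] : $m[1];
            $value = (string)($data[$key] ?? '');
            return $raw ? $value : escapeHtml($value);
        },
        $template
    ) ?? '';
}

function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical model methods; $title stands for editor-controlled content.
function htmlTestUnsafe(string $title): string
{
    return '<span style="color: red;">' . $title . '</span>';
}

function htmlTestSafe(string $title): string
{
    // Only the fixed markup stays raw; the dynamic part is escaped first.
    return '<span style="color: red;">' . escapeHtml($title) . '</span>';
}

$title = '<script>alert(1)</script>';   // constructed sample value
$cases = [
    'escaped placeholder'     => ['{{ page.htmlTest }}', htmlTestSafe($title)],
    'raw placeholder, unsafe' => ['{< page.htmlTest >}', htmlTestUnsafe($title)],
    'raw placeholder, safe'   => ['{< page.htmlTest >}', htmlTestSafe($title)],
];
foreach ($cases as $label => [$template, $value]) {
    echo $label, ":\n  ", renderInfo($template, ['page.htmlTest' => $value]), "\n";
}
```

Only the third case renders the red span while keeping the editor-supplied title inert, which is the manual safety check the `{< >}` syntax leaves to the model method.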

ralfgoeke commented 3 years ago

Damn, I overlooked that one. Thanks for the heads-up and sorry for the extra work. 🥴