whiteoctober / Pagerfanta

Pagination for PHP.

Ampersands not encoded #163

Open mvanduijker opened 9 years ago

mvanduijker commented 9 years ago

Ampersands are not properly encoded when the urls are generated (for example: http://example.com/?q=example&page=1 instead of http://example.com/?q=example&amp;page=1). I know in html5 it is not required to do this (http://stackoverflow.com/questions/19441750/do-ampersands-still-need-to-be-encoded-in-urls-in-html5) but it is better to cover it.

I can make a PR, but where does the escaping need to be fixed? Or doesn't it need to be fixed here, and should it be handled by the url generator callback? (Then it needs fixing in the Symfony Bundle.) Would also be nice if the html attribute is specifically escaped (example of why: http://framework.zend.com/manual/2.3/en/modules/zend.escaper.escaping-html-attributes.html)

pablodip commented 9 years ago

Not sure I understand the second paragraph. Would there be any backwards incompatibility?

mvanduijker commented 9 years ago

It can be backwards incompatible if users implemented escaping in their url generators and it gets fixed in the view / template layer.

stof commented 9 years ago

IMO, the escaping is not the job of the url generator, but of the renderer.

> Would also be nice that the html attribute is specifically escaped (example of why http://framework.zend.com/manual/2.3/en/modules/zend.escaper.escaping-html-attributes.html)

To be exact, the special escaping is necessary for attribute names or unquoted attribute values. If you render your attributes quoted, you don't need to apply anything more complex than htmlspecialchars($value, ENT_QUOTES, 'UTF-8').

stof commented 9 years ago

btw, other placeholders are also missing the escaping (the text is not escaped for instance)

pablodip commented 9 years ago

@stof What exactly do you propose?

mvanduijker commented 9 years ago

Any news on this? Willing to contribute but need info how we are going to solve this.

pablodip commented 9 years ago

What do you think @stof?

stof commented 9 years ago

@pablodip the View object needs to apply HTML escaping in every place where it builds HTML strings.

pablodip commented 9 years ago

Hmm, this would break BC, but we can just create a new View.

Anyone willing to do a PR? :)

stof commented 9 years ago

@pablodip I don't think the existing views should be kept as is. BC breaks are accepted to fix security issues. Not escaping the variables in the HTML opens the door to XSS.
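The split stof argues for in the two comments above (the url generator returns a raw URL, the renderer escapes every placeholder it puts into HTML), shown as an added example. This is not Pagerfanta's own code and none of the function names below (escapeHtml, buildRouteUrl, renderPageLinkUnescaped, renderPageLink) are part of its API; the label and URL are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added illustration, not Pagerfanta code. All function names are hypothetical.

// Escapes a value for use as text content or as a quoted attribute value.
// ENT_QUOTES covers both ' and " (needed inside attributes); ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, so bad input
// does not silently blank the output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A url generator callback as the View receives it. It returns the raw URL and
// does NOT escape: the same URL may also be used outside HTML (e.g. in a
// Location header), so HTML escaping here would be the wrong layer.
function buildRouteUrl(int $page): string
{
    return 'http://example.com/?q=example&page=' . $page;
}

// The unescaped way of building the link: the behaviour the issue reports.
// Both the href and the text are interpolated verbatim, so a '&' in the URL
// stays raw and a '<' or '"' in the label ends up as markup.
function renderPageLinkUnescaped(callable $routeGenerator, int $page, string $text): string
{
    return sprintf('<a href="%s">%s</a>', $routeGenerator($page), $text);
}

// The escaped way: every placeholder that lands in HTML goes through escapeHtml().
// Because the attribute value is quoted, htmlspecialchars with ENT_QUOTES is
// sufficient; the attribute-specific escaper is only needed for attribute names
// or unquoted values.
function renderPageLink(callable $routeGenerator, int $page, string $text): string
{
    return sprintf(
        '<a href="%s">%s</a>',
        escapeHtml($routeGenerator($page)),
        escapeHtml($text)
    );
}

// Constructed label containing characters that are significant in HTML.
$label = '"Next" > page';

echo renderPageLinkUnescaped('buildRouteUrl', 2, $label), PHP_EOL;
echo renderPageLink('buildRouteUrl', 2, $label), PHP_EOL;
```

With the escaped renderer the `&` in the href is emitted as `&amp;`, and the quotes and `>` in the label become `&quot;` and `&gt;`, so neither placeholder can break out of the attribute or the element. It also makes the BC concern raised earlier concrete: a user callback that already returns `&amp;` would now be escaped a second time to `&amp;amp;`, which is why escaping has to live in exactly one layer.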

pablodip commented 9 years ago

That's right. Waiting for someone to PR then. I vote for @stof, but don't know if he can and want. :))

stof commented 9 years ago

I would prefer to have someone else working on it honestly (I have lots of other things in my TODO-list already)