Hi,
If you use the console to bake views like index.ctp and view.ctp, data
is echo'ed directly like:
<?php echo $user['Model']['field']; ?>
- I think that all output should by default be HTML-escaped to avoid
security flaws, so the baked code should rather be something like:
<?php echo h($user['Model']['field']); ?>
What are your opinions - should this be considered a bug?
Regards
Jonathan
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
