On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
The existing patch is correct - using htmlspecialchars will have the
effect of placing escaped strings in the database. It will also have
the effect of double escaping each time you edit a field.
My patch replaces the display template
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential XSS issue. Why not use
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is
The existing patch is correct - using htmlspecialchars will have the
effect of placing escaped strings in the database. It will also have
the effect of double escaping each time you edit a field.
My patch replaces the display template method block(), which does not
escape, with the text() method.
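The escape-on-input versus escape-on-output argument above is easy to reproduce. The following is an added example, not code from the thread or from the project under discussion; it is written in Python with html.escape() standing in for PHP's htmlspecialchars(), and render_text()/render_block() are hypothetical analogues of the template's text() and block() methods. The sample user input is constructed. It simulates saving a field, then round-tripping it through an edit form a few times, under both policies.

```python
import html

# Constructed sample input: markup a user might type into a text field.
USER_INPUT = '<script>alert(1)</script> & "quotes"'


def render_block(value: str) -> str:
    """Analogue of the template's block() method: emits the value raw."""
    return value


def render_text(value: str) -> str:
    """Analogue of the template's text() method: escapes once at output."""
    return html.escape(value, quote=True)


def edit_cycle(stored: str, escape_on_save: bool) -> str:
    """One edit of a field: load into a form, submit unchanged, save."""
    # The edit form puts the stored value into an input attribute, escaped
    # once so the form markup stays well-formed.
    field_markup = html.escape(stored, quote=True)
    # The browser decodes those entities when it fills the field, so the
    # value POSTed back on save is exactly the stored string.
    submitted = html.unescape(field_markup)
    # Escape-on-input runs htmlspecialchars() again on every save; the
    # already-escaped entities get escaped a second time.
    return html.escape(submitted, quote=True) if escape_on_save else submitted


def simulate(escape_on_save: bool, edits: int) -> dict:
    """Store USER_INPUT, edit it `edits` times, and show what each template
    method would emit for the final stored value."""
    stored = html.escape(USER_INPUT, quote=True) if escape_on_save else USER_INPUT
    for _ in range(edits):
        stored = edit_cycle(stored, escape_on_save)
    return {
        "stored": stored,
        "block": render_block(stored),
        "text": render_text(stored),
    }


if __name__ == "__main__":
    for policy, label in ((True, "escape on input"), (False, "escape on output")):
        for n in (0, 1, 2):
            r = simulate(policy, n)
            print(f"{label}, {n} edit(s): stored={r['stored']!r}")
            print(f"    block() -> {r['block']!r}")
            print(f"    text()  -> {r['text']!r}")
```

With escape-on-output the database keeps the original string no matter how many times the field is edited, block() still emits the raw markup (the hole the thread is about), and text() emits it escaped exactly once. With escape-on-input the stored value gains one more layer of entities per edit, so text() then double-escapes and the user sees literal `&amp;lt;` in the page.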