Hi, I just stumbled over something that I am not sure if it should be changed or not. If you pass an absolute URL to link_to() (and I am sure the same applies to other helpers) there is no automatic XSS protection applied. I guess it's a tricky topic since double escaping is a potential issue. However many people will tend to use $_SERVER items to build up absolute URLs (even inside the template) and this could lead to security issues (especially since most people are used to thinking that symfony will make everything safe). Of course $_SERVER is not safe and I guess most people know this if they are directly outputting things out of any superglobal in a template. But I am not sure that they realize this when using a helper.
regards, Lukas
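To illustrate the concern raised above, here is an added PHP example (not symfony's own link_to() implementation and not code from this thread): a naive link helper beside one that restricts the URL to http(s) or a site-relative path and HTML-escapes the attribute; the $_SERVER-derived value is a constructed stand-in.

```php
<?php
// Added example, not symfony's code: contrasts a helper that interpolates
// the URL verbatim with one that validates and escapes it.

// Naive form: whatever is in $url lands inside the href attribute as-is,
// so a quote or angle bracket in the request data ends the attribute early.
function unsafe_link_to(string $label, string $url): string
{
    return '<a href="' . $url . '">' . $label . '</a>';
}

// Hardened form: accept only http(s) URLs or site-relative paths (not
// protocol-relative "//host" ones), then escape attribute value and label.
function safe_link_to(string $label, string $url): string
{
    $isAbsolute = preg_match('#\Ahttps?://#i', $url) === 1;
    $isRelative = $url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//';
    if (!$isAbsolute && !$isRelative) {
        throw new InvalidArgumentException('Refusing to link to: ' . $url);
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Constructed stand-in for request data. On a real server HTTP_HOST and
// REQUEST_URI are supplied by the client, so building an absolute URL from
// them inherits whatever characters the client chose to send.
$host       = 'www.example.com';
$requestUri = '/search?q=a"b';
$absolute   = 'http://' . $host . $requestUri;

// First line: the double quote in the query string terminates the href.
// Second line: the same character is emitted as &quot; and stays inside it.
echo unsafe_link_to('Share this page', $absolute), "\n";
echo safe_link_to('Share this page', $absolute), "\n";

// A non-http scheme built from request data is rejected instead of linked.
try {
    safe_link_to('Share this page', 'javascript:void(0)');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```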
