Fabien,

Thanks for your quick reaction.

One little question: why use `htmlspecialchars()` rather than the output escaping library?

François

2008/10/4 Frank Stelzer <[EMAIL PROTECTED]>
>
> Thanks (for everything :D) !
>
> On 04.10.2008 at 09:23, Fabien Potencier wrote:
>
> > fixed
> >
> > --
> > Fabien Potencier
> > Sensio CEO - symfony lead developer
> > sensiolabs.com | symfony-project.com | aide-de-camp.org
> > Tel: +33 1 40 99 80 80
> >
> > Frank Stelzer wrote:
> >> Hi Fabien,
> >> Only a small report:
> >> I get a white page on the installation page http://www.symfony-project.org/installation .
> >>
> >> - Frank
> >>
> >> On 03.10.2008 at 22:08, Fabien Potencier wrote:
> >>
> >>> In accordance with our security policy, we are releasing today symfony
> >>> 1.1.4 to fix a security issue that has been reported by a symfony user
> >>> earlier today. This post contains the description of the vulnerability
> >>> and the description of the changes we have made to fix it. The affected
> >>> symfony versions are all symfony 1.1 releases and the 1.2 branch.
> >>>
> >>> Description of the vulnerability
> >>> --------------------------------
> >>>
> >>> The validation sub-framework allows the developer to embed the user
> >>> submitted value in the error messages. If you use the submitted value in
> >>> some of your error messages or if you use the default error messages
> >>> provided by some built-in validators (see the list below), you are
> >>> vulnerable because symfony will not escape the value for you.
> >>>
> >>> The following built-in validators are affected because they embed the
> >>> submitted values in some of their default error messages:
> >>>
> >>> * sfValidatorDate
> >>> * sfValidatorFile
> >>> * sfValidatorInteger
> >>> * sfValidatorNumber
> >>> * sfValidatorString
> >>> * sfValidatorTime
> >>>
> >>> Resolution
> >>> ----------
> >>>
> >>> As of symfony 1.1.4, we have changed the getArguments() method of the
> >>> sfValidatorError class to escape the error messages. Here is the
> >>> modified version of this method:
> >>>
> >>> [php]
> >>> public function getArguments($raw = false)
> >>> {
> >>>   if ($raw)
> >>>   {
> >>>     return $this->arguments;
> >>>   }
> >>>
> >>>   $arguments = array();
> >>>   foreach ($this->arguments as $key => $value)
> >>>   {
> >>>     if (is_array($value))
> >>>     {
> >>>       continue;
> >>>     }
> >>>
> >>>     $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
> >>>   }
> >>>
> >>>   return $arguments;
> >>> }
> >>>
> >>> The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2
> >>> (changeset 11933) branches. You can download the patch for symfony 1.1
> >>> or symfony 1.2 in the symfony trac.
> >>>
> >>> Every symfony user is encouraged to upgrade as soon as possible.
> >>>
> >>> --
> >>> Fabien Potencier
> >>> Sensio CEO - symfony lead developer
> >>> sensiolabs.com | symfony-project.com | aide-de-camp.org
> >>> Tel: +33 1 40 99 80 80
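The message-rendering behaviour that the quoted advisory describes, as an added example that is not part of this thread or of symfony's code: a minimal stand-in for how %key% arguments reach an error message, with the unescaped handling beside the escaped handling introduced in 1.1.4. The function names, the message template and the submitted value are constructed for illustration.

```php
<?php
// Added example, not symfony's own code: a minimal stand-in for how an
// sfValidatorError message is rendered from its %key% arguments, with the
// pre-1.1.4 behaviour next to the 1.1.4 one. The function names are
// illustrative assumptions; escapeArguments() mirrors the body of the
// getArguments() method quoted in the advisory.

// Before the fix: scalar arguments become %key% placeholders verbatim.
function rawArguments(array $arguments)
{
    $out = array();
    foreach ($arguments as $key => $value) {
        if (is_array($value)) {
            continue;
        }
        $out["%$key%"] = $value;
    }
    return $out;
}

// As of 1.1.4: each scalar argument is HTML-escaped, quotes included,
// so a submitted value cannot inject markup into the error message.
function escapeArguments(array $arguments, $charset = 'UTF-8')
{
    $out = array();
    foreach ($arguments as $key => $value) {
        if (is_array($value)) {
            continue;
        }
        $out["%$key%"] = htmlspecialchars($value, ENT_QUOTES, $charset);
    }
    return $out;
}

// Replaces every %key% placeholder in the message template.
function renderMessage($template, array $arguments)
{
    return strtr($template, $arguments);
}

// Constructed input: a submitted string containing markup and quotes.
$arguments = array('value' => '<b>"abc"</b>', 'min_length' => 12);
$template = '"%value%" is too short (%min_length% characters min).';

echo renderMessage($template, rawArguments($arguments)), "\n";    // markup passes through to the page
echo renderMessage($template, escapeArguments($arguments)), "\n"; // markup and quotes are entity-encoded
```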
