When output escaping is turned on in symfony 1.4 (also seems to be the case in symfony2), calling the get method on an object would result in calling the get method of sfOutputEscaperObjectDecorator which only accepts a single argument (without taking the escaping method into account).
Then trying to call a get method with more than one parameter would not produce the expected result. A very good example is trying to call $sf_params->get(<my name>, <my default value>). "my default value" would be considered as the escaping method and would never be propagated to the original object. This is very annoying, plus the behavior is inconsistent with the behavior when escaping is turned off (then the second parameter would be taken into account).

This has been detected long ago (http://trac.symfony-project.org/ticket/1775) but never fixed. I propose a fix: http://trac.symfony-project.org/ticket/8861.

The classic workaround (as described in issue 1775) is to use $sf_data->getRaw('sf_params')->get(<my name>, <my default value>). However, this returns an unescaped value and then might expose a security breach.

I believe that the proposed fix is not an API change, hence can be applied safely to symfony 1.4. It seems to me that symfony2 is also affected (by reading the code) and should be fixed in the same way.

Cheers,
Victor

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en

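The argument-dropping behaviour described in the message above, as an added example that is not part of the original post and not symfony's own code: a simplified stand-in for an escaping decorator whose get() accepts only a key and an escaping method, so a caller's default value is silently lost, beside a variant that forwards the extra arguments to the wrapped object while still escaping the result. Class names (ParamHolder, BuggyEscaperDecorator, ForwardingEscaperDecorator) and the forwarding approach are assumptions for illustration, not necessarily what ticket 8861 proposes.

```php
<?php
// Constructed example, not symfony's sfOutputEscaperObjectDecorator.
// It models the reported problem: a decorator whose get() signature is
// get($key, $escapingMethod) swallows a caller's second argument.

// Hypothetical stand-in for a parameter holder with get($name, $default).
class ParamHolder
{
    public function __construct(private array $params) {}

    public function get(string $name, mixed $default = null): mixed
    {
        return $this->params[$name] ?? $default;
    }
}

// Reproduces the bug: the second argument is taken as the escaping method,
// and the wrapped object's get() is called with the key only, so the
// caller's default value never reaches it.
class BuggyEscaperDecorator
{
    public function __construct(private object $value, private string $escapingMethod = 'htmlspecialchars') {}

    public function get(string $key, ?string $escapingMethod = null): mixed
    {
        $raw = $this->value->get($key); // default argument is lost here
        return $this->escape($raw, $escapingMethod ?? $this->escapingMethod);
    }

    private function escape(mixed $raw, string $method): mixed
    {
        // Only strings are escaped; a missing key yields null, unescaped.
        return is_string($raw) && is_callable($method) ? $method($raw) : $raw;
    }
}

// One possible fix (an assumption, not the ticket's patch): forward every
// argument after the key to the wrapped object and keep the escaping method
// as decorator configuration, so the returned value is still escaped.
class ForwardingEscaperDecorator
{
    public function __construct(private object $value, private string $escapingMethod = 'htmlspecialchars') {}

    public function get(string $key, mixed ...$args): mixed
    {
        $raw = $this->value->get($key, ...$args); // default now propagates
        return is_string($raw) ? ($this->escapingMethod)($raw) : $raw;
    }
}

// Constructed request parameters: "name" is present, "page" is absent.
$sfParams = new ParamHolder(['name' => '<b>bob</b>']);

$buggy = new BuggyEscaperDecorator($sfParams);
var_dump($buggy->get('page', '1'));       // NULL: the default '1' was dropped

$fixed = new ForwardingEscaperDecorator($sfParams);
var_dump($fixed->get('page', '1'));       // string(1) "1": default honoured
var_dump($fixed->get('name'));            // string(22) "&lt;b&gt;bob&lt;/b&gt;": still escaped

// The workaround from the thread: bypassing the decorator returns the
// default but also the raw, unescaped value.
var_dump($sfParams->get('name'));         // string(10) "<b>bob</b>": unescaped
```

The last three var_dump calls show the trade-off the message points out: the raw object honours the default but hands back markup unescaped, whereas a decorator that forwards arguments keeps both the default and the escaping.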