I'll take a look. The concrete "get" method should probably just be removed in Symfony2. Kris
-- Kris Wallsmith | Release Manager [email protected] Portland, Oregon USA http://twitter.com/kriswallsmith On Jul 26, 2010, at 4:59 AM, Victor Berchet wrote: > When output escaping is turned on in symfony 1.4 (also seems to be the > case in symfony2), calling the get method on an object would result in > calling the get method of sfOutputEscaperObjectDecorator which only > accepts a single argument (without taking the escaping method into > account). > > Then trying to call a get method with more than one parameter would > not produce the expected result. A very good example is trying to call > $sf_params->get(<my name>, <my default value>). "my default value" > would be considered as the escaping method and would never be > propagated to the original object. > > This is very annoying plus the behavior is non consistent with the > behavior when escaping is turned off (then the second parameter would > be taken into account). > > This has been detected long ago (http://trac.symfony-project.org/ > ticket/1775) but never fixed. I propose a fix: > http://trac.symfony-project.org/ticket/8861. > > The classic work around (as described in issue 1775) is to use > $sf_data->getRaw('sf_params')->getget(<my name>, <my default value>). > However this returns an un-escaped value and then might expose a > security breach. > > I believe that the proposed fix is not an API change hence can be > applied safely to symfony 1.4. It seems to me that symfony2 is also > affected (by reading the code) and should be fixed in the same way. > > Cheers, > Victor > > -- > If you want to report a vulnerability issue on symfony, please send it to > security at symfony-project.com > > You received this message because you are subscribed to the Google > Groups "symfony developers" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/symfony-devs?hl=en -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
