Hello,

I use symfony 1.2.9 with doctrine...
I would like to escape all the special HTML characters that a user can
put in an HTML form...
So I added to the ".all .settings" section of my settings.yml file the
following lines:
    escaping_strategy: both
    escaping_method:   ESC_ENTITIES

With a form, I save an annonce object containing a description field:
<script>alert('hello')</script>
I display $announce->getDescription() but the JavaScript is
executed...
When I check the source code I've got
<script type="text/javascript">alert('bonjour')</script>
and not
&gt;&lt;script&gt;alert('hello')&lt;/script&gt;

Thanks for your help
