#715: Form Population trips over entities in error messages when inserting them
into the document
----------------------+-----------------------------------------------------
Reporter: david | Owner: david
Type: defect | Status: new
Priority: high | Milestone: 0.11.1
Component: filter | Version: 0.11.0
Severity: critical | Keywords:
Has_patch: 0 |
----------------------+-----------------------------------------------------
Not a security problem, since error messages are not user supplied, but
very uncool nonetheless. Must use {{{htmlspecialchars()}}} when replacing
values in the document fragment. UTF-8 is enough since DOM uses only that
internally.
--
Ticket URL: <http://trac.agavi.org/ticket/715>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
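
The failure described in the ticket, and the fix it proposes, as an added example that is not Agavi's own code. It assumes the message is substituted into markup that is then parsed with DOMDocumentFragment::appendXML(); the markup template and the function name buildErrorFragment are hypothetical.

```php
<?php
// Added example, not Agavi code. The markup template, the %s placeholder and
// buildErrorFragment() are hypothetical; the DOM, libxml and
// htmlspecialchars() calls are standard PHP.

/**
 * Substitute $message into XML markup and parse it into a fragment.
 * With $escape = false the message goes in raw (the defect in the ticket).
 * Returns the serialized element, or null if the markup failed to parse.
 */
function buildErrorFragment(DOMDocument $doc, string $message, bool $escape): ?string
{
    if ($escape) {
        // DOM works in UTF-8 internally, so that is the charset to escape for.
        $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    }
    $markup = sprintf('<p class="error">%s</p>', $message);

    $fragment = $doc->createDocumentFragment();
    // appendXML() parses its argument as XML, so a bare "&" or "<" in the
    // message is a parse error and the call returns false.
    $previous = libxml_use_internal_errors(true);
    $ok = @$fragment->appendXML($markup);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $ok ? $doc->saveXML($fragment->firstChild) : null;
}

$doc = new DOMDocument('1.0', 'UTF-8');

// Constructed sample messages containing characters that are special in XML.
$messages = [
    'Please fill in "Name" & "E-Mail"',
    'Value must be < 100',
    'Straße & Hausnummer fehlen',
];

foreach ($messages as $message) {
    $raw     = buildErrorFragment($doc, $message, false);
    $escaped = buildErrorFragment($doc, $message, true);
    printf(
        "message: %s\n  raw:     %s\n  escaped: %s\n\n",
        $message,
        $raw ?? '(parse failure)',
        $escaped ?? '(parse failure)'
    );
}
```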