Bug #30003
closed
Page Module: Texts of Content Elements are escaped twice
0%
Description
In the Page module, the teaser text of every Content Element gets escaped twice, thus displaying HTML special characters like & as & amp;.
Updated by Steffen Gebert about 13 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset 2de0359ec28164ad90116befa9795323195293bd.
Updated by Chris topher about 13 years ago
- Status changed from Resolved to New
- % Done changed from 100 to 0
Only committed in a sandbox, not in Core yet.
Updated by Chris topher about 13 years ago
- Subject changed from Texts of Content Element are escaped twice to Page Module: Texts of Content Elements are escaped twice
Updated by Oliver Hader about 13 years ago
- Status changed from New to Accepted
- Assignee set to Steffen Gebert
Updated by Oliver Hader about 13 years ago
Steffen, are you going to put this to the Core branches as well?
Updated by Georg Ringer about 13 years ago
i am not sure if this is a good idea concerning to security.
Updated by Steffen Gebert about 13 years ago
Yes, I plan to do so. I just want to have a closer look again. I can't imagine that it can cause XSS, I just think that nobody ever cared (problem already existed with 4.1).
If you want to have a look / push it, feel free to do so!
Updated by Steffen Gebert about 13 years ago
Georg, there are two htmlspecialchars() in a row. That's why I'm pretty sure that nothing can disable one of them in between (however I want to check again to make sure).
Updated by Chris topher over 11 years ago
- Status changed from Accepted to Closed
Duplicate of #16612.
Resolved at least in 6.1. Neither encoded quotes or nbsp signs, nor HTML tags are incorrectly displayed in the page module now.