Bug #60082

closed

Backport: Objects cast to string are not escaped

Added by Philipp Maier over 9 years ago. Updated over 5 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Fluid
Target version: -
Start date: 2014-07-03
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

Basically if you have a class like this:

class HelloWorld {
    public function __toString() { return '<script>alert("hello world");</script>'; }
}

and you assign it as a fluid variable like this:

$this->view->assign('helloworld', new HelloWorld());

and have a template like this:

{helloworld}

you're going to have a bad time.

------
Copied over from the Flow Bug Tracker: http://forge.typo3.org/issues/60069
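
The failure mode reported above, as an added example that is not part of the original report and is not Fluid's own code: a minimal placeholder renderer that escapes only values that are already strings, next to one that casts to string first and then escapes. The function names and the regex-based `{name}` substitution are hypothetical, and the string-only check is an assumption about how such a gap can arise.

```php
<?php
// Added illustration only; NOT Fluid's implementation. All function names are hypothetical.

// Stand-in for the class from the report.
final class HelloWorld
{
    public function __toString(): string
    {
        return '<script>alert("hello world");</script>';
    }
}

/** Flawed pattern: escaping is applied only when the value is already a string. */
function renderEscapingStringsOnly(string $template, array $variables): string
{
    return preg_replace_callback('/\{(\w+)\}/', static function (array $m) use ($variables): string {
        $value = $variables[$m[1]] ?? '';
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        // Objects skip the escaping branch; the cast below emits their raw markup.
        return (string)$value;
    }, $template);
}

/** Corrected pattern: cast to string first, then escape whatever the cast produced. */
function renderEscapingAfterCast(string $template, array $variables): string
{
    return preg_replace_callback('/\{(\w+)\}/', static function (array $m) use ($variables): string {
        $value = $variables[$m[1]] ?? '';
        // Arrays and objects without __toString() cannot be printed; emit nothing here.
        if (is_array($value) || (is_object($value) && !method_exists($value, '__toString'))) {
            return '';
        }
        return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
    }, $template);
}

$template  = '<p>{helloworld}</p>';               // constructed sample template
$variables = ['helloworld' => new HelloWorld()];  // same assignment as in the report

echo renderEscapingStringsOnly($template, $variables), PHP_EOL; // markup passes through unescaped
echo renderEscapingAfterCast($template, $variables), PHP_EOL;   // markup is entity-encoded
```

A regression test for this class of bug should assign an object with `__toString()` to the view, not only a plain string, since the two take different code paths in the flawed version.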


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #69863: Use new standalone Fluid as composer dependency (Closed, Claus Due, 2015-09-16)
