Bug #71692

closed

Fluid does not encode objects that act as string (have the __toString method)

Added by Claus Due about 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2015-11-19
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

See https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/backend/Resources/Private/Partials/ButtonBar.html

Uses {button} without escaping with f:raw which should cause the output to be escaped. It does not.

This problem does not exist in standalone Fluid.
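The class of bug this report describes, as an added example that is not part of the original report and is not Fluid's or TYPO3's code: an escaper that only handles real strings, next to one that also covers objects with `__toString`. `DemoButton` and both function names are hypothetical, the label is constructed sample input, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a button object passed to a template as {button}.
final class DemoButton
{
    public function __construct(private string $label) {}

    // The object "acts as a string": the template engine casts it on output.
    public function __toString(): string
    {
        return '<a class="btn">' . $this->label . '</a>';
    }
}

// Simplified model of the reported behaviour (an assumption, not Fluid's code):
// only values that are already strings are escaped, everything else passes through.
function escapeStringsOnly(mixed $value): mixed
{
    if (!is_string($value)) {
        return $value; // a __toString object leaves here untouched
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: anything that will be rendered as a string is cast, then escaped.
function escapeStringLike(mixed $value): mixed
{
    $castable = is_object($value) && method_exists($value, '__toString');
    if (is_string($value) || $castable) {
        return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $value; // arrays, numbers, other objects: not string output
}

// Constructed sample input: a label containing markup characters.
$button = new DemoButton('Save & <em>close</em>');

// echo casts the returned object to a string, so the markup is emitted raw.
echo 'strings only : ', escapeStringsOnly($button), PHP_EOL;

// The object is cast first, so its markup is entity-encoded like any string.
echo 'string-like  : ', escapeStringLike($button), PHP_EOL;
```

With the hardened form, a template that relies on the object emitting its own markup has to opt out explicitly, for example with the `f:raw` mentioned above.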

Actions #1

Updated by Helmut Hummel about 9 years ago

  • Project changed from TYPO3 Core to 1716
  • Category deleted (Fluid)

Actions #2

Updated by Helmut Hummel about 9 years ago

  • Subject changed from SECURITY: HTML does not get escaped in EXT:backend/Resources/Private/Partials/ButtonBar.html to Fluid does not encode objects that act as string (have the __toString method)

We should keep it like that as changing it would be breaking and we will include standalone Fluid in TYPO3 8 anyway where this (and more inconsistencies) will be fixed.

Actions #3

Updated by Helmut Hummel about 9 years ago

  • Project changed from 1716 to TYPO3 Core
  • Is Regression set to No

Actions #4

Updated by Mathias Schreiber over 8 years ago

  • Status changed from New to Closed

fixed
