
Revision 315f3753

Child 8f41edf7

Added by Bastian Waidelich over 7 years ago

[!!!][BUGFIX] Enforce escaping on string-cast objects

This change assures that the escape interceptor is active for objects
that are cast to strings implicitly.

For HTML requests Fluid internally applies the
``HtmlspecialcharsViewHelper`` on variables before rendering them.
An ``is_string()`` check in the escaping ViewHelpers effectively
disabled this behavior for objects that are converted to strings
implicitly via a ``__toString()`` method.

This is a breaking change if you relied on the previous behavior that
escaping is disabled for objects. In this case you can apply the
format.raw ViewHelper to achieve the old behavior::

{object -> f:format.raw()}

But be aware that this might pose a security issue if
``$object->__toString()`` returns an insecure string.
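The behaviour described above, reduced to a stand-alone model (added example, not Fluid's own code; ``UserHandle``, ``escapeOld``, ``escapeNew`` and ``raw`` are hypothetical names): the old check lets an object slip past the escaper because ``is_string()`` is false for it, while the fixed variant casts ``__toString()`` objects first and then escapes the result exactly like any other variable.

```php
<?php
// Added example, not Fluid's own code. Models the escaping interceptor the
// commit message describes; all names here are hypothetical.

// A domain object whose string form is built from user-controlled data.
final class UserHandle
{
    public function __construct(private string $value) {}

    public function __toString(): string
    {
        return $this->value;
    }
}

// Old behaviour: only values that are already strings get escaped, so an
// object that is converted via __toString() during output is left untouched.
function escapeOld(mixed $value): mixed
{
    if (!is_string($value)) {
        return $value;              // object passes through unescaped
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed behaviour: objects exposing __toString() are cast to string first,
// then run through the same escaping as every other string variable.
function escapeNew(mixed $value): mixed
{
    if (is_object($value) && method_exists($value, '__toString')) {
        $value = (string)$value;
    }
    if (!is_string($value)) {
        return $value;              // ints, bools, arrays etc. stay as-is
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The opt-out the commit message mentions (f:format.raw): no escaping at all,
// so it is only appropriate when __toString() is known to return safe HTML.
function raw(mixed $value): string
{
    return (string)$value;
}

// Constructed sample input: a handle whose string form carries markup.
$handle = new UserHandle('<b>name</b> & "co"');

// Output is modelled as string concatenation, which is when the implicit
// __toString() cast happens for a template expression such as {object}.
echo 'old: ' . escapeOld($handle) . PHP_EOL;  // markup reaches the page
echo 'new: ' . escapeNew($handle) . PHP_EOL;  // &lt;b&gt;name&lt;/b&gt; &amp; &quot;co&quot;
echo 'raw: ' . raw($handle) . PHP_EOL;        // explicit opt-out, unescaped
```

Run with any PHP 8 interpreter. The difference between the first two lines is the bug: with the old check the object is concatenated unescaped, with the fixed check its ``__toString()`` output is HTML-escaped before it reaches the response.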

Change-Id: I7c66d3247ffda8f5dc5a03a823f0a05a56ff686b
Fixes: #60069
Releases: master, 2.2, 2.1
