Bug #27789
Escape Post content
| Status: | New | Start date: | 2011-06-30 | |
|---|---|---|---|---|
| Priority: | Should have | Due date: | ||
| Assigned To: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | - |
Description
Currently the post content is outputted with the raw view helper disabling the EscapeInterceptor that applies htmlspecialchars() on the content.
This should be avoided in order to prevent XSS attacks!
Probably this was added to be able to create "rich text" posts.
I'd suggest to add a simple format.mediaWiki view helper (either with the Blog package or even with Fluid) that transforms wiki syntax to (X)HTML.
Comments?
History
#1 Updated by Bastian Waidelich about 4 years ago
- Priority changed from Must have to Should have