Bug #60082
Backport: Objects cast to string are not escaped
| Status: | New | Start date: | 2014-07-03 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assigned To: | - | % Done: | 0% |
| Category: | Fluid | Spent time: | - |
| Target version: | - | | |
| TYPO3 Version: | 6.2 | Is Regression: | No |
| PHP Version: | | Sprint Focus: | |
| Complexity: | easy | | |
Description
Basically if you have a class like this:
    class HelloWorld {
        public function __toString() { return '<script>alert("hello world");</script>'; }
    }
and you assign it as a fluid variable like this:
    $this->view->assign('helloworld', new HelloWorld());
and have a template like this:
    {helloworld}
you're going to have a bad time.
------
Copied over from the Flow Bug Tracker: http://forge.typo3.org/issues/60069
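The behaviour described above, as an added PHP example that is not part of the original report and not Fluid's own code. `renderStringsOnly()` and `renderEscaped()` are hypothetical stand-ins for a template engine's variable output; they show the unescaped object cast beside a form that casts first and then escapes.

```php
<?php
// Class from the report (constructed payload, harmless alert).
class HelloWorld
{
    public function __toString()
    {
        return '<script>alert("hello world");</script>';
    }
}

// Hypothetical model of the reported behaviour: only values that are
// already strings get escaped; anything else is cast on output.
function renderStringsOnly($value)
{
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return (string) $value; // object: __toString() result is emitted raw
}

// Hardened form (an assumption, not the merged patch): resolve the value
// to a string first, then escape whatever came out of the cast.
function renderEscaped($value)
{
    if (is_object($value) && !method_exists($value, '__toString')) {
        throw new InvalidArgumentException(get_class($value) . ' has no __toString()');
    }
    if (is_array($value) || is_resource($value)) {
        throw new InvalidArgumentException('Cannot render ' . gettype($value));
    }
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$value = new HelloWorld();
$raw = renderStringsOnly($value);
$escaped = renderEscaped($value);

echo "strings-only: ", $raw, PHP_EOL;
echo "cast+escape:  ", $escaped, PHP_EOL;

// Regression check: markup from __toString() must not survive rendering.
if (strpos($raw, '<script>') === false || strpos($escaped, '<') !== false) {
    throw new RuntimeException('unexpected rendering result');
}
```

The final check is the kind of assertion worth keeping as a unit test around any output path that accepts non-string values.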
History
#1 Updated by Stefan Neufeind about 1 year ago
Meanwhile merged in TYPO3.Fluid - needs a backport.
#2 Updated by Alexander Opitz 11 months ago
- Project changed from Fluid to Core
- Subject changed from Objects cast to string are not escaped to Backport: Objects cast to string are not escaped
- Category changed from Fluid: ViewHelpers to Fluid
- Target version deleted (next-patchlevel)
- TYPO3 Version set to 6.2
- Is Regression set to No