Bug #60082: Backport: Objects cast to string are not escaped - Core - TYPO3 Forge

Core Indexed Search Linkvalidator Release Cycles Team Resources Workspaces & Versioning TYPO3 CMS Usability Team Community Extensions Distributions Feature-Requests TYPO3 6.2 Projects (+)(Archived Projects)

Bug #60082

Backport: Objects cast to string are not escaped

Added by Philipp Maier about 1 year ago. Updated 11 months ago.

Status:

New

Start date:

2014-07-03

Priority:

Must have

Due date:

Assigned To:

% Done:

Category:

Fluid

Spent time:

Target version:

TYPO3 Version:

6.2

Is Regression:

PHP Version:

Sprint Focus:

Complexity:

easy

Description

Basically if you have a class like this:

class HelloWorld {
public function __toString() { return '<script>alert("hello world");</script>' }
}

and you assign it as a fluid variable like this:

$this->view->assign('helloworld', new HelloWorld());

and have a template like this:

{helloworld}

you're going to have a bad time.

------
Copied over from the Flow Bug Tracker: http://forge.typo3.org/issues/60069

Related issues

History

#1 Updated by Stefan Neufeind about 1 year ago

Meanwhile merged in TYPO3.Fluid - needs a backport.

#2 Updated by Alexander Opitz 11 months ago

Project changed from Fluid to Core
Subject changed from Objects cast to string are not escaped to Backport: Objects cast to string are not escaped
Category changed from Fluid: ViewHelpers to Fluid
Target version deleted (~~next-patchlevel~~)
TYPO3 Version set to 6.2
Is Regression set to No

Also available in: Atom PDF

Core

Issues

Custom queries

Watchers (2)

Bug #60082

Backport: Objects cast to string are not escaped

History

#1 Updated by Stefan Neufeind about 1 year ago

#2 Updated by Alexander Opitz 11 months ago