Ticket #34 (closed enhancement: fixed)

Opened 3 years ago

Last modified 3 years ago

I think we should use the following security settings: escaping-strategy: on & csrf-secret

Reported by: enrique Owned by: jzarate
Priority: major Milestone: 0.1
Component: Keywords: escaping, invoice, crsf, form
Cc: enrique, leo, carlos

Description


Change History

Changed 3 years ago by jzarate

  • owner set to jzarate
  • status changed from new to assigned

Changed 3 years ago by jzarate

r230 csrf protection in invoice editing.

Changed 3 years ago by jzarate

  • cc enrique, leo, carlos added
  • keywords escaping, invoice, crsf, form added
  • status changed from assigned to closed
  • resolution set to fixed

r235 escaping strategy ON.

NOTE TO OTHERS: when including partials, the variables that are passed through the companion array are also escaped, and that can produce double-escaping sometimes (if you pass a variable which comes from the action and has already been escaped).

It's described here:

http://trac.symfony-project.org/ticket/509

The solution is here:

http://trac.symfony-project.org/ticket/3215

In the particular case of forms,

<?php echo $form['inputName'] ?>

when called inside an included PHP fragment using a variable passed to it through the companion array, no longer renders proper input fields; it escapes them.

The solution is to use the overloaded method render() instead:

<?php echo $form['inputName']->render(ESC_RAW) ?>
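A small runnable PHP sketch of the double-escaping described in the note above, added here as an example and not taken from symfony or this project: DemoFormField, DemoEscaperDecorator and escapeCompanionArray are stand-ins for the framework's form field and output escaper (an assumption about how they behave), while ESC_RAW and the render() call are the ticket's own.

```php
<?php
// Added example, not symfony's own code: a stripped-down model of how the escaping
// strategy treats values handed to a partial through the companion array, showing
// the double-escaping the note describes and the ESC_RAW fix. Class and function
// names are assumptions; only ESC_RAW and the render() call come from the ticket.
define('ESC_RAW', 'esc_raw');
define('ESC_ENTITIES', 'esc_entities');

function escapeEntities(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for a form field: render() returns real input markup.
class DemoFormField {
    public function __construct(private string $name) {}
    public function render(): string {
        return '<input type="text" name="' . $this->name . '" />';
    }
}

// Stand-in for the escaper decorator wrapped around objects in the companion array:
// method results are escaped unless the caller passes ESC_RAW as the last argument.
class DemoEscaperDecorator {
    public function __construct(private object $wrapped) {}
    public function __call(string $method, array $args): string {
        $strategy = ESC_ENTITIES;
        if (is_string(end($args)) && str_starts_with(end($args), 'esc_')) {
            $strategy = array_pop($args);
        }
        $result = (string) $this->wrapped->$method(...$args);
        return $strategy === ESC_RAW ? $result : escapeEntities($result);
    }
}

// Everything passed to a partial through its companion array gets escaped.
function escapeCompanionArray(array $vars): array {
    foreach ($vars as $key => $value) {
        $vars[$key] = is_object($value) ? new DemoEscaperDecorator($value) : escapeEntities((string) $value);
    }
    return $vars;
}

// The action already escaped 'title' once, then handed both values to the partial.
$partialVars = escapeCompanionArray([
    'title' => escapeEntities('Invoice <#42> & Co'),
    'form'  => new DemoFormField('customer'),
]);
echo $partialVars['title'], "\n";                 // escaped a second time: the double-escaping
echo $partialVars['form']->render(), "\n";        // markup escaped, so no input field is rendered
echo $partialVars['form']->render(ESC_RAW), "\n"; // raw markup: a proper input field
```

Run it with the php CLI: the first line prints the title with its entities escaped a second time, the second prints the input tag as escaped text rather than a form field, and the third prints the input element intact.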