#401 (no escaping on metas or title)

Ticket #401 (closed defect: fixed)

Opened 2 years ago

Last modified 4 months ago

no escaping on metas or title

Reported by: pookey@pookey.co.uk
Assigned to:
Priority: major
Milestone: 1.1.0
Component: view
Version:
Keywords:
Cc: Simone.Carletti
Qualification: Design decision

Description

Mike Squire and Paul Lomax have pointed out that there is no escaping of metas and titles in sfWebResponse. They provided me with a patch...

Change History

04/06/06 14:05:16 changed by pookey

See r1128 in my branch.

04/06/06 15:10:54 changed by Paul Lomax

The patch applies htmlentities to items added to the head (meta and title) unless specifically turned off by the user in an action. The responsibility for escaping is on the developer inside the view.yml, the reasoning being that adding the parameter would make the syntax more complex and unintuitive, and the worst that can happen is that the page doesn't validate properly (it won't be cross-site-scriptable).

04/07/06 11:28:25 changed by fabien

  • status changed from new to closed.
  • resolution set to fixed.

fixed in r1143.

03/02/07 08:33:38 changed by Alexey.Kirpichnikov

  • status changed from closed to reopened.
  • resolution deleted.
  • component set to view.

Please consider replacing htmlentities() with htmlspecialchars() everywhere in the code, because htmlentities() converts every non-ASCII symbol into an HTML entity. It is certainly not good for all non-Latin languages, e.g. Russian.

Metas and titles look like жопа ....

This confuses some search engines. This increases the page size. This spoils the HTML source. This is simply not right.

See also #1488
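The difference the two comments above describe, as an added example that is not part of this ticket and not symfony's sfWebResponse code: both functions neutralise an attribute-breakout payload in a meta tag, but htmlentities() with PHP 5's ISO-8859-1 default turns every byte of a multibyte UTF-8 title into a named entity, which is the bloat reported for Russian titles. The sample title and description are constructed; the example assumes PHP 8 on the CLI and passes 'ISO-8859-1' explicitly to reproduce the PHP 5 default (PHP 8 defaults to UTF-8, where htmlentities() with the HTML 4.01 entity table leaves Cyrillic untouched).

```php
<?php
// Added example: contrasts the escaping functions discussed in this ticket
// when building the <title> and <meta> tags of an HTML head.
declare(strict_types=1);

// Constructed sample values: a Russian title, and a description carrying an
// attribute-breakout XSS attempt of the kind the original patch was meant to stop.
$title       = 'Новости сайта';
$description = '"><script>alert(1)</script>';

function headWithEntities(string $title, string $description): string
{
    // What the 2006 patch did: htmlentities() on everything. Under the old
    // ISO-8859-1 default every byte of a multibyte UTF-8 character becomes a
    // Latin-1 named entity, so the Cyrillic title is replaced by entity soup.
    $t = htmlentities($title, ENT_QUOTES, 'ISO-8859-1');
    $d = htmlentities($description, ENT_QUOTES, 'ISO-8859-1');
    return "<title>$t</title>\n<meta name=\"description\" content=\"$d\" />";
}

function headWithSpecialChars(string $title, string $description): string
{
    // The change the ticket asks for: only the characters with HTML meaning
    // (&, <, >, " and with ENT_QUOTES also ') are escaped, so the Cyrillic
    // title passes through unchanged while the payload still cannot close the
    // content attribute or open a script element.
    $t = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $d = htmlspecialchars($description, ENT_QUOTES, 'UTF-8');
    return "<title>$t</title>\n<meta name=\"description\" content=\"$d\" />";
}

$variants = [
    'htmlentities'     => headWithEntities($title, $description),
    'htmlspecialchars' => headWithSpecialChars($title, $description),
];

foreach ($variants as $name => $head) {
    echo "--- $name (", strlen($head), " bytes) ---\n", $head, "\n\n";
    // Both variants satisfy the security claim from the original patch
    // discussion: no raw <script tag and no unescaped quote that could
    // terminate the content="..." attribute survive in the output.
    if (strpos($head, '<script') !== false) {
        throw new RuntimeException("$name left a raw script tag in the head");
    }
}
```

Run it with `php head_escaping.php`; compare the byte counts and the readability of the `<title>` element in the two outputs. The security property is identical in both variants, which is why the remaining question in this ticket is one of output size and correctness for non-Latin content, not of XSS.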

12/14/07 18:20:41 changed by Simone.Carletti

  • cc set to Simone.Carletti.
  • qualification set to Unreviewed.

12/20/07 14:04:49 changed by markng

  • qualification changed from Unreviewed to Design decision.

In Symfony 1.1, #1488 has been fixed, but this addMeta in sfWebResponse still just uses htmlentities. Should this just be changed to htmlspecialchars, or should this be a config entry, or just use the application's default escaping strategy?

12/20/07 14:37:31 changed by markng

#2697 now contains details about escaping strategy decisions

02/08/08 23:50:24 changed by dwhittle

Is there any conclusion here? We are now escaping values of meta tags.

03/15/08 13:35:24 changed by fabien

  • status changed from reopened to closed.
  • resolution set to fixed.
  • milestone set to 1.1.0.

in r7899