The HTML escaper's call to htmlspecialchars sets the "double_encode" option to false. In theory, this is a good thing, because you wouldn't want to mistakenly escape the same text twice. But in practice, I think it amounts to a bug, because htmlspecialchars can never truly know whether the string has been escaped before.
For example:

    $message = 'This message is for a web forum, and I want to tell someone that the HTML entity for the copyright symbol is &copy;.';
    echo $view->escape($message);

I would expect the entity to be escaped, but PHP sees the entity and thinks it's been escaped before, so the string is returned unchanged. The "double_encode" option doesn't seem reliable, and I don't think Symfony should use it.
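An added example, not code from the post above or from Symfony, that reproduces the behaviour the post describes by calling PHP's htmlspecialchars() directly. The two input strings are constructed samples; the helper names escapeLenient and escapeStrict are assumptions for this illustration:

```php
<?php
// Added example, not code from the original post or from Symfony.
// It shows why double_encode=false cannot tell "text that happens to
// contain an entity" apart from "text that was already escaped once".

// Constructed sample inputs. Both contain bytes that look like entities,
// but the writer's intent differs.
$rawText        = 'The HTML entity for the copyright symbol is &copy;.'; // should display "&copy;" literally
$alreadyEscaped = htmlspecialchars('Tom & Jerry <3', ENT_QUOTES, 'UTF-8');  // escaped once already: "Tom &amp; Jerry &lt;3"

// double_encode = false: existing entities are left untouched.
function escapeLenient(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// double_encode = true (PHP's default): every '&' becomes "&amp;".
function escapeStrict(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', true);
}

foreach (['raw text' => $rawText, 'already escaped' => $alreadyEscaped] as $label => $input) {
    echo $label, ":\n";
    echo "  input:               ", $input, "\n";
    echo "  double_encode=false: ", escapeLenient($input), "\n";
    echo "  double_encode=true:  ", escapeStrict($input), "\n";
}
```

With double_encode=false the raw text comes back unchanged, so a browser renders the copyright symbol instead of the literal text "&copy;" the writer meant to show; with double_encode=true the already-escaped string is encoded a second time. The escaper has no way to know which case it is looking at, which is why the usual remedy is to keep stored data unescaped and escape it exactly once, at output time, with double encoding left on.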
