I was checking the validity of my project's HTML and noticed that some
things weren't being escaped properly. After investigating, I
discovered the problems were in certain places where I am outputting
an array with string keys.

Basically, in my code I am doing this:

// Action
$this->foo = array('<<' => 'bbb', '1' => 'aaa', '2' => 'bbb', '3' =>
null, '4' => 'ddd', '>>' => 'ddd');

// Template
<?php foreach($foo as $k => $v) { ?>
<a href="<?php echo $v; ?>"><?php echo $k; ?></a>
<?php } ?>

The $foo template value, being an array, obviously gets converted to
an instance of sfOutputEscaperArrayDecorator. But, I discovered that
sfOutputEscaperArrayDecorator does not apply any escaping to keys, but
only values! So where, as I am doing, you are iterating over the array
and want to output both value *and* key, you get broken HTML where
your keys happen to contain special characters.

Is there any particular reason why sfOutputEscaperArrayDecorator
doesn't escape keys?

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony users" group.

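The behaviour the post describes, reproduced in plain PHP as an added example (this is not code from the post and not symfony's own sfOutputEscaperArrayDecorator). The two iterator classes, the escapeHtml() helper and the renderLinks() template function are hypothetical stand-ins, and the array contents are the constructed sample data from the post; it assumes PHP 8 for constructor property promotion.

```php
<?php
// Added example, not from the original post or from symfony's own code.
// Shows a value-only escaper (the behaviour reported above) beside one
// that escapes keys as well, plus the explicit per-output fix a template
// can apply regardless of the decorator it is handed.

declare(strict_types=1);

// Stand-in for the framework's HTML escaping helper (assumption).
function escapeHtml(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical iterator mirroring the reported behaviour: values are
// escaped on the way out, keys are passed through untouched.
final class ValueOnlyEscaper implements IteratorAggregate
{
    public function __construct(private array $data) {}

    public function getIterator(): Generator
    {
        foreach ($this->data as $k => $v) {
            yield $k => escapeHtml($v);   // key is NOT escaped here
        }
    }
}

// Hardened variant (hypothetical): keys and values are both escaped, so a
// template that prints $k produces valid HTML for keys like '<<' or '>>'.
final class KeyAndValueEscaper implements IteratorAggregate
{
    public function __construct(private array $data) {}

    public function getIterator(): Generator
    {
        foreach ($this->data as $k => $v) {
            yield escapeHtml((string) $k) => escapeHtml($v);
        }
    }
}

// The template loop from the post, as a function: it trusts whatever the
// iterator yields and prints both key and value.
function renderLinks(iterable $items): string
{
    $html = '';
    foreach ($items as $k => $v) {
        $html .= sprintf("<a href=\"%s\">%s</a>\n", $v, $k);
    }
    return $html;
}

// Defensive version of the same loop: escape the key at the point of
// output. This stays correct even if the decorator only escapes values.
function renderLinksEscapingKeys(iterable $items): string
{
    $html = '';
    foreach ($items as $k => $v) {
        $html .= sprintf("<a href=\"%s\">%s</a>\n", $v, escapeHtml((string) $k));
    }
    return $html;
}

// Constructed sample data taken from the post.
$foo = ['<<' => 'bbb', '1' => 'aaa', '2' => 'bbb', '3' => null, '4' => 'ddd', '>>' => 'ddd'];

echo "--- values escaped only: raw '<<' and '>>' land in the HTML ---\n";
echo renderLinks(new ValueOnlyEscaper($foo));

echo "--- keys and values escaped by the iterator ---\n";
echo renderLinks(new KeyAndValueEscaper($foo));

echo "--- value-only iterator, but the template escapes the key itself ---\n";
echo renderLinksEscapingKeys(new ValueOnlyEscaper($foo));
```

The first block of output contains `<a href="bbb"><<</a>`, which is exactly the invalid markup the post's HTML validator flagged; the other two emit `&lt;&lt;` and `&gt;&gt;` in the key position. Escaping keys in the iterator does not create collisions, because htmlspecialchars() maps distinct inputs to distinct outputs, but the per-output escapeHtml((string) $k) in the template is the change that protects a view no matter which decorator it receives.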