I was checking the validity of my project's HTML and noticed that some things weren't being escaped properly. After investigating, I discovered the problems were in certain places where I am outputting an array with string keys.
Basically, in my code I am doing this: // Action $this->foo = array('<<' => 'bbb', '1' => 'aaa', '2' => 'bbb', '3' => null, '4' => 'ddd', '>>' => 'ddd'); // Template <?php foreach($foo as $k => $v) ?> <a href="<?php echo $v; ?>"><?php echo $k; ?></a> <?php } ?> The $foo template value, being an array, obviously gets converted to an instance of sfOutputEscaperArrayDecorator. But, I discovered that sfOutputEscaperArrayDecorator does not apply any escaping to keys, but only values! So where, as I am doing, you are iterating over the array and want to output both value *and* key, you get broken HTML where your keys happen to contain special characters. Is there any particular reason why sfOutputEscaperArrayDecorator doesn't escape keys? -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony users" group. To post to this group, send email to symfony-users@googlegroups.com To unsubscribe from this group, send email to symfony-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en