NOTE: Had to add the risky `|raw` to the `item.comment`, which may have security risks if some of the "Informational" diagnostics contain random content that may be injectable by someone or the system. Maybe we should audit all informational diagnostics?
Here is what it looks like:
@mattab Actually it seems all other informational results are handled using this method:
So maybe we could add some kind of HTML escaping there, to prevent any injection coming from server configuration variables or HTTP headers.
Sounds good @sgiehl - unfortunately I won't have time to finish the work on this, so maybe someone can do it :see_no_evil:
We can look into this eventually as part of 4.4 release
If we escape the comment we won't be able to put the link in, correct? We could accomplish the same thing w/ another variable that's meant to not contain unsafe input (eg,
@diosmosis I've rebased the branch and updated it so comments for informational items are escaped by default. Even though it currently seems unneeded, there is a new parameter to disable that.
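As an added illustration of the escape-by-default approach discussed in this thread (this is not Matomo's code; the class, method and field names are hypothetical, the sample header value and URL are constructed, and PHP 8 is assumed): the comment is escaped once on the PHP side so the template can keep `|raw` without double-escaping, there is an explicit opt-out parameter, and the link lives in separate trusted fields instead of inside the comment.

```php
<?php
declare(strict_types=1);

// Added illustration only: this is not Matomo's code. The class, method and
// field names are hypothetical stand-ins for the real diagnostic result item.

/**
 * One "Informational" diagnostic line.
 *
 * The comment is treated as untrusted because it may echo server configuration
 * values or HTTP headers, so it is HTML-escaped by default and a caller that
 * needs markup has to opt out explicitly. A link is kept in separate fields
 * so the comment never has to be rendered raw just to carry a link.
 */
final class InformationalDiagnosticItem
{
    public function __construct(
        private string $comment,
        private bool $escapeComment = true,   // the opt-out switch
        private ?string $linkUrl = null,      // trusted, developer-supplied
        private ?string $linkText = null
    ) {
    }

    private static function escape(string $value): string
    {
        // ENT_QUOTES also escapes single quotes, so the result is safe inside
        // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
        // silently returning an empty string.
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    public function renderComment(): string
    {
        return $this->escapeComment ? self::escape($this->comment) : $this->comment;
    }

    public function renderLink(): string
    {
        // Only http(s) URLs are accepted for the href; javascript: and data:
        // URLs are dropped rather than escaped.
        if ($this->linkUrl === null || !preg_match('#^https?://#i', $this->linkUrl)) {
            return '';
        }
        return sprintf(
            '<a href="%s">%s</a>',
            self::escape($this->linkUrl),
            self::escape($this->linkText ?? $this->linkUrl)
        );
    }

    /** Final HTML for the template; output this with |raw and nothing else. */
    public function renderHtml(): string
    {
        $link = $this->renderLink();
        return $this->renderComment() . ($link === '' ? '' : ' ' . $link);
    }
}

// Constructed sample input: a Host header value that a client controls.
$hostHeader = 'evil.example"><script>alert(1)</script>';

$item = new InformationalDiagnosticItem(
    "Detected Host header: $hostHeader",
    true,
    'https://example.com/faq/host-header',  // placeholder URL
    'Read more'
);
echo $item->renderHtml(), PHP_EOL;

// The same input with escaping switched off reaches the page verbatim.
$rawItem = new InformationalDiagnosticItem("Detected Host header: $hostHeader", false);
echo $rawItem->renderHtml(), PHP_EOL;
```

Run it with `php example.php`: the first line shows the `<script>` tag neutralised while the link is still a real anchor; the second shows what the opt-out lets through. Escaping has to happen exactly once, so if the Twig template keeps `|raw` the PHP side must escape, and if the template drops `|raw` and relies on autoescape the PHP side must not, otherwise the comment shows `&amp;lt;` artefacts.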