@tsteur opened this Pull Request on August 7th 2015 Member

fixes #8366

For now I decided to strip tags as it was done in https://github.com/piwik/piwik/commit/4f9f30e653ff22e253e90b0d3797a5831fb259d0#diff-d3148e3bddcfc2a08ca93436357a0a0cR161

What I should mention is that the welcome updater screen uses the raw filter for coreMessage. I presume it could make sense to use the same for both: https://github.com/piwik/piwik/blob/2.14.3/plugins/CoreUpdater/templates/runUpdaterAndExit_welcome.twig#L21

but I'm scared of introducing an XSS or so as I'm not sure what kind of errors there could be. Stripping tags should be the most secure for sure and I'm not sure if formatted output is really needed. The code element could still be quite useful, but otherwise it is displayed bold anyway (I could allow code in striptags).
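
The trade-off discussed above (`|raw` vs `|striptags` vs escaping, and what happens if `code` is whitelisted in striptags), as an added PHP example that is not Piwik's code. Twig's `|striptags` filter delegates to PHP's `strip_tags()` and the default `|e` autoescape delegates to `htmlspecialchars()`, so the helpers below reproduce each option; the function names and the sample error messages are constructed for illustration.

```php
<?php
// Added example, not from the Piwik code base: the three ways an updater error
// message could reach the page, plus a variant that keeps <code> formatting
// without the attribute-preservation problem of strip_tags().

// |raw: the message is emitted exactly as produced, including any markup.
function renderRaw(string $msg): string
{
    return $msg;
}

// |striptags: every tag is removed, so only text survives. Safest, no formatting.
function renderStriptags(string $msg): string
{
    return strip_tags($msg);
}

// |striptags('<code>'): <code> tags are kept, but strip_tags() does not touch
// attributes on allowed tags, so anything inside the tag survives as well.
function renderStriptagsAllowCode(string $msg): string
{
    return strip_tags($msg, '<code>');
}

// Escape first (what |e does), then restore only well-formed, attribute-free
// <code>...</code> pairs. Attributes can never come back because the restored
// pattern matches the bare escaped tag only.
function renderEscapedWithCode(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace(
        '/&lt;code&gt;(.*?)&lt;\/code&gt;/s',
        '<code>$1</code>',
        $escaped
    );
}

// Constructed sample messages: one benign, one carrying an attribute on the
// allowed tag and a tag that is not on the allow list.
$samples = [
    'Table <code>piwik_log_visit</code> is missing column <code>idsite</code>.',
    'Error <code title="x">SQLSTATE[42S02]</code> near "<b>foo</b>"',
];

foreach ($samples as $msg) {
    echo "input:                  ", $msg, "\n";
    echo "raw:                    ", renderRaw($msg), "\n";
    echo "striptags:              ", renderStriptags($msg), "\n";
    echo "striptags allow <code>: ", renderStriptagsAllowCode($msg), "\n";
    echo "escaped + <code> pairs: ", renderEscapedWithCode($msg), "\n\n";
}
```

Running this shows the point behind the PR's choice: `renderStriptags()` is the only option that is safe regardless of what the message contains, `renderStriptagsAllowCode()` keeps `title="x"` verbatim (and would keep any other attribute just the same), and `renderEscapedWithCode()` gives the `<code>` formatting back while leaving the attribute-bearing tag and the `<b>` tag as harmless escaped text.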

@diosmosis commented on August 20th 2015 Member

I think striptags is ok for 2.15. We shouldn't introduce potential issues in our LTS version anyway.

Hopefully, https://github.com/piwik/piwik/issues/4231 and angular work will allow us to get rid of |raw and |striptags in 3.0.

This Pull Request was closed on August 20th 2015