Do not show encoded HTML tags in updater view #8512

Merged, 1 commit, Aug 20, 2015

Conversation

@tsteur (Member) commented Aug 7, 2015

fixes #8366

For now I decided to strip tags as it was done in 4f9f30e#diff-d3148e3bddcfc2a08ca93436357a0a0cR161

What I should mention is that the welcome updater screen uses the raw filter for coreMessage. I presume it could make sense to use the same for both: https://github.com/piwik/piwik/blob/2.14.3/plugins/CoreUpdater/templates/runUpdaterAndExit_welcome.twig#L21

but I'm scared of introducing an XSS or so as I'm not sure what kind of errors there could be. Stripping tags should be the most secure for sure and I'm not sure if formatted output is really needed. The code element could be still quite useful but otherwise it is displayed bold anyway (I could allow code in striptags).

@tsteur added the labels not-in-changelog (for issues or pull requests that should not be included in the release changelog on matomo.org) and Needs Review (PRs that need a code review), Aug 7, 2015
@tsteur added this to the 2.15.0 milestone, Aug 7, 2015
@diosmosis (Member) commented
I think striptags is ok for 2.15. We shouldn't introduce potential issues in our LTS version anyway.

Hopefully, #4231 and angular work will allow us to get rid of |raw and |striptags in 3.0.
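The three rendering choices weighed in the two comments above (default escaping, which shows the tags literally; `|raw`, which trusts the message; `|striptags`, which drops the tags), as an added PHP example that is not Piwik code. It relies only on two facts about the tools involved: Twig's autoescape calls `htmlspecialchars()`, and Twig's `striptags` filter is PHP's `strip_tags()`, including its optional allowed-tags argument. The two messages are constructed; the `renderCodeOnly()` helper is a hypothetical way to keep `<code>` formatting without the attribute problem that `strip_tags($msg, '<code>')` has.

```php
<?php
// Added example, not Piwik/Matomo code. Shows what each Twig filter choice
// discussed in PR #8512 would put into the updater page for the same message.

// Twig autoescape (the current behaviour that issue #8366 complains about):
// the tags in the message are shown literally as &lt;code&gt; ... &lt;/code&gt;.
function renderEscaped(string $msg): string
{
    return htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// {{ msg|raw }}: the message reaches the browser unchanged, so any markup
// an error text happens to carry (or that an attacker controls) executes.
function renderRaw(string $msg): string
{
    return $msg;
}

// {{ msg|striptags }}: Twig's filter is PHP strip_tags(); all tags are removed,
// the text between them is kept (the script body survives as inert text).
function renderStripped(string $msg): string
{
    return strip_tags($msg);
}

// {{ msg|striptags('<code>') }}, i.e. "allow code in striptags" as suggested.
// Caveat: PHP keeps the attributes of allowed tags, so an event handler on
// <code ...> is passed through untouched.
function renderStrippedAllowCode(string $msg): string
{
    return strip_tags($msg, '<code>');
}

// Hypothetical hardened variant: escape everything first, then turn only a
// bare <code> / </code> pair back into markup. Attributes on <code> are
// discarded because the whole escaped tag (up to the first &gt;) is replaced.
function renderCodeOnly(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $escaped = preg_replace('/&lt;code\b.*?&gt;/is', '<code>', $escaped);
    return str_replace('&lt;/code&gt;', '</code>', $escaped);
}

// Constructed sample messages: one realistic updater error, one hostile one.
function sampleMessages(): array
{
    return [
        'friendly' => 'Error while updating: please check <code>config/config.ini.php</code>',
        'hostile'  => '<code onmouseover="alert(1)">hover me</code><script>alert(2)</script>',
    ];
}

// Renders every sample with every strategy; returns strategy => message => HTML.
function demo(): array
{
    $strategies = [
        'escaped'        => 'renderEscaped',
        'raw'            => 'renderRaw',
        'striptags'      => 'renderStripped',
        'striptags_code' => 'renderStrippedAllowCode',
        'code_only'      => 'renderCodeOnly',
    ];
    $out = [];
    foreach ($strategies as $name => $fn) {
        foreach (sampleMessages() as $label => $msg) {
            $out[$name][$label] = $fn($msg);
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    foreach (demo() as $name => $results) {
        foreach ($results as $label => $html) {
            printf("%-15s %-9s %s\n", $name, $label, $html);
        }
    }
}
```

For the hostile message the output lines are the whole point: `raw` emits the `<script>` unchanged; `striptags` yields `hover mealert(2)` (ugly but inert); `striptags_code` yields `<code onmouseover="alert(1)">hover me</code>alert(2)`, which is live XSS, because PHP's `strip_tags()` does not touch the attributes of tags named in its second argument; `code_only` yields `<code>hover me</code>&lt;script&gt;alert(2)&lt;/script&gt;`. For the friendly message, `escaped` shows `&lt;code&gt;...&lt;/code&gt;` literally, which is the symptom reported in #8366, while `striptags` and `code_only` both read correctly.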

diosmosis added a commit that referenced this pull request Aug 20, 2015
Do not show encoded HTML tags in updater view error and warning messages.
@diosmosis diosmosis merged commit 32542af into master Aug 20, 2015
@diosmosis diosmosis deleted the 8366 branch August 20, 2015 23:43