[Docs] Add note / warning of not using escape html setting / modifier #865

Closed
ampmonteiro opened this issue Mar 6, 2023 · 0 comments
ampmonteiro commented Mar 6, 2023

Hi,
following up on issue #863.

I recommend that some pages / areas of the docs of v3 and v4, and even of future versions, be updated with some kind of note / warning about not using, or not having turned on, escape_html, or about using $smarty->default_modifiers without this option: ['escape:"htmlall"'], in order to help prevent XSS attacks and follow good security practice.

Example of some pages / areas in v4 docs:

  • Getting started page
  • in designers > language-basic-syntax > Introduction page
  • in designers > language-variables > Introduction page
  • in designers > language-modifiers > Introduction page
  • in designers language-modifiers > Introduction page
  • in designers language-modifiers > escape page
  • in designers language-modifiers > unescape page
  • in programmers > intro
  • programmers/api-variables/variable-escape-html page
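
To illustrate the settings this issue names, here is an added example (not from the issue or the Smarty documentation) that renders one constructed untrusted value under the default configuration, with `escape_html`, with `default_modifiers`, and with the `nofilter` opt-out. It assumes Smarty 4 installed through Composer; the helper names, compile directory and compile ids are hypothetical.

```php
<?php
// Added example; assumes Smarty 4 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

// Constructed untrusted input, standing in for a request parameter.
$untrusted = '<script>alert(1)</script> & "quoted"';

// Hypothetical helper: a fresh Smarty instance per configuration.
// Escaping settings are applied when a template is compiled, so each
// configuration gets its own compile id and never reuses a template
// that was compiled under a different setting.
function newSmarty(string $compileId): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_escape_demo');
    $smarty->setCompileId($compileId);
    return $smarty;
}

// Hypothetical helper: render an inline template with the value assigned.
function render(Smarty $smarty, string $template, string $value): string
{
    $smarty->assign('name', $value);
    return $smarty->fetch('string:' . $template);
}

// 1. Default configuration: {$name} is emitted as-is, markup included.
$plain = newSmarty('plain');
echo 'default:           ', render($plain, 'Hello {$name}', $untrusted), PHP_EOL;

// 2. escape_html: every printed variable is HTML-escaped automatically.
$auto = newSmarty('escape_html');
$auto->escape_html = true;
echo 'escape_html:       ', render($auto, 'Hello {$name}', $untrusted), PHP_EOL;

// 3. default_modifiers: the escape modifier is applied to every variable.
$mod = newSmarty('default_modifiers');
$mod->default_modifiers = ['escape:"htmlall"'];
echo 'default_modifiers: ', render($mod, 'Hello {$name}', $untrusted), PHP_EOL;

// 4. Explicit per-variable escaping still works without either setting.
echo 'escape modifier:   ', render($plain, 'Hello {$name|escape:"htmlall"}', $untrusted), PHP_EOL;

// 5. nofilter switches automatic escaping off for one variable, so every
//    use of it in a template is worth reviewing.
echo 'nofilter:          ', render($auto, 'Hello {$name nofilter}', $untrusted), PHP_EOL;
```

HTML escaping covers output placed in HTML text and attribute values; values written into JavaScript or URLs need escaping suited to that context.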
@ampmonteiro ampmonteiro changed the title [DOCS] Add note / warning about escape html / modifier [Docs] Add note / warning about escape html / modifier Mar 6, 2023
@ampmonteiro ampmonteiro changed the title [Docs] Add note / warning about escape html / modifier [Docs] Add note / warning of not using escape html / modifier Mar 6, 2023
@ampmonteiro ampmonteiro changed the title [Docs] Add note / warning of not using escape html / modifier [Docs] Add note / warning of not using escape htm settingl / modifier Mar 6, 2023
@ampmonteiro ampmonteiro changed the title [Docs] Add note / warning of not using escape htm settingl / modifier [Docs] Add note / warning of not using escape html settingl / modifier Mar 6, 2023
@wisskid wisskid closed this as completed in 3fff081 Feb 2, 2024
wisskid added a commit that referenced this issue Feb 5, 2024