Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Console] Allow OutputFormatter::escape() to be used for escaping URLs used in <href>#44912

Merged
fabpot merged 1 commit into
symfony:4.4from
Seldaek:patch-18
Jan 7, 2022
Merged

[Console] Allow OutputFormatter::escape() to be used for escaping URLs used in <href>#44912
fabpot merged 1 commit into
symfony:4.4from
Seldaek:patch-18

Conversation

@Seldaek
Copy link
Copy Markdown
Member

@Seldaek Seldaek commented Jan 5, 2022
edited
Loading

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #...
License MIT
Doc PR symfony/symfony-docs#...

I was trying to use escape() to make user-provided URLs safe in <href=...> but I realized it was really only good for avoid starting tags, and not for escaping the content of a tag.

  • escape() now escapes > as well as <
  • URLs containing escaped <, > are now rendered correctly
  • user-provided URLs should now be safe to use (as in they cannot break the formatting) as long as they're piped through escape()
  • possibly also resolves issues if you were trying to use user-provided colors i.e. '<'.OutputFormatter::escape($color).'>' where as in current released code it would not help you at all here. I haven't checked that yet

I am happy to spend time adding tests but would like to first get feedback on the changes to know if it's reasonable or not to change escape() in this way.

The rest of the changes I think are absolutely safe to merge and make sense regardless.

@carsonbot
Copy link
Copy Markdown

carsonbot commented Jan 5, 2022

Hey!

To help keep things organized, we don't allow "Draft" pull requests. Could you please click the "ready for review" button or close this PR and open a new one when you are done?

Note that a pull request does not have to be "perfect" or "ready for merge" when you first open it. We just want it to be ready for a first review.

Cheers!

Carsonbot

@stof
Copy link
Copy Markdown
Member

stof commented Jan 5, 2022

I would say that this makes sense (but it indeed needs tests covering it)

@Seldaek Seldaek marked this pull request as ready for review January 5, 2022 11:45
@Seldaek Seldaek requested a review from chalasr as a code owner January 5, 2022 11:45
@carsonbot carsonbot added this to the 4.4 milestone Jan 5, 2022
@Seldaek
Copy link
Copy Markdown
Member Author

Seldaek commented Jan 6, 2022

OK added tests to cover the new functionality and fixed existing ones 👍🏻

fabpot
fabpot reviewed Jan 7, 2022
View reviewed changes
Comment thread src/Symfony/Component/Console/Formatter/OutputFormatter.php
@Seldaek Seldaek force-pushed the patch-18 branch 2 times, most recently from 08dc2bd to 61f06fa Compare January 7, 2022 08:38
@Seldaek
Allow OutputFormatter::escape() to be used for escaping URLs used in …
cfa8910 
…<href>

- escape() now escapes `>` as well as `<`
- URLs containing escaped `<` and `>` are rendered correctly as is
- user-provided URLs should now be safe to use (as in they cannot break the formatting) as long as they're piped through `escape()`
@fabpot
Copy link
Copy Markdown
Member

fabpot commented Jan 7, 2022

Thank you @Seldaek.

@fabpot fabpot merged commit 29843b3 into symfony:4.4 Jan 7, 2022
This was referenced Jan 28, 2022
Merged
Merged
Merged
Merged
This was referenced Jan 29, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabpot fabpot fabpot approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees

No one assigned

Labels

Bug Console Status: Reviewed

Projects

None yet

Milestone

4.4

Development

Successfully merging this pull request may close these issues.

4 participants

@Seldaek @carsonbot @stof @fabpot