[HttpKernel] hinclude fragment renderer must escape URIs properly to return valid html #7090
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…return valid html
|
Will it works correct when |
|
if your url comes form the routing, yes. It does not rely on the default separator to avoid issues when the separator is configured to |
|
Can you include the proper PR header in the description? Thanks. |
|
Added. |
fabpot
added a commit
that referenced
this pull request
Feb 20, 2013
This PR was merged into the 2.2 branch. Commits ------- 54d7d25 [HttpKernel] hinclude fragment renderer must escape URIs properly to return valid html Discussion ---------- [HttpKernel] hinclude fragment renderer must escape URIs properly to return valid html | Q | A | ------------- | --- | Bug fix? | [yes] | New feature? | [no] | BC breaks? | [no] | Deprecations? | [no] | Tests pass? | [yes] | Fixed tickets | [-] | License | MIT | Doc PR | [-] Since rendering of hinclude fragments returns html/xml, it is marked as safe. So it's not auto-escaped of course. But that means it must properly escape it's input (the URI) when outputting in html context. Btw, this does not need to be done for esi because esi tags are processed in middleware which do not go to the client/browser. --------------------------------------------------------------------------- by Koc at 2013-02-15T22:59:05Z Will it works correct when `arg_separator.output="&"`? --------------------------------------------------------------------------- by stof at 2013-02-15T23:04:01Z if your url comes form the routing, yes. It [does not rely on the default separator](https://github.com/symfony/Routing/blob/master/Generator/UrlGenerator.php#L265) to avoid issues when the separator is configured to ``&`` as it would have been escaped again in Twig templates for instance. --------------------------------------------------------------------------- by fabpot at 2013-02-16T07:26:19Z Can you include the proper PR header in the description? Thanks. --------------------------------------------------------------------------- by Tobion at 2013-02-16T12:28:18Z Added.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since rendering of hinclude fragments returns html/xml, it is marked as safe. So it's not auto-escaped of course. But that means it must properly escape it's input (the URI) when outputting in html context.
Btw, this does not need to be done for esi because esi tags are processed in middleware which do not go to the client/browser.