Some code simplification.
Open any form containing a switcher field.
Inspect the switcher.
Works like before.
No.
Status | New | ⇒ | Pending |
Category | ⇒ | Layout |
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Labels | Added: ? ? |
I am not sure about this
The simplification of the sanitization of the value seems wrong to me. If I read this correctly (I might not be), instead of the htmlspecialchars and UTF-8 checks it is being restricted to the basic string, which I think would prevent UTF-8 characters etc.
@brianteeman It's still using htmlspecialchars() with UTF-8 encoding:
joomla-cms/libraries/src/Layout/BaseLayout.php, lines 117 to 120 in 5e137db
Isn't that taking place after you have already reduced it to a string?
Actually it appears to already be a string so another cast isn't even necessary:
It makes no difference anyways. htmlspecialchars will only work with a string, so it must already have been a string when escaped, so pretty sure the string conversion is fine.
Moving to the escape function is probably good because it's using ENT_QUOTES rather than ENT_COMPAT, which I guess might be usable for some sort of XSS attack if single quotes aren't encoded.
All in all, having looked, I think the proposed change there is fine. Although thank you for flagging it when you were unsure!
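The ENT_COMPAT versus ENT_QUOTES point above is worth seeing concretely. The following is an added example, not Joomla's code and not the code from this PR: the `renderAttr()` / `attributeInjected()` helpers, the `<span data-value='…'>` markup and the attacker-controlled PAYLOAD string are all constructed for illustration. It renders the same value into a single-quoted attribute with each flag set and shows that only ENT_QUOTES keeps a single quote from closing the attribute early, while UTF-8 text passes through htmlspecialchars() untouched either way.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla code). Demonstrates why escaping with ENT_QUOTES
// matters when a value lands inside a single-quoted HTML attribute, and that
// UTF-8 input survives htmlspecialchars() when the encoding is given as UTF-8.

// Hypothetical attacker-controlled value, constructed for this example.
const PAYLOAD = "x' onmouseover='alert(1)";

/**
 * Render a value into a single-quoted attribute using the given flags.
 * Stands in for the "before" (ENT_COMPAT) and "after" (ENT_QUOTES) behaviour
 * discussed in the thread; the markup itself is invented for illustration.
 */
function renderAttr(string $value, int $flags): string
{
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return "<span data-value='" . $escaped . "'>" . $escaped . "</span>";
}

/**
 * Crude check: does the rendered markup contain an attribute the input was
 * never meant to create? A literal "onmouseover='" preceded by whitespace can
 * only appear if a raw single quote closed the data-value attribute.
 */
function attributeInjected(string $html): bool
{
    return (bool) preg_match('/\sonmouseover=\'/', $html);
}

// ENT_COMPAT encodes double quotes only, so the single quote is left as-is.
$before = renderAttr(PAYLOAD, ENT_COMPAT);
// ENT_QUOTES encodes both quote characters; the single quote becomes &#039;.
$after  = renderAttr(PAYLOAD, ENT_QUOTES);

printf("ENT_COMPAT: %s\n  injected? %s\n", $before, attributeInjected($before) ? 'yes' : 'no');
printf("ENT_QUOTES: %s\n  injected? %s\n", $after,  attributeInjected($after)  ? 'yes' : 'no');

// Non-ASCII characters are not lost by the escape: with 'UTF-8' passed as the
// encoding, only the HTML-significant characters (<, >, &, quotes) change.
$utf8 = 'Ünïcödé ✓ <b>';
echo htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`. With ENT_COMPAT the rendered span picks up a second, attacker-supplied `onmouseover` attribute; with ENT_QUOTES the payload stays inside the attribute value as text. The last line shows the UTF-8 string coming back with its accented characters and the check mark intact, which is the concern raised earlier in the thread.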
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-07 12:55:08 |
Closed_By | ⇒ | wilsonge | |
Labels |
I have tested this item ✅ successfully on 2d60713
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29370.