minor #2452 Strip HTML tags from flash messages (javiereguiluz)
This PR was merged into the 1.x branch.

Discussion
----------

Strip HTML tags from flash messages

This is an alternative to #2439. I've been thinking about this and I think @xabbuh is right in his #2439 comments.

We use `|raw` a lot in our templates ... but it's always for content 100% generated by you (form field helps, translations, etc.). But "flash messages" could contain contents generated by the user (not probable, but not impossible).

So, as with anything related to security, let's play it safe and let's not display flash messages as `|raw`. Instead, this PR applies the `|striptags` filter so flash messages look great if they contain HTML tags (users don't want to see the escaped HTML tags).

If some app must absolutely display HTML tags, the solution is to override the default template (as explained in https://symfony.com/doc/master/bundles/EasyAdminBundle/book/list-search-show-configuration.html#advanced-design-configuration).
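To make the three rendering choices discussed above concrete, here is an added example that is not part of the PR or of EasyAdminBundle. It does not load Twig; it calls the PHP functions that Twig's filters delegate to (`escape` with the `html` strategy uses `htmlspecialchars()`, `striptags` uses `strip_tags()`), and it assumes Twig autoescaping is on, which Symfony enables by default. The sample messages and the function names are constructed for this example.

```php
<?php
// Added example (not the PR's code): what each Twig filter does to a flash message,
// using the PHP functions Twig's filters delegate to.
declare(strict_types=1);

// Constructed sample flash messages: one benign with markup, one hostile.
$messages = [
    'Item <strong>deleted</strong>. <a href="/undo">Undo</a>',
    'Saved <script>alert(document.cookie)</script> <img src=x onerror="alert(1)">',
];

// `{{ message }}` with autoescape on: tags are shown literally and never executed.
function renderEscaped(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// `{{ message|raw }}`: the markup is emitted verbatim, so the browser executes it.
function renderRaw(string $message): string
{
    return $message;
}

// `{{ message|striptags }}`: strip_tags() drops the tags but keeps the text they
// enclosed (the script body survives as plain text). Because striptags is not
// declared "safe" in Twig, the remaining text still passes through autoescape.
function renderStripped(string $message): string
{
    return htmlspecialchars(strip_tags($message), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($messages as $message) {
    printf("input:     %s\n", $message);
    printf("escaped:   %s\n", renderEscaped($message));
    printf("raw:       %s\n", renderRaw($message));
    printf("striptags: %s\n\n", renderStripped($message));
}
```

Run it with `php example.php`. For the benign message, `escaped` shows `&lt;strong&gt;deleted&lt;/strong&gt;` on screen (the "escaped HTML tags" the PR wants to hide), `striptags` shows `Item deleted. Undo` with the link text but no link, and `raw` renders the markup. For the hostile message, only `raw` hands the script and the `onerror` handler to the browser; `striptags` reduces it to `Saved alert(document.cookie)`, which is harmless text but shows that stripping removes elements, not the content inside them.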

Commits
-------

72bb73b Strip HTML tags from flash messages
javiereguiluz committed Nov 29, 2018
2 parents 8cc2d0e + 72bb73b commit 5111f7c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Resources/views/default/flash_messages.html.twig
@@ -3,7 +3,7 @@
{% for label, messages in app.session.flashbag.all %}
{% for message in messages %}
<div class="alert alert-{{ label }}">
{{ message|trans }}
{{ message|trans|striptags }}
</div>
{% endfor %}
{% endfor %}
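Review bot: the removed line reads `{{ message|trans }}` with no `|raw`, so with Twig autoescaping on (Symfony's default) the old output was already escaped rather than rendered as HTML; the PR description's "let's not display flash messages as `|raw`" does not match what this hunk replaces, and the commit title should make clear this is a presentation change (tags removed instead of shown as escaped text), not a fix for markup injection, so nobody reads it as one. Two smaller points on `{{ message|trans|striptags }}`: because `striptags` runs after `trans`, any markup deliberately placed in translation strings is stripped too, which the PR text addresses by pointing to template overriding; and `striptags` keeps the text inside removed elements and is not marked safe, so the stripped text still goes through autoescape, which is the right layering.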

0 comments on commit 5111f7c