minor #2452 Strip HTML tags from flash messages (javiereguiluz)
This PR was merged into the 1.x branch.

Discussion
----------

Strip HTML tags from flash messages

This is an alternative to #2439. I've been thinking about this and I think @xabbuh is right in his #2439 comments. We use `|raw` a lot in our templates ... but it's always for content 100% generated by you (form field helps, translations, etc.)

But "flash messages" could contain content generated by a user (not probably, but not impossible). So, as with anything related to security, let's play safe and not display flash messages as `|raw`. Instead, this PR applies the `|striptags` filter so flash messages look great if they contain HTML tags (users don't want to see the escaped HTML tags).

If some app must absolutely display HTML tags, the solution is to override the default template (as explained in https://symfony.com/doc/master/bundles/EasyAdminBundle/book/list-search-show-configuration.html#advanced-design-configuration).

Commits
-------

72bb73b Strip HTML tags from flash messages
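As an added illustration (not code from this PR or from EasyAdminBundle), the script below renders one constructed flash message through Twig three ways: with `|raw` (markup, including a script tag, reaches the page verbatim), with Twig's default autoescaping (the user sees `&lt;b&gt;`-style noise), and with `|striptags` as this PR does (tags are dropped, and the remaining text still goes through autoescaping because `striptags` does not mark its output as safe). It assumes Twig is installed via Composer and that autoescaping is enabled, as it is by default in Symfony.

```php
<?php
// Added example, not part of the EasyAdminBundle commit: compares how a
// flash message that carries markup is rendered by Twig with |raw, with
// the default autoescaping, and with |striptags (the filter this PR
// switches the default template to).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Three variants of the same flash-message line from a list/edit template.
$loader = new ArrayLoader([
    'raw'       => '<div class="alert">{{ message|raw }}</div>',
    'escaped'   => '<div class="alert">{{ message }}</div>',
    'striptags' => '<div class="alert">{{ message|striptags }}</div>',
]);

// Symfony enables HTML autoescaping by default; set it explicitly here so the
// example behaves the same outside a Symfony app (assumption stated above).
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed sample: a flash message that echoes user-controlled input
// (e.g. an entity name taken from a form) without any prior sanitization.
$message = 'Saved <b>Product</b> "<script>alert(1)</script>"';

foreach (['raw', 'escaped', 'striptags'] as $name) {
    // 'raw' emits the script tag unchanged (stored XSS if the input is hostile);
    // 'escaped' is safe but shows literal &lt;b&gt; entities to the user;
    // 'striptags' removes the tags and then autoescapes what is left.
    echo str_pad($name, 10), ': ', $twig->render($name, ['message' => $message]), PHP_EOL;
}
```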