Merge branch '3.4' into 4.2
* 3.4: Fix XSS issues in the form theme of the PHP templating engine
This commit is contained in:
commit
91916451a5
@ -11,7 +11,7 @@
|
|||||||
<?php if (count($preferred_choices) > 0): ?>
|
<?php if (count($preferred_choices) > 0): ?>
|
||||||
<?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $preferred_choices]) ?>
|
<?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $preferred_choices]) ?>
|
||||||
<?php if (count($choices) > 0 && null !== $separator): ?>
|
<?php if (count($choices) > 0 && null !== $separator): ?>
|
||||||
<option disabled="disabled"><?php echo $separator ?></option>
|
<option disabled="disabled"><?php echo $view->escape($separator) ?></option>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
<?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $choices]) ?>
|
<?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $choices]) ?>
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
<?php if (count($errors) > 0): ?>
|
<?php if (count($errors) > 0): ?>
|
||||||
<ul>
|
<ul>
|
||||||
<?php foreach ($errors as $error): ?>
|
<?php foreach ($errors as $error): ?>
|
||||||
<li><?php echo $error->getMessage() ?></li>
|
<li><?php echo $view->escape($error->getMessage()) ?></li>
|
||||||
<?php endforeach; ?>
|
<?php endforeach; ?>
|
||||||
</ul>
|
</ul>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
<?php $method = strtoupper($method) ?>
|
<?php $method = strtoupper($method) ?>
|
||||||
<?php $form_method = $method === 'GET' || $method === 'POST' ? $method : 'POST' ?>
|
<?php $form_method = $method === 'GET' || $method === 'POST' ? $method : 'POST' ?>
|
||||||
<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $action ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
|
<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $view->escape($action) ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
|
||||||
<?php if ($form_method !== $method): ?>
|
<?php if ($form_method !== $method): ?>
|
||||||
<input type="hidden" name="_method" value="<?php echo $method ?>" />
|
<input type="hidden" name="_method" value="<?php echo $view->escape($method) ?>" />
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
Reference in New Issue
Block a user