Skip to content

[Console] Allow OutputFormatter::escape() to be used for escaping URLs used in <href> #44912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 7, 2022
Merged

[Console] Allow OutputFormatter::escape() to be used for escaping URLs used in <href> #44912

merged 1 commit into from
Jan 7, 2022

Conversation

Seldaek
Copy link
Member

@Seldaek Seldaek commented Jan 5, 2022
edited
Loading

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #...
License MIT
Doc PR symfony/symfony-docs#...

I was trying to use escape() to make user-provided URLs safe in <href=...> but I realized it was really only good for avoid starting tags, and not for escaping the content of a tag.

  • escape() now escapes > as well as <
  • URLs containing escaped <, > are now rendered correctly
  • user-provided URLs should now be safe to use (as in they cannot break the formatting) as long as they're piped through escape()
  • possibly also resolves issues if you were trying to use user-provided colors i.e. '<'.OutputFormatter::escape($color).'>' where as in current released code it would not help you at all here. I haven't checked that yet

I am happy to spend time adding tests but would like to first get feedback on the changes to know if it's reasonable or not to change escape() in this way.

The rest of the changes I think are absolutely safe to merge and make sense regardless.

@carsonbot
Copy link

Hey!

To help keep things organized, we don't allow "Draft" pull requests. Could you please click the "ready for review" button or close this PR and open a new one when you are done?

Note that a pull request does not have to be "perfect" or "ready for merge" when you first open it. We just want it to be ready for a first review.

Cheers!

Carsonbot

@stof
Copy link
Member

stof commented Jan 5, 2022

I would say that this makes sense (but it indeed needs tests covering it)

@Seldaek Seldaek marked this pull request as ready for review January 5, 2022 11:45
@Seldaek Seldaek requested a review from chalasr as a code owner January 5, 2022 11:45
@carsonbot carsonbot added this to the 4.4 milestone Jan 5, 2022
@Seldaek
Copy link
Member Author

Seldaek commented Jan 6, 2022

OK added tests to cover the new functionality and fixed existing ones 👍🏻

@Seldaek Seldaek force-pushed the patch-18 branch 2 times, most recently from 08dc2bd to 61f06fa Compare January 7, 2022 08:38
@Seldaek
Allow OutputFormatter::escape() to be used for escaping URLs used in …
cfa8910 
…<href>

- escape() now escapes `>` as well as `<`
- URLs containing escaped `<` and `>` are rendered correctly as is
- user-provided URLs should now be safe to use (as in they cannot break the formatting) as long as they're piped through `escape()`
@fabpot
Copy link
Member

fabpot commented Jan 7, 2022

Thank you @Seldaek.

@fabpot fabpot merged commit 29843b3 into symfony:4.4 Jan 7, 2022
This was referenced Jan 28, 2022
Merged
Merged
Merged
Merged
This was referenced Jan 29, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Console Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
4 participants
@Seldaek @carsonbot @stof @fabpot