Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 41e9ec3

Browse filesBrowse files
nicolas-grekasnicolas-grekas
committed
security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof)
This PR was merged into the 2.8 branch. Discussion ---------- [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine Based on #88 Commits ------- f7c95b4cd5 Fix XSS issues in the form theme of the PHP templating engine
1 parent 63eda69 commit 41e9ec3
Copy full SHA for 41e9ec3

File tree

Expand file treeCollapse file tree

3 files changed

+4
-4
lines changed
Filter options
Expand file treeCollapse file tree

3 files changed

+4
-4
lines changed

‎src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
<?php if (count($preferred_choices) > 0): ?>
1212
<?php echo $view['form']->block($form, 'choice_widget_options', array('choices' => $preferred_choices)) ?>
1313
<?php if (count($choices) > 0 && null !== $separator): ?>
14-
<option disabled="disabled"><?php echo $separator ?></option>
14+
<option disabled="disabled"><?php echo $view->escape($separator) ?></option>
1515
<?php endif ?>
1616
<?php endif ?>
1717
<?php echo $view['form']->block($form, 'choice_widget_options', array('choices' => $choices)) ?>

‎src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php

Copy file name to clipboard
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
<?php if (count($errors) > 0): ?>
22
<ul>
33
<?php foreach ($errors as $error): ?>
4-
<li><?php echo $error->getMessage() ?></li>
4+
<li><?php echo $view->escape($error->getMessage()) ?></li>
55
<?php endforeach; ?>
66
</ul>
77
<?php endif ?>

‎src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php

Copy file name to clipboard
+2-2Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<?php $method = strtoupper($method) ?>
22
<?php $form_method = $method === 'GET' || $method === 'POST' ? $method : 'POST' ?>
3-
<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $action ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
3+
<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $view->escape($action) ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
44
<?php if ($form_method !== $method): ?>
5-
<input type="hidden" name="_method" value="<?php echo $method ?>" />
5+
<input type="hidden" name="_method" value="<?php echo $view->escape($method) ?>" />
66
<?php endif ?>

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.