Opened 3 years ago
Last modified 3 years ago
#53899 new enhancement
Escaping strings and screenshot URL on Themes screen
| Reported by: | vishitshah | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Themes | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
Attachments (1)
Change History (5)
#2 3 years ago
Concerning the screenshot URL, if we want to escape the URL late, we'll probably want to do it in the template model too:

```html
<# if ( data.screenshot[0] ) { #>
	<div class="theme-screenshot">
		<img src="{{ data.screenshot[0] }}" alt="" />
	</div>
<# } else { #>
	<div class="theme-screenshot blank"></div>
<# } #>
```
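To make "escaping late" concrete, here is an added example (not from the ticket, the patch, or WordPress core) that renders the same screenshot block in plain JavaScript: the URL is validated and attribute-escaped at output time rather than being trusted from upstream. The allowed-scheme policy and the `escAttr` helper are assumptions of this example, not the behaviour of `wp.template` or `_.escape`.

```javascript
// Assumed policy: only http/https absolute URLs and plain relative paths
// are acceptable for a theme screenshot; everything else renders as blank.
const ALLOWED_PROTOCOLS = ['http:', 'https:'];

// Return a usable URL string, or '' when the value should not be emitted.
function sanitizeScreenshotUrl(value) {
  if (typeof value !== 'string' || value.trim() === '') return '';
  const trimmed = value.trim();
  // No scheme and not protocol-relative: treat as a relative path and keep it.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(trimmed) && !trimmed.startsWith('//')) {
    return trimmed;
  }
  // Anything with a scheme (or '//') must parse and use an allowed protocol.
  try {
    const url = new URL(trimmed);
    return ALLOWED_PROTOCOLS.includes(url.protocol) ? url.href : '';
  } catch (e) {
    return ''; // protocol-relative or unparsable input is rejected
  }
}

// Minimal HTML attribute escaper (stand-in for what {{ }} does in the template).
function escAttr(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Mirrors the <# if ( data.screenshot[0] ) #> branch of the template above,
// with the escaping performed here, at render time.
function renderScreenshot(data) {
  const src = sanitizeScreenshotUrl(data.screenshot && data.screenshot[0]);
  if (src) {
    return `<div class="theme-screenshot"><img src="${escAttr(src)}" alt="" /></div>`;
  }
  return '<div class="theme-screenshot blank"></div>';
}

// Constructed sample inputs for a quick check.
console.log(renderScreenshot({ screenshot: ['https://example.com/shot.png'] }));
console.log(renderScreenshot({ screenshot: ['javascript:alert(1)'] }));
console.log(renderScreenshot({ screenshot: ['a"b.png'] }));
```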
Thanks for the ticket and patch,

Just noting that the content of `$active_class` is generated by the following code:

Therefore, there is no way for anyone to inject anything into this variable, so the current code seems 100% safe :)