Describe the bug
The series of escaping, filtering and unescaping in/around
pkp-lib/templates/linkAction/linkActionButton.tpl
Line 30 in a618dbe
This follows from #2564.
Callers should be able to pass content into this template (via instantiation of the LinkAction object and subclasses) in one of three ways:
With unlimited HTML: when the grid column is created with the anyhtml flag, all HTML is dumped in without escaping. (This should be used very cautiously!)
(I was tempted to add "limited HTML", but I don't think we have a use case for that.)
There shouldn't be any need for an unescape call in linkActionButton.tpl -- it only confuses things. For example, applying a strip_unsafe_html before an unescape gives the impression that escaping is handled, but if the incoming label is already HTML, the filtering won't be applied (as expected)!
PRs
Stable-3.4.0
pkp-lib --> #9331
ojs --> pkp/ojs#4048 [TEST ONLY]
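One way to see the ordering problem the issue describes, as an added example that is not pkp-lib code and not taken from the linked PRs. It assumes a hypothetical allow-list filter, filterUnsafeHtml(), standing in for strip_unsafe_html, PHP's htmlspecialchars_decode() standing in for the template's unescape call, and constructed sample labels.

```php
<?php
// Added illustration; not pkp-lib code. filterUnsafeHtml() is a hypothetical,
// simplified stand-in for strip_unsafe_html, and htmlspecialchars_decode()
// stands in for the unescape call in the template.

function filterUnsafeHtml(string $html): string
{
    // Allow-list filter: keeps a few inline tags and drops every other tag.
    // It only acts on real tags; entity-encoded text passes through untouched.
    return strip_tags($html, '<b><i><em><strong>');
}

// The order the issue questions: filter first, then unescape.
function filterThenUnescape(string $label): string
{
    return htmlspecialchars_decode(filterUnsafeHtml($label), ENT_QUOTES);
}

// Text label: escape once at output and do nothing else (assumed alternative).
function renderText(string $label): string
{
    return htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HTML label without the unescape: the filter's output is what is rendered.
function renderFilteredHtml(string $label): string
{
    return filterUnsafeHtml($label);
}

// Constructed sample labels, one per input shape.
$samples = [
    'plain text'     => 'Edit & Save',
    'raw markup'     => '<b>Edit</b><script>alert(1)</script>',
    'escaped markup' => '&lt;script&gt;alert(1)&lt;/script&gt;',
];

foreach ($samples as $kind => $label) {
    echo $kind, PHP_EOL;
    echo '  filter, then unescape: ', filterThenUnescape($label), PHP_EOL;
    echo '  escape only:           ', renderText($label), PHP_EOL;
    echo '  filter only:           ', renderFilteredHtml($label), PHP_EOL;
}
```

The escaped sample contains no tags when the filter runs, so the filter leaves it alone and the later unescape turns it into live markup; the other two pipelines never decode it.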