@tsteur opened this issue on June 24th 2015

Just in case an exception that is displayed there contains any user input

@mattab commented on June 25th 2015

Looks good to me

@mattab commented on June 25th 2015

Actually there is a regression where we lose the bold message in: http://builds-artifacts.piwik.org/ui-tests.master/13711.7/UIIntegrationTest_db_connect_error - we need to strip_tags and remove <br> only when in CLI

@tsteur commented on June 25th 2015

> we need to strip_tags and remove <br> only when in CLI

Then htmlentities would escape them and the html would be visible. Looking deeper at the code this method Piwik_GetErrorMessagePage is only used in 2 or 3 parts and the one that contains user input is kinda escaped before already (https://github.com/piwik/piwik/blob/2.14.0-b10/core/ExceptionHandler.php#L70-L72) and doc block says @param string $message Main message, must be html encoded before calling

This issue was closed on June 26th 2015
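
The trade-off discussed in this thread, as an added example that is not Piwik's code: user input is encoded once where it enters the message, the trusted markup is left alone for browser output, and tags are stripped only for CLI output. The function names `escapeUntrusted` and `renderErrorMessage` and the sample message are hypothetical.

```php
<?php
// Hypothetical helpers for illustration; not taken from Piwik.

/** Encode untrusted text once, at the point where it enters the message. */
function escapeUntrusted(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a message whose markup is trusted and whose user-supplied parts
 * were already passed through escapeUntrusted() by the caller.
 */
function renderErrorMessage(string $encodedMessage, bool $isCli): string
{
    if ($isCli) {
        // Terminal: turn <br> into newlines and drop the remaining tags first,
        // then decode entities so escaped user text is shown literally.
        $text = preg_replace('#<br\s*/?>#i', "\n", $encodedMessage);
        $text = strip_tags($text);
        return html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    }
    // Browser: the caller already encoded the message, so emit it unchanged.
    return '<div class="error">' . $encodedMessage . '</div>';
}

// Constructed sample: a database name that arrived as user input.
$userInput = '<b>reports</b>';
$message = '<strong>Unable to connect</strong><br>Database: '
    . escapeUntrusted($userInput);

// Browser output: bold heading kept, user markup shown as inert text.
echo renderErrorMessage($message, false), "\n";

// Encoding the whole message a second time makes the trusted <strong>
// visible as text and double-encodes the user part (&amp;lt;b&amp;gt;...).
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "\n";

// CLI output: no tags, a real line break, user text shown literally.
echo renderErrorMessage($message, true), "\n";
```

Decoding entities before calling `strip_tags` in the CLI branch would delete the user's text instead of displaying it, so the order of those two steps matters.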