For now I decided to strip tags as it was done in https://github.com/piwik/piwik/commit/4f9f30e653ff22e253e90b0d3797a5831fb259d0#diff-d3148e3bddcfc2a08ca93436357a0a0cR161
What I should mention is that the welcome updater screen uses the
raw filter for
coreMessage. I presume it could make sense to use the same for both: https://github.com/piwik/piwik/blob/2.14.3/plugins/CoreUpdater/templates/runUpdaterAndExit_welcome.twig#L21
but I'm scared of introducing an XSS or so as I'm not sure what kind of errors there could be. Stripping tags should be the most secure for sure and I'm not sure if formatted output is really needed. The
code element could be still quite useful but otherwise it is displayed bold anyway (I could allow
striptags is ok for 2.15. We shouldn't introduce potential issues in our LTS version anyway.
Hopefully, https://github.com/piwik/piwik/issues/4231 and angular work will allow us to get rid of
|striptags in 3.0.