PHP
Dokuro, 2015-09-13 14:08:17

VOLT, Phalcon, XSS how to fix?

An example for everyone.
In general, I don't know what workaround to come up with here. Problem:
I'm outputting a post. But before the output, I run the post through the XSS filter built into VOLT:
{{ post.message|e }}
But the point is that post.message contains Markdown markup, which needs to be converted to valid HTML.
The first option is what I do:
{{ mark.Down(post.message) }}
But this way XSS can be injected.
I decided to run it through the XSS filter before passing post.message to the markDown::parse() function:

{% set post.message = post.message|e %}

<div class="post-text">
    {{ markDown.parse(post.message) }}
</div>

But for some reason the Markdown markup gets corrupted. (The output is a string processed by Markdown, but the HTML markup tags are also escaped by the filter.)
Why is that? Logically, this shouldn't be the case.
The compiled template looks like this:
<?php $post->message = $this->escaper->escapeHtml($post->message); ?>

<div class="post-text">
    <?php echo $this->markDown->parse($post->message); ?></p>
</div>

My head is already spinning. What's wrong here?
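The corruption the question describes, and the ordering that avoids it, as an added example that is not part of the original post, of Phalcon or of Volt. `toyMarkdown()` is a hypothetical stand-in for `markDown.parse()` (bold, italics and blockquotes only), `escapeHtml()` here is plain `htmlspecialchars()` standing in for the `|e` filter, and `sanitizeHtml()` is a small allowlist filter built on PHP's own DOMDocument; the sample post is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample post: ordinary Markdown plus two injected HTML fragments.
const SAMPLE_POST = "Hello **world** and *friends*.\n"
    . "<script>alert(1)</script>\n"
    . "> quoted line\n"
    . "<b onmouseover=\"alert(2)\">hover</b>";

// Hypothetical stand-in for markDown.parse(): a tiny Markdown subset.
function toyMarkdown(string $src): string
{
    $html = preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $src);
    $html = preg_replace('/\*(.+?)\*/s', '<em>$1</em>', $html);
    return preg_replace('/^> ?(.*)$/m', '<blockquote>$1</blockquote>', $html);
}

// Stand-in for the Volt |e filter / escaper->escapeHtml(): text escaping only.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Ordering 1: {% set post.message = post.message|e %} and then parse.
// The blockquote's leading ">" has become "&gt;", so the Markdown rule no
// longer matches and the reader sees "&gt; quoted line" as literal text.
function escapeThenParse(string $src): string
{
    return toyMarkdown(escapeHtml($src));
}

// Ordering 2: parse first, then reduce the HTML to an allowlist of tags/attributes.
function parseThenSanitize(string $src): string
{
    return sanitizeHtml(toyMarkdown($src));
}

const ALLOWED_TAGS      = ['p', 'strong', 'em', 'blockquote', 'code', 'pre', 'ul', 'ol', 'li', 'br', 'a'];
const ALLOWED_ATTRS     = ['a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy user HTML silently
    // One wrapper element so the fragment has exactly one root (ASCII input assumed).
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;
    sanitizeChildren($root);
    $out = '';
    foreach ($root->childNodes as $child) {    // serialize the children, not the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent): void
{
    // Snapshot first: removing nodes from a live NodeList while iterating skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {  // comments, CDATA, processing instructions
                $parent->removeChild($child);
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);      // element and everything inside it
            continue;
        }
        sanitizeChildren($child);              // clean the subtree before judging the element
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild !== null) {   // unwrap: keep the text, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            // Only allowlisted attributes survive; href must be http(s), mailto or site-relative.
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('#^(https?:|mailto:|/)#i', trim($attr->value)) === 1);
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

echo "--- escape, then parse (the question's ordering) ---\n", escapeThenParse(SAMPLE_POST), "\n";
echo "--- parse, then sanitize ---\n", parseThenSanitize(SAMPLE_POST), "\n";
```

Run it with `php example.php`. The first block shows the blockquote lost and the `<script>` shown as visible text; the second keeps `<strong>`, `<em>` and `<blockquote>`, drops the script element with its body, and reduces `<b onmouseover=...>hover</b>` to the text `hover`. The underlying point: an HTML escaper is the right tool for a text node, but the output of a Markdown parser is HTML, so it needs an HTML sanitizer applied after parsing. In production that means a maintained library such as HTML Purifier rather than this toy; Parsedown's `setSafeMode(true)` is another option if that parser is in use.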


1 answer
Pavel Volintsev, 2015-09-13
@iDokuro

How is markDown initialized? What is it?
And does it work like this?

{% set post_message = post.message|e %} {# don't corrupt the internals of the post object #}

<div class="post-text">
    {{ markDown.parse(post_message ) }}
</div>
