Fixed Unescaped phrase in \XF\Template\Templater::fnDisplayTotals()

K

Kirby

Well-known member
Affected version
2.1.0 Beta 2
Phrase there_are_x_items_in_total is not escaped when used in \XF\Template\Templater::fnDisplayTotals() for a title attribute.

PHP: 
return '<span class="js-displayTotals" data-count="' . $count . '" data-total="' . $total . '"'
    . ' data-xf-init="tooltip" title="' . \XF::phrase('there_are_x_items_in_total', ['total' => $params['total']]) . '">'
    . \XF::phrase($phrase, $params) . '</span>';
 
Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in a future XF release (2.0.12).

Change log:
Ensure usage of phrase within HTML attribute is escaped.
Click to expand...
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 

Similar threads

FoxSecrets
  • Question Question
XF 2.2 Get rid of [Exception] Could not find class \XF\Template\Templater when attempting to extend XF\Template\Templater
Replies
1
Views
54
FoxSecrets
FoxSecrets
gigipmc
XF 2.2 XF\Template\Templater::filterReplace() redundant code?
Replies
0
Views
24
gigipmc
gigipmc
pegasus
Fixed Template compile error when entity is missing Master Phrase relation
Replies
1
Views
141
XF Bug Bot
XF Bug Bot
X
Duplicate Leftover debug code in XF\Template\Compiler\Tag\SubmitRow
Replies
1
Views
97
Jeremy P
Jeremy P
B
  • Locked
XF 2.2 php 8.1 [E_WARNING] Undefined property: SV\StandardLib\XF\Template\Templater::$options
Replies
1
Views
612
duderuud
duderuud
Back
Top Bottom