Fixed Unescaped phrase in \XF\Template\Templater::fnDisplayTotals()

K

Kirby

Well-known member
Affected version
2.1.0 Beta 2
Phrase there_are_x_items_in_total is not escaped when used in \XF\Template\Templater::fnDisplayTotals() for a title attribute.

PHP: 
return '<span class="js-displayTotals" data-count="' . $count . '" data-total="' . $total . '"'
    . ' data-xf-init="tooltip" title="' . \XF::phrase('there_are_x_items_in_total', ['total' => $params['total']]) . '">'
    . \XF::phrase($phrase, $params) . '</span>';
 
Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in a future XF release (2.0.12).

Change log:
Ensure usage of phrase within HTML attribute is escaped.
Click to expand...
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 

Similar threads

Osman
Fixed Cookie storage does not work
Replies
2
Views
356
XF Bug Bot
XF Bug Bot
pegasus
Fixed Template compile error when entity is missing Master Phrase relation
Replies
1
Views
127
XF Bug Bot
XF Bug Bot
SuperZambezi
  • Question Question
RM 2.2 Captcha Requirement for Downloads
Replies
0
Views
599
SuperZambezi
SuperZambezi
JesseUCAVedYou
XF 2.2 Trigger FlashMessage Inline
Replies
2
Views
222
JesseUCAVedYou
JesseUCAVedYou
kirsty
XF 2.2 Passing attributes to a class widget?
Replies
1
Views
153
kirsty
kirsty
Top Bottom