Fixed Unescaped phrase in \XF\Template\Templater::getDataRowCell()

[Kirby]

Affected version

2.1.0 Beta 2

Phrase delete is not escaped when used in \XF\Template\Templater::getDataRowCell() for a title attribute.

if (!$tooltip)
{
    $tooltip = \XF::phrase('delete');
}
$html = "<a href=\"{$href}\" class=\"iconic iconic--delete dataList-delete\" data-xf-init=\"tooltip\" title=\"{$tooltip}\" data-xf-click=\"overlay\"{$target}><i aria-hidden=\"true\"></i></a>";

 

[Mike]

This is the second time I noticed this, so wondering if there's another bug here: there's a missing :p in your code. That is a smilie so that could be relevant, though I don't think it should normally be converted...

 

[Kirby]

This was a direct copy & paste of the relevant code, so the :p was definitly there.

Happened here as well:

Fixed - Unescaped phrase in \XF\Template\Templater::fnDisplayTotals()

Phrase there_are_x_items_in_total is not escaped when used in \XF\Template\Templater::fnDisplayTotals() for a title attribute. return '' . \XF::phrase($phrase, $params) . '';

xenforo.com

 

[Chris D]

Which XF version did you get the code from in your first post?

This was fixed in XF 2.0.10 after you reported this in another report.

if (!$tooltip)
{
   $tooltip = \XF::phrase('delete');
}
$tooltip = $this->filterForAttr($this, $tooltip, $null);
$html = "<a href=\"{$href}\" class=\"dataList-delete\" data-xf-init=\"tooltip\" title=\"{$tooltip}\" data-xf-click=\"overlay\"{$target}></a>";

 

[Kirby]

XF 2.1.0 Beta 2 Templater.php (72464e70a743063e0eab209898748358c36961dc95751e1a584f15888677d157) line 6377-6381

It is fixed in lines 6600-6605 though.

 

[Chris D]

There seems to have been some merging conflict at some point so I was looking at some sort of duplicative method.