Skip to content

[Notifications] Escape HTML in destUrl and fileName

Kai Uwe Broulik requested to merge work/kbroulik/noti-escape-html into master

Ensures that a file or destination named <h1>foo.txt doesn't break the layout.

It still goes through the normal HTML text filter, so remote file access isn't possible, merely screwing up the layout.


gonna make a dedicated patch for 5.21 as !626 (merged) changed between 5.21 and master

Merge request reports

Loading