Item14287: Configure needs to encode reported configuration values.
Current State: Closed
Released In: 2.1.3
Target Release: patch
If a configure item contains things like image or other HTML tags, they get rendered in the changed Items report from the extensions installer, and in the before/after report from the configure Save wizard.
- 22 Jan 2017
I really don't think this is necessary. If a hacker is able to munge a .spec file and add HTML, then they are able to hack the content of the package and install much evil.
The patch doesn't hurt much, I just don't think there's much point to it.
- 23 Jan 2017 - 15:19
True. I pointed that out. His response was:
"other things are risky too" is a really bad counter-argument to a "this thing is generating bogus html"
I do recall ages ago that I was confused by the broken images in the report when I installed the ImagePlugin, so it is a bit cleaner even if not all that significant.
- 23 Jan 2017