Bugzilla – Bug 11265
Slim/Utils/MemoryUsage -- incomplete logic for escape_html()
Last modified: 2009-07-29 14:59:01 UTC
Created attachment 4889: patch to add escaping of quote and apostrophe

If only there were a contest for the most pedantic bug report, this would surely be in the running... I just modified some of my plugins to no longer rely on CGI.pm. Looking for alternative providers of the few methods I needed, I discovered that Slim::Utils::MemoryUsage::escape_html escapes only <, >, and & characters. It probably ought to also escape " and ' characters. It appears that only MemoryUsage.pm relies on this routine, and its incompleteness appears to be harmless, so long as nobody else grabs that code and uses it in a place where they need it to prevent text from breaking out of quotation marks, as when embedding text in the attribute of an HTML element.
Andy, does this seem like a safe change to you?
Sure.
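As an added example (not the project's code and not the attached patch), the following Perl script contrasts a three-character escaper of the kind the bug report describes with one that also handles the quote and apostrophe, and renders a constructed payload into a double-quoted attribute through each. The function names, the attribute template, the intactness check and the payload are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escaper covering only <, > and &, as the report describes for
# Slim::Utils::MemoryUsage::escape_html (reconstructed, not the original code).
# Sufficient for text nodes, insufficient inside attribute values.
sub escape_html_incomplete {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;   # & first, otherwise the entities added below get re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Escaper extended with the two characters the report asks for.
# &#39; is used rather than &apos; because &apos; is not defined in HTML 4.
sub escape_html_complete {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical template: the escaped value lands inside a double-quoted attribute.
sub render_attribute {
    my ($escaper, $value) = @_;
    return sprintf '<input type="text" value="%s">', $escaper->($value);
}

# Crude structural check: the template has two attributes, so a tag whose value
# did not break out contains exactly four double-quote characters.
sub attribute_intact {
    my ($html) = @_;
    my $quotes = () = $html =~ /"/g;
    return $quotes == 4;
}

# Constructed input: contains no <, > or &, so the incomplete escaper leaves it
# untouched; it closes the value attribute and adds an event handler.
my $payload = q{" onfocus="alert(1)" autofocus="};

for my $pair (['incomplete', \&escape_html_incomplete],
              ['complete',   \&escape_html_complete]) {
    my ($name, $fn) = @$pair;
    my $html = render_attribute($fn, $payload);
    printf "%-10s %-6s %s\n", $name,
        (attribute_intact($html) ? 'intact' : 'BROKEN'), $html;
}
```

Running it shows the incomplete escaper emitting `<input type="text" value="" onfocus="alert(1)" autofocus="">`, while the complete one keeps the payload inside the attribute as `&quot;` entities. Note that escaping these five characters only protects quoted attribute values and text nodes; an unquoted attribute, or a value that ends up inside a script block or a URL, needs context-specific handling that no general-purpose escape_html provides.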
We are now planning to make a 7.3.3 release. Please review your bugs (all marked open against 7.3.3) to see if they can be fixed in the next few weeks, or if they should be retargeted for 7.4 or future. Thanks!
Since there's now a planned 7.3.3 release, bugs which won't make the cut-off are being moved to the next target out. If you feel that this bug needs to be addressed more (or less) urgently than the 7.4 release, please cc chris@slimdevices.com and leave a comment in the bug to that effect so we can review it. Thanks.
For some reason Bugzilla did not change the target when I did this yesterday. Or maybe it was me. In either case, I'm trying it again.
Moving 7.4 bugs to 8.0.