[Flow] [ANN] TYPO3 Flow 3.0.0beta1 released
Bastian Waidelich
bastian at typo3.org
Tue Mar 10 15:01:37 CET 2015
On 09.03.15, at 12:13, Mira Frei wrote:
Hi,
> $this->addFlashMessage('Please check <i>Name</i>, <i>Email address</i>,
> and your <i>Message</i>.', 'Contact form has not been sent!',
> \TYPO3\Flow\Error\Message::SEVERITY_ERROR);
>
> The HTML tags like <i> are displayed raw, the text isn't italic.
Same issue as in the other post: For security reasons the output of your
flash messages is escaped.
Again, you could fix this in the rendering part, using a format.raw
ViewHelper:
<f:flashMessages as="flashMessages">
  <ul class="messages">
    <f:for each="{flashMessages}" as="flashMessage">
      <li>{flashMessage -> f:format.raw()}</li>
    </f:for>
  </ul>
</f:flashMessages>
But you should consider *not* using HTML for your FlashMessages!
If you really want to use custom highlighting, you should use a (subset
of) markdown or similar with a custom ViewHelper that can turn it into
HTML again.
Reason:
Consider the following code in your controller:
$this->addFlashMessage('Hello "%s"', 'Welcome', Message::SEVERITY_ERROR,
array($this->request->getArgument('name')));
This makes the app vulnerable to XSS attacks.
Of course you could (and should anyways) sanitize that "name" argument,
but it's easier to always escape output if you don't rely on the HTML
--
Bastian Waidelich
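An added example (not Flow's own code and not from this thread) of the approach suggested above: escape the whole rendered message first, then turn a small markdown subset into HTML through a fixed whitelist, so a request argument such as "name" can never contribute markup. It assumes the sprintf-style argument substitution implied by the quoted addFlashMessage call, and is written as a plain PHP function rather than a Fluid ViewHelper class.

```php
<?php
// Escape-then-highlight: the only HTML that can ever appear in the output
// is the <i> and <b> produced here, never anything taken from the input.

/**
 * @param string $template  message text with sprintf placeholders, e.g. 'Hello "%s"'
 * @param array  $arguments values substituted into the placeholders (may be user input)
 * @return string HTML that is safe to output unescaped
 */
function renderHighlightedMessage($template, array $arguments = array())
{
    // 1. Substitute arguments the way the quoted call passes them (sprintf-style).
    $message = vsprintf($template, $arguments);

    // 2. Escape everything. After this step no '<', '>', '"' or "'" from
    //    either the template or the arguments survives as a character.
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. Re-introduce markup only through the whitelist:
    //    **text** -> <b>text</b>, *text* -> <i>text</i>.
    //    An attacker who submits '*foo*' merely gets italic text, because
    //    the replacement never emits any tag other than <b> and <i>.
    $html = preg_replace('/\*\*([^*]+)\*\*/', '<b>$1</b>', $escaped);
    $html = preg_replace('/\*([^*]+)\*/', '<i>$1</i>', $html);

    return $html;
}

// Constructed inputs, mirroring the two messages from the thread.
$formMessage = renderHighlightedMessage(
    'Please check *Name*, *Email address*, and your *Message*.'
);
// The emphasised words come out as <i>...</i> elements.

$hostileName = '<script>alert(1)</script>';   // constructed attacker-controlled "name"
$greeting = renderHighlightedMessage('Hello "%s"', array($hostileName));
// The script tag is present only as entity-encoded text, not as an element.

echo $formMessage, "\n", $greeting, "\n";
```

The Fluid side then needs no format.raw at all: a custom ViewHelper that calls this function can hand its result straight to the template, and the escaping decision lives in one reviewed place instead of in every template.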
More information about the Flow mailing list