Details
- Bug
- Resolution: Unresolved
- Medium
- 3.10.0, 3.9.4, 4.0.0, 4.6.0beta1
- None
Description
It's unclear at the moment in which values in the array returned by an extension's ezinfo.php info method HTML tags can appear. Also, all occurrences of eZ P|publish and eZ S|systems are automatically replaced to make links of them.
Current ezoe (http://svn.ez.no/svn/extensions/eztinymce/trunk/ezoe rev. 2963) for example will show an HTML tag in the ezinfo/about view output, visible to the user:
Includes the following library:
* Name : eZ Core, tiny javascript library for ajax and stuff
Version : 0.95
Copyright : Copyright (C) 2008 <a href="http://ez.no/">eZ Systems AS</a>
License : Licensed under the MIT License
Certainly not what we want.
I suggest that we do not do any automatic replacements any more, and allow anchor tags with a value for the href attribute that uses the http protocol anywhere. All other tags should be escaped.
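One way to implement the rule suggested above, as an added example that is not part of the original report and not eZ Publish code: escape every value, and re-emit only anchors whose single attribute is an `href` using the http protocol. The function name `renderInfoValue` and the sample values other than the Copyright line are assumptions made for illustration.

```php
<?php
// Added example, not eZ Publish code. renderInfoValue() is a hypothetical helper.

/**
 * Escape one ezinfo.php info value for HTML output, keeping only
 * <a href="http://...">text</a> anchors as real markup.
 */
function renderInfoValue(string $value): string
{
    // A complete anchor with exactly one attribute: a double-quoted href
    // using the http protocol (the only one the report proposes to allow).
    // Link text may not contain further tags.
    $anchor = '~<a\s+href="(http://[^"<>\s]+)"\s*>([^<>]*)</a>~i';

    $esc = function (string $s, bool $doubleEncode = true): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', $doubleEncode);
    };

    $out = '';
    $pos = 0;
    preg_match_all($anchor, $value, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
    foreach ($matches as $m) {
        [$whole, $start] = $m[0];
        // Everything outside an allowed anchor is plain text: escape it.
        $out .= $esc(substr($value, $pos, $start - $pos));
        // Rebuild the anchor from escaped parts instead of echoing the input.
        // Existing entities (e.g. &amp; in a query string) are not re-encoded.
        $out .= '<a href="' . $esc($m[1][0], false) . '">'
              . $esc($m[2][0], false) . '</a>';
        $pos = $start + strlen($whole);
    }
    return $out . $esc(substr($value, $pos));
}

// Sample values: the first is the Copyright value quoted in the report,
// the others are constructed to exercise the "escape everything else" path.
$samples = [
    'Copyright (C) 2008 <a href="http://ez.no/">eZ Systems AS</a>',
    'Licensed under the <b>MIT</b> License',
    '<a href="http://ez.no/" onclick="x()">extra attribute</a>',
    '<a href="javascript:void(0)">other protocol</a>',
];
foreach ($samples as $sample) {
    echo renderInfoValue($sample), PHP_EOL;
}
```

Only the first sample keeps a live link; in the other three the tags do not match the allowed form and are emitted as escaped text.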