Raw html should be escaped before output in Newsletter pages
Closed, ResolvedPublic

Description

There are several places where we output directly from the db. It should be escaped before being output.

Event Timeline

Glaisher raised the priority of this task from to High.
Glaisher updated the task description.
Glaisher subscribed.

Change 248361 had a related patch set uploaded (by Glaisher):
Do escaping before output on Newsletter special pages

https://gerrit.wikimedia.org/r/248361

Change 248361 merged by jenkins-bot:
Do escaping before output on Newsletter special pages

https://gerrit.wikimedia.org/r/248361

Change 250459 had a related patch set uploaded (by Glaisher):
Escape raw HTML from SpecialNewsletter

https://gerrit.wikimedia.org/r/250459

Change 250459 merged by jenkins-bot:
Escape raw HTML from SpecialNewsletter

https://gerrit.wikimedia.org/r/250459

@Glaisher, this one can be marked 'Resolved'? :)

Not yet. Someone needs to confirm that they don't see raw HTML anywhere.

Just noticed this so adding here so that I don't forget: Escape HTML in the notification too.

Change 255076 had a related patch set uploaded (by Glaisher):
Cleanup notification sent for new issues

https://gerrit.wikimedia.org/r/255076

Change 255076 merged by jenkins-bot:
Cleanup notification sent for new issues

https://gerrit.wikimedia.org/r/255076

Glaisher claimed this task.