The insecure examples code does not include delimiters for strings

Created on 26 April 2025

The insecure examples shown for FormattableMarkup::placeholderFormat() do not include string delimiters: the closing single quote of the first argument is missing in each of them.

$this->placeholderFormat('<@foo>text</@foo>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a @foo>link text</a>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a href="@foo">link text</a>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a title="@foo">link text</a>, ['@foo' => $some_variable]);

The correct code is the following.

$this->placeholderFormat('<@foo>text</@foo>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a @foo>link text</a>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a href="@foo">link text</a>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a title="@foo">link text</a>', ['@foo' => $some_variable]);
Bug report

Status: Active

Version: 11.0

Component: documentation

Created by: apaderno (Brescia, Italy)
