Skip to content

Commit

Permalink
sandbox: disable escaping when rendering as text/plain, bcosca/fatfre…
Browse files Browse the repository at this point in the history 
…e#654
  • Loading branch information
@ikkez
ikkez committed May 26, 2020
1 parent 2dc899d commit f7b934f
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion base.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2888,7 +2888,8 @@ protected function sandbox(array $hive=NULL,$mime=NULL) {
!preg_grep ('/^Content-Type:/',headers_list()))
header('Content-Type: '.$mime.'; '.
'charset='.$fw->ENCODING);
if ($fw->ESCAPE)
if ($fw->ESCAPE && (!$mime ||
preg_match('/^(text\/html|(application|text)\/(.+\+)?xml)$/i',$mime)))
$hive=$this->esc($hive);
if (isset($hive['ALIASES']))
$hive['ALIASES']=$fw->build($hive['ALIASES']);
Expand Down

1 comment on commit f7b934f

@Rayne
Copy link
Member

@Rayne Rayne commented on f7b934f May 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At first I thought this would break old apps that are using null (although relying on text/html escaping) as $mime argument. 👍

Please sign in to comment.