Luke Towers

Results: 510 comments by Luke Towers

Can we have some unit tests added for this? If they could include attempts at abusing this new logic to somehow perform some sort of malicious action (if you can...

@bennothommo this is a horrible idea, but we could prevent it from happening by pre-replacing the replace target with something else and then changing it back afterwards. So: - replace...

@bennothommo what would that look like? Cause it sounds pretty horrible 😂

Also, is there any flexibility to just change the markdown parser to not cause us this issue in the first place?

Argh, how annoying. Let's give the twig escaping a try then I guess? Would that actually stop the theoretical attacks I was proposing?

> @LukeTowers just circling back to this - I'm wondering if we even need Twig escaping? The particular issue here is with content blocks that are Markdown-formatted. Content blocks aren't...

@matteotrubini can you add some test cases for this?

@matteotrubini ideally the options logic that's present everywhere in Winter could be centralized to a helper as much as possible. Should be good to proceed with the makeTwigFilters

@matteotrubini I always squash when merging, no need to worry about squashing on the PR itself.