From 02075f32201fbc0948a7802f449ab5213fded327 Mon Sep 17 00:00:00 2001 From: Guy Sartorelli Date: Tue, 6 Sep 2022 11:51:16 +1200 Subject: [PATCH 1/2] DOC Warn about possible XSS in custom shortcodes --- en/02_Developer_Guides/05_Extending/04_Shortcodes.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/en/02_Developer_Guides/05_Extending/04_Shortcodes.md b/en/02_Developer_Guides/05_Extending/04_Shortcodes.md index ccf5ae08f..2d83dbdd3 100644 --- a/en/02_Developer_Guides/05_Extending/04_Shortcodes.md +++ b/en/02_Developer_Guides/05_Extending/04_Shortcodes.md @@ -70,6 +70,16 @@ class Page extends SiteTree } ``` +[warning] +Note that the `$arguments` parameter potentially contains any arbitrary key/value pairs the user has chosen to include. +It is strongly recommended that you don't directly convert this array into a list of attributes for your final HTML markup +as that could lead to XSS vulnerabilities in your project. + +If you want to use the `$arguments` parameter as a list of attributes for your final HTML markup, it is strongly recommended that you +pass the array through a filter of allowed arguments using [array_filter()](https://www.php.net/manual/en/function.array-filter.php) +or similar. +[/warning] + These parameters are passed to the `MyShortCodeMethod` callback: - Any parameters attached to the shortcode as an associative array (keys are lower-case). From 84901b0dc8d61a88ac9ba11c7f6b099fa1ad4ff8 Mon Sep 17 00:00:00 2001 From: Guy Sartorelli Date: Mon, 21 Nov 2022 16:38:49 +1300 Subject: [PATCH 2/2] MNT Update branch which triggers deploying docs site --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ee816e35..9ab475ba3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,7 +3,7 @@ on: push: branches: - '3' - - '4.11' + - '4.12' jobs: build: name: build-docs
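Review bot: In the `04_Shortcodes.md` hunk, the recommended mitigation is incomplete and the cited function does not do what the sentence implies: `array_filter()` with no flag filters by value, so as written it would not restrict the `$arguments` keys to an allowed list, and a key allowlist on its own still leaves attribute values (for example a `href` or `src` that was allowed through) unescaped. Suggest rewording the second paragraph to name both steps, keying on an allowlist and escaping each value, e.g. "pass the array through an allowlist of argument names (for example `array_intersect_key($arguments, array_flip($allowedAttributes))`, or `array_filter()` with the `ARRAY_FILTER_USE_KEY` flag) and escape every remaining value with `Convert::raw2att()` before emitting it as an attribute." Minor style point: "It is strongly recommended" appears in both paragraphs of the warning; the second occurrence can be dropped.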
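Review bot: The `.github/workflows/build.yml` hunk is an unrelated maintenance change bundled into a documentation PR, and because the deploy trigger is pinned to a single minor branch (`'4.11'` to `'4.12'`) it has to be edited by hand at every minor release. Suggest either splitting it into its own PR so the docs-only change can be reviewed and backported independently, or, if the pinning is intentional so that only the current release branch deploys, adding a comment above the `branches:` list stating that it must be bumped on each minor release so the next update is not missed.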