|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (30 fixed, 12 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (31 fixed, 11 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -2039,6 +2039,21 @@
|
|
|
Slim-twig wrapper change could quietly flip it. Pin
|
|
|
`'autoescape' => 'html'`.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. The Twig factory in `ui/src/App/Container.php`
|
|
|
+ now passes `'autoescape' => 'html'` explicitly. Twig 3 already
|
|
|
+ defaults to `'html'`, but pinning the option means a future major
|
|
|
+ bump (or a Slim-twig wrapper change) that flipped the default
|
|
|
+ would surface as a build-time error from `EscaperExtension`
|
|
|
+ (Twig refuses unknown strategy names) rather than as silently
|
|
|
+ un-escaped output. Regression tests in
|
|
|
+ `ui/tests/Integration/App/TwigConfigTest.php`:
|
|
|
+ `testAutoescapeStrategyIsExplicitlyHtml` calls
|
|
|
+ `EscaperExtension::getDefaultStrategy()` on the wired-up
|
|
|
+ environment and asserts the strategy is `'html'`;
|
|
|
+ `testRenderedTemplateAutoescapesUserInput` proves the pipeline
|
|
|
+ actually applies the strategy by rendering
|
|
|
+ `'<script>alert(1)</script>'` through `{{ value }}` and
|
|
|
+ asserting the output is HTML-escaped.
|
|
|
|
|
|
### F64 — `compose.scheduler.yml` references a missing crontab file
|
|
|
- **File:** `compose.scheduler.yml:10` (`./docker/scheduler.crontab`)
|
chiappa