From ddb5db354ac1b55ce99c9d0e977a2a63099f4c21 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 23 Jul 2010 00:46:02 +0200 Subject: Bug 398701: Replace |FILTER url_quote| by |FILTER uri| r/a=mkanat --- docs/en/xml/customization.xml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/en/xml/customization.xml b/docs/en/xml/customization.xml index f397cff53..9b62b1d0b 100644 --- a/docs/en/xml/customization.xml +++ b/docs/en/xml/customization.xml @@ -207,20 +207,11 @@ This means that if the data can possibly contain special HTML characters such as <, and the data was not intended to be HTML, they need to be converted to entity form, i.e. &lt;. You use the 'html' filter in the - Template Toolkit to do this. If you forget, you may open up - your installation to cross-site scripting attacks. + Template Toolkit to do this (or the 'uri' filter to encode special + characters in URLs). If you forget, you may open up your installation + to cross-site scripting attacks. - - Also note that Bugzilla adds a few filters of its own, that are not - in standard Template Toolkit. In particular, the 'url_quote' filter - can convert characters that are illegal or have special meaning in URLs, - such as &, to the encoded form, i.e. %26. This actually encodes most - characters (but not the common ones such as letters and numbers and so - on), including the HTML-special characters, so there's never a need to - HTML filter afterwards. - - Editing templates is a good way of doing a poor man's custom fields. -- cgit v1.2.3-24-g4f1b
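Review bot: The new parenthetical in the kept `Template Toolkit to do this (or the 'uri' filter ...)` line loses a security-relevant statement that the removed paragraph made explicitly: it told template authors that 'url_quote' also encoded the HTML-special characters, "so there's never a need to HTML filter afterwards." The replacement text does not say whether the same holds for 'uri', so a reader can no longer tell from the documentation whether a value passed through 'uri' may be placed into an href attribute as-is or must additionally go through the 'html' filter. Suggest adding one sentence after the parenthetical stating which it is (for example, "Values passed through 'uri' do not need the 'html' filter afterwards" or, if that is not true for the Template Toolkit version Bugzilla requires, the opposite), since this is exactly the point where a forgotten filter leads to the cross-site scripting exposure the paragraph warns about. A smaller point: the deleted paragraph also carried the general note that "Bugzilla adds a few filters of its own, that are not in standard Template Toolkit"; if other Bugzilla-specific filters remain after dropping 'url_quote', that sentence is still accurate and is useful to keep, with only the 'url_quote' example removed.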