MantisBT: master 3dada1bf

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2019-05-09 11:32:27
Parent: master f1191b68
Affected Issues: 0025749: error_string() does not allow HTML tags inside of error messages

error_string() allow HTML tags in lang string

Prior to this, HTML escaping was applied after parameter substitution,
on the whole string.

Now, the language string for the error message is considered trusted
input and is therefore not escaped; we only process the parameters,
allowing <br> tags, before they are inserted into the placeholders.

Fixes 0025749

mod - core/error_api.php
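
The change in escaping order described in the commit message, as an added example that is not MantisBT's code: the function names, the template and the parameter values are hypothetical and constructed for illustration, and only PHP built-ins are used.

```php
<?php
// Added illustration; all names below are hypothetical, not MantisBT's API.

// Escape one parameter for HTML output, then re-enable literal <br> tags only.
function escape_param($value): string {
    $escaped = htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // After escaping, a <br> or <br /> typed in the value reads &lt;br&gt; or
    // &lt;br /&gt;. Only that exact form is turned back into a tag.
    return preg_replace('#&lt;br\s*/?&gt;#i', '<br>', $escaped);
}

// Old order: substitute first, then escape the whole string.
// Markup in the language string is escaped along with the parameters.
function error_string_before(string $template, array $params): string {
    return htmlspecialchars(vsprintf($template, $params), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// New order: the language string is trusted and left as is;
// each parameter is escaped before it is put into its placeholder.
function error_string_after(string $template, array $params): string {
    return vsprintf($template, array_map('escape_param', $params));
}

// Constructed sample: a language string with markup, and an untrusted parameter.
$template = 'Field <em>%1$s</em> is invalid.<br>Value given: %2$s';
$params   = ['summary', '<script>alert(1)</script><br />second line'];

echo error_string_before($template, $params), PHP_EOL;
echo error_string_after($template, $params), PHP_EOL;
```

With the new order the language string reaches the page unescaped, so whoever can edit language strings or custom string files can add markup to error pages, and those files need the same write protection as code.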