Details
- Bug
- Resolution: Incomplete
- Minor
- None
- Professional Edition
- None
Description
Revision 6273 added escape_html() to login_message, removing our ability to use HTML in the login warning.
Please revert this change:
@@-83,7 +83,7@@
if (isset($config['login_message']))
{ - echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.$config['login_message'].'</div></div></div>'); + echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.escape_html($config['login_message']).'</div></div></div>'); } ?>
<script type="text/javascript">
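Review bot: The escape_html() wrap on the added line removes behaviour the reporter relies on (markup in login_message rendering in the banner) without any accompanying documentation or config-default note in the hunk; keep escaping as the default path, and if HTML banners are to stay supported, add a clearly named opt-in key rather than returning to the removed line, which echoes a config string straight into the page with no encoding at all. Minor: `<div class=row>` on both lines leaves the class attribute unquoted, unlike the adjacent `class="col-md-6 col-md-offset-3"`; `class="row"` would be consistent.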
Escaping user input is appropriate. Escaping content in the name of security when ONLY the administrator could have defined it in the first place is not.
If you truly don't trust your own users to put appropriate values in the config file (which, bearing in mind, they can override as I have done just by editing the PHP file), then why not add an additional variable, login_message_html?
David
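To make the two options in this report concrete, here is an added example (not Observium's code and not the reporter's): the banner is escaped by default, exactly as the patched line does, and a hypothetical opt-in key `login_message_html` lets an administrator choose raw markup explicitly. `escape_html_example()`, `render_login_message()` and both sample configs are constructed for this illustration and do not exist in the project.

```php
<?php
// Added example, not Observium's code: escape-by-default rendering of the
// login banner, with a hypothetical opt-in key 'login_message_html' for
// administrator-supplied markup.

declare(strict_types=1);

/**
 * Stand-in for the project's escape_html(): HTML-encode every character
 * that could open a tag, close an attribute or start an entity.
 */
function escape_html_example(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the login banner. Text in $config['login_message'] is always
 * escaped. Only the hypothetical $config['login_message_html'] is emitted
 * as-is, so trusting markup is an explicit choice in the config rather than
 * the default for every message.
 */
function render_login_message(array $config): string
{
    if (isset($config['login_message_html'])) {
        $body = (string) $config['login_message_html'];          // opt-in: raw HTML
    } elseif (isset($config['login_message'])) {
        $body = escape_html_example((string) $config['login_message']); // default: text
    } else {
        return '';
    }

    return '<div class="row"><div class="col-md-6 col-md-offset-3">'
         . '<div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'
         . $body
         . '</div></div></div>';
}

// Constructed sample configs (not taken from any real installation).
$plainConfig = ['login_message'      => 'Authorised users only <b>see policy</b>'];
$htmlConfig  = ['login_message_html' => 'Authorised users only &mdash; <a href="/policy">policy</a>'];

echo render_login_message($plainConfig), PHP_EOL;  // <b> is emitted as &lt;b&gt;
echo render_login_message($htmlConfig), PHP_EOL;   // markup is preserved
```

With the first config the `<b>` tags show up literally in the banner; with the second the link renders. The trade-off is the one the report is about: the opt-in key is still a value only someone who can edit the config can set, so the escaping buys protection only against that value being populated by some other path later, at the cost of one extra setting for installations that want markup.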