From 6abcb0db75324ff39f6557a1bcfcf90bc1a03d69 Mon Sep 17 00:00:00 2001
From: Thomas Steur
Date: Tue, 12 Nov 2013 00:06:09 +0000
Subject: refs #4256 by default escape notification message

---
core/Notification.php | 9 +++++++--
core/Plugin/ControllerAdmin.php | 2 +-
core/Twig.php | 8 +++++++-
3 files changed, 15 insertions(+), 4 deletions(-)

(limited to 'core')

diff --git a/core/Notification.php b/core/Notification.php
index 6fb733b527..a3e9ac51e1 100644
--- a/core/Notification.php
+++ b/core/Notification.php
@@ -108,17 +108,22 @@ class Notification
 */
 public $priority;
 
+ public $raw = false;
+
 /**
- * @param string $message The notification message. Make sure to escape the message if needed.
+ * @param string $message The notification message.
+ * @param boolean $raw Set to true in case you want the raw message output. Make sure to escape the text in
+ * this case by yourself.
 * @throws \Exception In case the message is empty.
 */
- public function __construct($message)
+ public function __construct($message, $raw = false)
 {
 if (empty($message)) {
 throw new \Exception('No notification message given');
 }
 
 $this->message = $message;
+ $this->raw = $raw;
 }
 
 public function hasNoClear()
diff --git a/core/Plugin/ControllerAdmin.php b/core/Plugin/ControllerAdmin.php
index 31f42c3eba..d7d47201cc 100644
--- a/core/Plugin/ControllerAdmin.php
+++ b/core/Plugin/ControllerAdmin.php
@@ -108,7 +108,7 @@ abstract class ControllerAdmin extends Controller
 ));
 
 if (Piwik::isUserIsSuperUser()) {
- $notification = new Notification($invalidPluginsWarning);
+ $notification = new Notification($invalidPluginsWarning, true);
 $notification->context = Notification::CONTEXT_WARNING;
 $notification->title = Piwik::translate('General_Warning') . ':';
 Notification\Manager::notify('ControllerAdmin_InvalidPluginsWarning', $notification);
diff --git a/core/Twig.php b/core/Twig.php
index 389a579a63..01282ef35d 100644
--- a/core/Twig.php
+++ b/core/Twig.php
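Review bot: The new `public $raw = false;` property has no docblock while `$priority` directly above it is documented, and because it is public it can be flipped after construction without ever passing the constructor's `@param` text; add `/** @var bool True outputs the message unescaped; the caller is then responsible for escaping it. */` above the property. The constructor also stores `$raw` unnormalised, so a string or int can land in a property documented as boolean; `$this->raw = (bool) $raw;` keeps it a real bool. The `Notification` class continues outside the hunk.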
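Review bot: Passing `true` here opts `$invalidPluginsWarning` out of the escaping this commit makes the default, so this call site now owns HTML-escaping of every dynamic piece (plugin names and similar) interpolated into the message; that string is built above the hunk, so I cannot see whether its dynamic parts already go through `htmlspecialchars()`, and that should be confirmed before merging. A short comment on the call, `// raw: message carries markup; dynamic parts are escaped where the string is built`, would record that the opt-out is deliberate. The enclosing method starts and ends outside the hunk.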
@@ -172,7 +172,13 @@ class Twig
 }
 $template .= '>';
- $template .= $message;
+
+ if (!empty($options['raw'])) {
+ $template .= $message;
+ } else {
+ $template .= twig_escape_filter($twigEnv, $message, 'html');
+ }
+
 $template .= '';
 
 return $template;
-- 
cgit v1.2.3
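Review bot: The branch keys on `$options['raw']`, but nothing in this hunk shows where that key is populated; unless the code that builds `$options` from a `Notification` (outside this hunk) copies the new `$raw` property into it, the flag is silently ignored and every message is escaped, which is the safe failure mode but leaves the feature inert. A comment above the `if` would make the contract explicit: `// Escape by default; a notification created with raw=true must escape its own message.`. The `'html'` strategy fits the element body the message is written into; it would not be sufficient if the message were ever placed inside an attribute. The enclosing function starts outside the hunk.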