As reported here there was a potential XSS vulnerability in one of my plugins. I was under the impression that the qa_lang_html functions escaped the output for display, given the name similarity to qa_html. However it appears this is not always the case, for example this:
...will output a script tag directly. Is this the intended behaviour or a bug? It feels wrong to me, given there is already qa_lang_sub for raw output - qa_lang_html_sub should be escaping the data.
Yes, qa_lang_html_sub(...) does not HTML escape the second parameter, by design. (That's why it's not called qa_lang_sub_html!) The reason is that Q2A sometimes substitutes some HTML code into a phrase, that escaping would ruin. You can of course call qa_html(qa_lang_sub(...)) if you wish to.
Welcome to the Q&A site for Question2Answer.
If you have a question about Q2A, please ask in English.
To report a bug, please create a new issue on Github or ask a question here with the bug tag.
If you just want to try Q2A, please use the demo site.