[Owncloud] Changes to the XSS sanitization - Important notice to all developers
Lukas Reschke
lukas at owncloud.org
Fri Mar 1 22:31:51 UTC 2013
Hi all,
Starting with ownCloud 5.0 we removed the auto-sanitizing from the
OC_Template method assign(). We had multiple sensible reasons for
that, one of them was that auto-escaping is just not 100% reliable and
caused more trouble than it gave us back in benefits.
That said, the needed changes to your app are really marginal - and
if you host your app on our app repo on Github they have already been
done for you. (Please check if your app still works properly!)
ownCloud 5.0 introduced 2 new functions for that:
- if you want to get unescaped HTML, use print_unescaped()
- if you want to get sanitized strings, use p()
tl;dr:
- Never use echo(), print() or <?= in your templates
- Use p() or print_unescaped() instead
For more in-depth information and examples I highly encourage you to
take a look at our documentation:
- http://doc.owncloud.org/server/5.0/developer_manual/app/templates.html#owncloud-templates
- http://doc.owncloud.org/server/5.0/developer_manual/classes/core/templates.html#OC_Template
Thanks,
Lukas
--
ownCloud
Your Cloud, Your Data, Your Way!
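The porting step described in the message above, as an added example that is not part of the original mail and not ownCloud's own code: an old template fragment that still relies on assign() escaping its values, next to the same fragment rewritten with p() and print_unescaped(). The stand-in p() and print_unescaped() definitions are an assumption (modelled as htmlspecialchars() with ENT_QUOTES and a plain print()) so the file runs stand-alone; the `$_` array is the one ownCloud templates receive their assigned variables in, and the display name and notice are constructed sample data.

```php
<?php
// Added example, not code from the original message or from ownCloud itself.
// ASSUMPTION: the stand-in p() models ownCloud's helper as HTML-entity
// escaping via htmlspecialchars(ENT_QUOTES); print_unescaped() prints as-is.
// In a real ownCloud 5.0 install the core helpers are already defined, which
// is why both stand-ins are guarded with function_exists().

if (!function_exists('p')) {
    // Stand-in for ownCloud's p(): print $string HTML-escaped.
    function p($string)
    {
        print(htmlspecialchars((string) $string, ENT_QUOTES, 'UTF-8'));
    }
}

if (!function_exists('print_unescaped')) {
    // Stand-in for ownCloud's print_unescaped(): print $string verbatim.
    function print_unescaped($string)
    {
        print((string) $string);
    }
}

// Old template fragment (pre-5.0 habit): uses echo and relies on assign()
// having escaped $_['name'], which ownCloud 5.0 no longer does.
function render_old(array $_)
{
    ob_start();
    ?>
<li class="user" data-name="<?php echo $_['name']; ?>"><?php echo $_['name']; ?></li>
<?php
    return ob_get_clean();
}

// Ported template fragment: p() for every value that came from data,
// print_unescaped() only for markup the app itself composed.
function render_new(array $_)
{
    ob_start();
    ?>
<li class="user" data-name="<?php p($_['name']); ?>"><?php p($_['name']); ?></li>
<div class="notice"><?php print_unescaped($_['notice_html']); ?></div>
<?php
    return ob_get_clean();
}

// Quick check a developer can run after porting: with the hostile sample
// below, no raw <script tag should survive in the rendered output.
function contains_raw_script($html)
{
    return stripos($html, '<script') !== false;
}

// Constructed sample data: a display name chosen by a hostile user, and a
// notice the server composed from trusted, already-escaped parts.
$vars = array(
    'name'        => 'Mallory"><script>alert(document.cookie)</script>',
    'notice_html' => '<strong>Maintenance</strong> tonight at 02:00 UTC',
);

$old = render_old($vars);
$new = render_new($vars);

// Demo driver (not template code): show both renderings and the check.
print("--- old (echo) ---\n" . $old);
print("--- new (p / print_unescaped) ---\n" . $new);
print("old contains raw script: " . var_export(contains_raw_script($old), true) . "\n");
print("new contains raw script: " . var_export(contains_raw_script($new), true) . "\n");
```

Run it with `php example.php`: the old fragment emits the injected script tag both inside the attribute and in the element body, the ported one emits `&lt;script&gt;` and `&quot;` instead, while the notice keeps its `<strong>` markup because it went through print_unescaped(). Two caveats a reviewer will want to apply to every ported template: print_unescaped() is only for markup the app built itself, never for anything that originated in user data; and entity escaping of the kind p() performs makes a value safe in HTML element and attribute context, not inside an inline `<script>` block or a URL attribute, which need their own context-specific encoding. A simple `grep -rnE 'echo|print\(|<\?=' templates/` over an app is a cheap way to find fragments the port missed.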