Release Notes / Version 11.2304
Table Of Contents
While the output of the Freemarker function
${cm.getMessage()
} is escaped by Freemarker, the same functionallity as Freemarcer macro
<@cm.message />
was not.
For security reasons we changed it, so both are escaped now by default. This is important if you add unchecked user input values into the message strings, like for example in search result headers.
Upgrade Steps:
Only if you have translation messages including HTML in your properties files and using the macro, you need to add the parameter
escaping=false
, in all other cases you have nothing to do.
Example:
Before:
<@cm.message key="message_with_html"/>
After:
<@cm.message key="message_with_html" escaping=false/>
(CMS-21409)