Don't escape label contents

Trying to protect against XSS in the case that someone is using user input for label contents is not worth the trade-off of disallowing users of the library to customize the HTML contents of their labels. If you are using user input in your labels, I recommend escaping that data manually before including it in your label.
adamwathan · Jul 7, 2017 · d44534b · d44534b
1 parent 5000dcf
commit d44534b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 10 deletions.
diff --git a/src/AdamWathan/Form/Elements/Label.php b/src/AdamWathan/Form/Elements/Label.php
@@ -20,13 +20,13 @@ public function render()
         $tags = [sprintf('<label%s>', $this->renderAttributes())];
 
         if ($this->labelBefore) {
-            $tags[] = $this->escape($this->label);
+            $tags[] = $this->label;
         }
 
         $tags[] = $this->renderElement();
 
         if (! $this->labelBefore) {
-            $tags[] = $this->escape($this->label);
+            $tags[] = $this->label;
         }
 
         $tags[] = '</label>';

diff --git a/tests/LabelTest.php b/tests/LabelTest.php
@@ -75,12 +75,4 @@ public function testCanRetrieveElement()
         $result = $label->after($element)->getControl();
         $this->assertEquals($element, $result);
     }
-
-    public function testAgainstXssAttacksInLabel()
-    {
-        $label = new Label('<script>alert("xss")</script>');
-        $expected = '<label>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</label>';
-        $result = $label->render();
-        $this->assertEquals($expected, $result);
-    }
 }