BareUI: Security issue denied #133

@netAction

https://leafphp.dev/docs/frontend/bareui.html

Leaf automatically encodes all data in your app

Yeah sure. All data always. What does this even mean? In reality, BareUI does not really encode the variables:

echo \Leaf\BareUI::render('testpage', ['test' => '<a href="test">XXX</a>']);
+
<h3>Testpage<?= $test ?></h3>
=
<h3>Leaf Dashboard<a href="test">XXX</a></h3>

as we had in 1990. No encoding at all. I am not sure why something is called a templating engine that can't be trusted for the bare (pun intended) minimum.

tl;dr: This paragraph is dangerous. A big warning because of missing encoding would be a quick fix.
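The following is an added example, not code from the issue author or from the Leaf/BareUI project. It reproduces the problem the report describes (a raw `<?= $test ?>` in a template is a cross-site-scripting sink) next to the fix a template author has to apply themselves: HTML-encode the value at the point where it is written into the page. `renderTemplate()` is a minimal stand-in for a PHP template engine so the file runs on its own; the helper name `e()` is an assumption for this example, not a documented BareUI function, and the payload is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Leaf/BareUI project code. Shows why a raw `<?= $test ?>`
// in a template is an XSS sink and what encoding at the output sink looks like.
// renderTemplate() is a tiny stand-in for a PHP template engine so this file
// runs by itself (`php xss_encoding_demo.php`); e() is a helper name chosen
// here, not a documented BareUI function.

// HTML-context encoder: turns & < > " ' into entities so untrusted text can only
// ever be text inside an element or inside a quoted attribute value.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stand-in renderer: writes the template to a temp file, extracts $data into
// local scope (so the template sees $test) and includes it, which is the same
// mechanism that makes `<?= $test ?>` work in a PHP-based template engine.
function renderTemplate(string $template, array $data): string
{
    $file = tempnam(sys_get_temp_dir(), 'tpl');
    file_put_contents($file, $template);
    extract($data, EXTR_SKIP);
    ob_start();
    include $file;
    $html = ob_get_clean();
    unlink($file);
    return $html;
}

// Quick check for rendered output: an encoded value must not reintroduce a real
// tag (a literal "<" followed by a tag name) or an event-handler attribute
// inside a real tag. Encoded text contains "&lt;" instead of "<", so it passes.
function containsActiveMarkup(string $html): bool
{
    return (bool) preg_match('/<(script|img|svg|iframe|a)\b|<[a-z][^>]*\bon[a-z]+\s*=/i', $html);
}

// Constructed attacker-controlled input, e.g. a query parameter or a stored
// profile field. The first part is the payload from the issue; the second part
// is the kind of thing an attacker actually sends.
$payload = '<a href="test">XXX</a><img src=x onerror="alert(document.cookie)">';

$unsafeTemplate = '<h3>Testpage<?= $test ?></h3>';    // raw interpolation, as in the issue
$safeTemplate   = '<h3>Testpage<?= e($test) ?></h3>'; // encode at the output sink

$unsafe = renderTemplate($unsafeTemplate, ['test' => $payload]);
$safe   = renderTemplate($safeTemplate, ['test' => $payload]);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

if (!containsActiveMarkup($unsafe) || containsActiveMarkup($safe)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
echo "encoding check passed\n";
```

`htmlspecialchars()` with `ENT_QUOTES` is the right encoder only for HTML element content and quoted attribute values. A value that lands inside a `<script>` block, a URL, a CSS value or an unquoted attribute needs a different, context-specific encoder (or should not be allowed there at all), and encoding belongs at the output sink, not on input, so the stored data stays intact and every rendering context can apply its own rules.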
