-
Bug
-
Resolution: Won't Fix
-
Blocker
-
3.1.0-dev
-
None
The INCLUDEJS instruction does not perform HTML escaping of the generated URL, given the input:
<!-- INCLUDEJS parent_and_child.js?test=1&assets_version=0 -->
|
The output is:
<script type="text/javascript" src=".../templates/parent_and_child.js?test=1&assets_version=0&assets_version=1"></script>
|
Note the unescaped ampersands. The URL should be passed through Twigs escape filter.