Disallow JavaScript injection from input fields created in JS or by FM templates - XSS
--------------------------------------------------------------------------------------

                 Key: MAGNOLIA-2463
                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-2463
             Project: Magnolia
          Issue Type: Bug
          Components: admininterface, gui
    Affects Versions: 3.6.3, 3.5.9
            Reporter: Jan Haderka
            Assignee: Jan Haderka
             Fix For: 3.6.x, 3.7


At the moment it is possible to inject arbitrary JavaScript into all input fields 
created by an FM template containing
{code}
<input name="someField" value="${someString}"/>
{code}
or in JS function creating input field itself
{code}
'<input type="text" name="' + this.name + '" value="' + this.value + '" >'
{code}
The remedy:
- in the first case is to use {{value="${someString?html}"}}. Please note that 
{{?html}} in FM doesn't escape single quotes, therefore the value has to be 
enclosed in double quotes when using the html escape function.
- and in the second to use {{" value="' + this.value.replace(/"/g, '&quot;') + '"}} 
(a global regex, so every double quote in the value is replaced, not only the first one).
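As an added illustration (not code from this issue or from Magnolia), the concatenation reported above next to an escaping variant, plus a stand-in for FreeMarker's {{?html}} to show why the single-quote caveat matters. {{fmHtml}}, {{escapeAttr}}, {{wellFormedInput}} and the two constructed inputs are assumed names for this example.

```javascript
// fmHtml: assumed approximation of FreeMarker's ?html built-in, which escapes
// &, <, > and " but leaves the single quote alone (the caveat in the report).
function fmHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// escapeAttr: full attribute escape that also covers the single quote.
function escapeAttr(s) {
  return fmHtml(s).replace(/'/g, '&#39;');
}

// The JS pattern from the report: raw values concatenated into the markup.
function inputUnsafe(name, value) {
  return '<input type="text" name="' + name + '" value="' + value + '" >';
}

// Hardened form: every dynamic piece is escaped before concatenation.
function inputSafe(name, value) {
  return '<input type="text" name="' + escapeAttr(name) + '" value="' + escapeAttr(value) + '" >';
}

// Template-style output with ?html: double-quoted (correct) and single-quoted (the caveat).
function inputDoubleQuoted(value) {
  return '<input name="someField" value="' + fmHtml(value) + '"/>';
}
function inputSingleQuoted(value) {
  return "<input name='someField' value='" + fmHtml(value) + "'/>";
}

// Defender's check: the fragment must render as exactly one tag whose
// attribute names are exactly the ones the template intended to emit.
function attrNames(html) {
  const names = [];
  const re = /\s([\w-]+)\s*=\s*(?:"[^"]*"|'[^']*')/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}
function wellFormedInput(html, expectedAttrs) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.length === 1 &&
    JSON.stringify(attrNames(html)) === JSON.stringify(expectedAttrs);
}

// Constructed inputs: one closes a double-quoted attribute, one a single-quoted one.
const BREAK_DOUBLE = '"><b>injected</b>';
const BREAK_SINGLE = "' title='injected";
```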

-- 
This message is automatically generated by JIRA.