[http://jira.magnolia-cms.com/browse/MAGNOLIA-2463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19136#action_19136]
Hudson CI server commented on MAGNOLIA-2463:
--------------------------------------------
Integrated in [magnolia_main-trunk #195|http://hudson.magnolia-cms.com/job/magnolia_main-trunk/195/]
Escape input field values to prevent XSS attack.
> Disallow javascript injection from input field created in JS or by FM
> templates - XSS
> --------------------------------------------------------------------------------------
>
> Key: MAGNOLIA-2463
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-2463
> Project: Magnolia
> Issue Type: Bug
> Components: admininterface, gui
> Affects Versions: 3.5.9, 3.6.3
> Reporter: Jan Haderka
> Assignee: Jan Haderka
> Fix For: 3.6.x, 3.7
>
>
> At the moment it is possible to inject arbitrary JavaScript into all input
> fields created by an FM template containing
> {code}
> <input name="someField" value="${someString}"/>
> {code}
> or in a JS function creating the input field itself
> {code}
> '<input type="text" name="' + this.name + '" value="' + this.value + '" >'
> {code}
> The remedy:
> - in the first case, is to use {{value="${someString?html}"}}. Please note
> that {{?html}} in FM doesn't escape single quotes, therefore the value has to be
> enclosed in double quotes when using the html escape function.
> - and in the second, to use {{" value="' + this.value.replace('"','&quot;') + '"}}.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
for list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
----------------------------------------------------------------
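An added example (not Magnolia's code, nor the fix referenced by the Hudson build above) of the second case in the issue: building an <input> tag as a string in JavaScript with the user-controlled value escaped. It goes beyond the single replace in the issue by escaping every occurrence of all five attribute-breaking characters, including single quotes, since String.prototype.replace with a string pattern only replaces the first match; escapeHtmlAttr, buildInput and SAMPLE_VALUE are names chosen here.

```javascript
// Added example: escape values before concatenating them into an <input>
// tag built as a string in JavaScript (the issue's second case).

const ATTR_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for use inside a double-quoted HTML attribute.
// A global regex replaces every occurrence; a string pattern passed to
// String.prototype.replace would only replace the first one.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Build the tag the way the issue's JS snippet does, but with both
// attribute values escaped and always enclosed in double quotes.
function buildInput(name, value) {
  return '<input type="text" name="' + escapeHtmlAttr(name) +
         '" value="' + escapeHtmlAttr(value) + '">';
}

// Constructed sample input: a value that tries to close the value
// attribute and add an event handler attribute of its own.
const SAMPLE_VALUE = 'x" onmouseover="alert(1)';

// Escaped output keeps the whole value inside the value="..." attribute:
// <input type="text" name="someField" value="x&quot; onmouseover=&quot;alert(1)">
console.log(buildInput('someField', SAMPLE_VALUE));
```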