Issue Type: Bug
Assignee: Roman Kovařík
Created: 13/Mar/13 10:08 AM
Description:

MGNLSTK-1105 removed escaping from FTL templates. The values are already escaped by HTMLEscapingNodeWrapper (MGNLSTK-1103).
Because the nodes for assets are taken directly from the session, they aren't wrapped and cause an XSS vulnerability in image properties.

Steps to reproduce:

  1. Use some XSS for Subject and Description of asset which appears in http://localhost:8080/magnoliaAuthor/demo-project/multimedia/image-gallery.html.
  2. Open the image gallery page.
    -> XSS exploit.
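The wrapper-level escaping the report relies on, as an added illustration (not Magnolia's code): the Node interface, SessionNode, HtmlEscapingNode and the sample asset are constructed stand-ins for javax.jcr.Node and HTMLEscapingNodeWrapper. A node handed to the template straight from the session bypasses the decorator, so the remedy is to wrap asset nodes the same way content nodes are wrapped.

```java
import java.util.Map;

public class EscapingWrapperDemo {
    /** Minimal node abstraction: only string properties matter here. */
    interface Node {
        String getProperty(String name);
    }

    /** A "raw" node as it comes straight from the session: nothing is escaped. */
    static final class SessionNode implements Node {
        private final Map<String, String> props;
        SessionNode(Map<String, String> props) { this.props = props; }
        @Override public String getProperty(String name) { return props.get(name); }
    }

    /** Decorator that HTML-escapes every string property it hands out. */
    static final class HtmlEscapingNode implements Node {
        private final Node wrapped;
        HtmlEscapingNode(Node wrapped) { this.wrapped = wrapped; }
        @Override public String getProperty(String name) {
            String v = wrapped.getProperty(name);
            return v == null ? null : escape(v);
        }
    }

    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What a template that no longer escapes emits for an asset's subject. */
    static String render(Node asset) {
        return "<img alt=\"" + asset.getProperty("subject") + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: an asset whose subject carries attribute-breaking markup.
        Node fromSession = new SessionNode(Map.of("subject", "\"><b>x</b>"));
        System.out.println(render(fromSession));                        // markup passes through unchanged
        System.out.println(render(new HtmlEscapingNode(fromSession)));  // markup neutralised by the wrapper
    }
}
```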
Fix Versions: 1.0
Project: Magnolia DAM Module
Priority: Critical
Reporter: Roman Kovařík
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------