#718: Generating the current route without additional arguments results in
unescaped single quotes and square brackets, potentially incorrectly
replaced argument separator
----------------------+-----------------------------------------------------
 Reporter:  david     |      Owner:  david
     Type:  defect    |     Status:  new
 Priority:  highest   |  Milestone:  0.11.1
Component:  routing   |    Version:  0.11.0
 Severity:  critical  | Resolution:
 Keywords:            |  Has_patch:  0
----------------------+-----------------------------------------------------
Changes (by david):

 * summary:  Generating the current route without additional arguments
             results in unescaped single quotes and square brackets
             => Generating the current route without additional arguments
             results in unescaped single quotes and square brackets,
             potentially incorrectly replaced argument separator
Old description:
> {{{[}}} and {{{]}}} must be escaped in query strings. Also, the unescaped
> {{{'}}} opens the door to XSS/CSRF attacks on sites that use single
> quotes in their markup.
New description:
{{{[}}} and {{{]}}} must be escaped in query strings. Also, the unescaped
{{{'}}} opens the door to XSS/CSRF attacks on sites that use single quotes
in their markup. And {{{&}}} is replaced with the output argument
separator, which is not correct, since the input separator
({{{arg_separator.input}}}) needs to be used as the subject.
--
Ticket URL: <http://trac.agavi.org/ticket/718#comment:1>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets
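The PHP below is an added illustration written for this page; it is not Agavi code and does not use Agavi's routing API. It contrasts a rebuild of the current query string that behaves the way the ticket describes (raw string kept, only `&` swapped for the output separator) with one that splits on every character in arg_separator.input and percent-encodes each key and value, so `[`, `]` and `'` come out as `%5B`, `%5D` and `%27`. The function names, the sample query string and the separator values are assumptions made here, not taken from the ticket.

```php
<?php
// Added example, not part of the Agavi ticket or code base.
// Assumption: separators come from php.ini (arg_separator.input /
// arg_separator.output); here they are hard-coded for an offline run.

/**
 * The behaviour the ticket describes: the raw query string is passed through
 * untouched except that every '&' becomes the output separator. Nothing is
 * escaped, and a second input separator such as ';' is never recognised.
 */
function rebuild_query_naive(string $raw, string $outSep): string
{
    return str_replace('&', $outSep, $raw);
}

/**
 * Corrected rebuild: split on each character listed in arg_separator.input,
 * decode key and value, then re-encode both with rawurlencode(), which
 * percent-encodes everything outside A-Z a-z 0-9 - _ . ~ (so [ ] ' = ( ) are
 * all escaped). Repeated keys such as foo[]=1&foo[]=2 are kept in order.
 */
function rebuild_query_safe(string $raw, string $inSep, string $outSep): string
{
    if ($raw === '') {
        return '';
    }
    // preg_quote() makes the separator characters safe inside a character class.
    $pairs   = preg_split('/[' . preg_quote($inSep, '/') . ']/', $raw);
    $encoded = [];
    foreach ($pairs as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $key   = rawurldecode($parts[0]);
        $value = isset($parts[1]) ? rawurldecode($parts[1]) : '';
        $encoded[] = rawurlencode($key) . '=' . rawurlencode($value);
    }
    return implode($outSep, $encoded);
}

// Constructed sample input (not from a real request): an attacker-supplied
// value that tries to close a single-quoted href attribute, plus ';' used
// as a second separator, as a php.ini setting of arg_separator.input = ";&"
// would allow.
$raw    = "page=1;filter[name]='onmouseover='alert(1)&sort=asc";
$inSep  = ';&';     // assumed arg_separator.input
$outSep = '&amp;';  // assumed arg_separator.output for HTML output

echo "naive: ", rebuild_query_naive($raw, $outSep), "\n";
echo "safe:  ", rebuild_query_safe($raw, $inSep, $outSep), "\n";
```

In the naive output the `;`-separated pair is left as one token, and the `'`, `[` and `]` survive unchanged, which is exactly what lets the value terminate a `href='...'` attribute. In the safe output every pair is split correctly and joined with the output separator, and the attacker's quote and brackets are percent-encoded, so the string can be placed in single- or double-quoted markup. If the output separator is `&amp;` the result is already HTML-safe; do not run it through htmlspecialchars() a second time or the separator is double-encoded.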