[ http://jira.magnolia-cms.com/browse/MAGNOLIA-2463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Grégory Joseph updated MAGNOLIA-2463:
-------------------------------------

    Fix Version/s: 4.1.1
                       (was: 4.2)

> Disallow javascript injection from input field created in JS or by FM templates - XSS
> --------------------------------------------------------------------------------------
>
>                 Key: MAGNOLIA-2463
>                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-2463
>             Project: Magnolia
>          Issue Type: Bug
>          Components: admininterface, gui
>    Affects Versions: 3.5.9, 3.6.3
>            Reporter: Jan Haderka
>            Assignee: Jan Haderka
>             Fix For: 4.1.1
>
>
> At the moment it is possible to inject arbitrary javascript in all input fields created by FM template containing
> {code}
> <input name="someField" value="${someString}"/>
> {code}
> or in JS function creating input field itself
> {code}
> '<input type="text" name="' + this.name + '" value="' + this.value + '" >'
> {code}
> The remedy:
> - in the first case is to use {{value="${someString?html}"}}. Please note that {{?html}} in FM doesn't escape single quotes, therefore the value has to be enclosed in double quotes when using the html escape function.
> - and in the second to use {{" value="' + this.value.replace('"','&quot;') + '"}}.