[
http://jira.magnolia-cms.com/browse/MAGNOLIA-2463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Grégory Joseph updated MAGNOLIA-2463:
-------------------------------------
Fix Version/s: 4.1.1
(was: 4.2)
> Dissallow javascript injection from input field created in JS or by FM
> templates - XSS
> --------------------------------------------------------------------------------------
>
> Key: MAGNOLIA-2463
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-2463
> Project: Magnolia
> Issue Type: Bug
> Components: admininterface, gui
> Affects Versions: 3.5.9, 3.6.3
> Reporter: Jan Haderka
> Assignee: Jan Haderka
> Fix For: 4.1.1
>
>
> At the moment it is possible to inject arbitrary javascript in all input
> fields created by FM template containing
> {code}
> <input name="someField" value="${someString}"/>
> {code}
> or in JS function creating input field itself
> {code}
> '<input type="text" name="' + this.name + '" value="' + this.value + '" >'
> {code}
> The remedy:
> - in the first case is to use {{value="${someString?html}"}}. Please note
> that {{?html}} in FM doesn't escape single quotes therefore value have to be
> enclosed in double quotes when using html escape function.
> - and in second to use {{" value="' + this.value.replace('"','&quot;') +
> '"}}.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------
