-
Bug
-
Resolution: Fixed
-
Neutral
-
None
-
None
-
Basel 101, Basel 102
-
3
See related issue MAGNOLIA-6448. Basically, templates may get a vulnerable aggregation state object.
To reproduce:
- In Resources App create /travel-demo/models/components/textImage.js
- Add the following snippet to the above file
    var MyModel = function() {
        this.currentURI = function() {
            return "current uri is " + state.currentURI;
        };
    };
    new MyModel();
- Edit /travel-demo/templates/components/textImage.yaml and add the following snippet
    modelPath: /travel-demo/models/components/textImage.js
    class: info.magnolia.module.jsmodels.rendering.JavascriptTemplateDefinition
- Edit /travel-demo/templates/components/textImage.ftl and add the following snippet
TEST ${model.currentURI()}
- Open the page with the malicious URI http://localhost:8080/travel/about~cf503%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E7af3b~
- The problem shows up
- Enable /server/rendering/engine@escapeHtml=true and open the above page again
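The following is an added example, not code from this issue or from Magnolia: it puts the model from the reproduction steps beside a variant that HTML-encodes `state.currentURI` before returning it, and renders both against the request path above. The names `escapeHtml`, `UnsafeModel`, `SafeModel`, `sampleState` and `render` are hypothetical, and the `state` object is a constructed stand-in that assumes the path arrives percent-decoded.

```javascript
// Added example. Only state.currentURI, the template line and the request
// path come from the issue; every other name here is hypothetical.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Model as in the reproduction steps: the URI reaches the template unchanged.
function UnsafeModel(state) {
  this.currentURI = function () {
    return "current uri is " + state.currentURI;
  };
}

// Same model, but the request-derived value is encoded before it is returned.
function SafeModel(state) {
  this.currentURI = function () {
    return "current uri is " + escapeHtml(state.currentURI);
  };
}

// Constructed stand-in for the aggregation state (assumption: the container
// hands the model the percent-decoded path of the URL from the issue).
var requestPath = "/travel/about~cf503%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E7af3b~";
var sampleState = { currentURI: decodeURIComponent(requestPath) };

// Mirrors the template line: TEST ${model.currentURI()}
function render(model) {
  return "TEST " + model.currentURI();
}

var unsafeHtml = render(new UnsafeModel(sampleState));
var safeHtml = render(new SafeModel(sampleState));
console.log("unescaped:", unsafeHtml);
console.log("escaped:  ", safeHtml);
```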
Acceptance criteria