Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Neutral
Fix Version/s: 1.0
Affects Version/s: None
Labels:
None

Template:
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Bug DoR:

show more show less
Sprint:
Basel 101, Basel 102
Story Points:
3

See relate issue MAGNOLIA-6448. Basically templates may get a vulnerable aggregation state object.
To reproduce:

In Resources App create /travel-demo/models/components/textImage.js
- Add the following snippet to the above file

var MyModel = function() {

    this.currentURI= function() {
        return "current uri is " + state.currentURI;
    };

};

new MyModel();

Edit /travel-demo/templates/components/textImage.yaml and add the following snippet

modelPath: /travel-demo/models/components/textImage.js
class: info.magnolia.module.jsmodels.rendering.JavascriptTemplateDefinition

Edit /travel-demo/templates/components/textImage.ftl and add the following snippet
```
TEST ${model.currentURI()}
```
open page with malicious URI http://localhost:8080/travel/about~cf503%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E7af3b~
problem shows up
enable /server/rendering/engine@escapeHtml=true and open again the above page

Acceptance criteria

Assignee:: Federico Grilli

Reporter:: Federico Grilli

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 01/Jun/17 7:18 PM

Updated:: 28/Jun/17 11:53 AM

Resolved:: 28/Jun/17 11:44 AM

Date of First Response:: 28/Jun/17 9:40 AM

Bug DoR

Task DoD