Bug
Resolution: Outdated
Major
None
3.5.9, 3.6.3
At the moment it is possible to inject arbitrary JavaScript into every input field created by an FM template containing
<input name="someField" value="${someString}"/>
or by a JS function that creates the input field itself:
'<input type="text" name="' + this.name + '" value="' + this.value + '" >'
Neither form escapes the interpolated value, so a value containing a double quote closes the attribute and whatever follows is parsed as further attributes (for example an event handler).
The remedy:
- in the first case, use value="${someString?html}". Please note that ?html in FM does not escape single quotes, therefore the value has to be enclosed in double quotes when using the html escape function.
- in the second case, use value="' + this.value.replace(/"/g, '&quot;') + '". The replacement must be global: with a plain-string pattern, String.replace rewrites only the first quote, and any later quote in the value still breaks out of the attribute.
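Added example, not Magnolia code: the JS builder from this issue in three variants, so the difference between no escaping, a first-match-only replace, and a proper attribute escaper can be checked on a constructed payload. The function names (buildInputUnsafe, buildInputFirstQuoteOnly, buildInputSafe, escapeAttr, rawQuoteCount) and the payload are made up for this example. Unlike ?html on the FM side, escapeAttr also rewrites single quotes, so its output is safe in either attribute quoting style, and it is applied to the name as well, which the original snippet interpolates the same way.

```javascript
// Added example (not Magnolia code): the <input> builder from the issue in
// three variants, plus a crude check for quotes that escaped the attribute.

// Entity map for the characters that matter inside an HTML attribute.
// Escaping ' as well as " keeps the result safe in single-quoted attributes too.
const ATTR_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape a string for use inside an HTML attribute value (global replace).
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// 1. The pattern the issue reports: raw concatenation, nothing escaped.
function buildInputUnsafe(name, value) {
  return '<input type="text" name="' + name + '" value="' + value + '" >';
}

// 2. A string-pattern replace('"', '&quot;'). String.prototype.replace with a
//    string pattern rewrites only the first match, so a second quote in the
//    value still closes the attribute.
function buildInputFirstQuoteOnly(name, value) {
  return '<input type="text" name="' + name + '" value="' +
    String(value).replace('"', '&quot;') + '" >';
}

// 3. Global escaping of every attribute-significant character, applied to
//    name as well since it is interpolated exactly like value.
function buildInputSafe(name, value) {
  return '<input type="text" name="' + escapeAttr(name) +
    '" value="' + escapeAttr(value) + '" >';
}

// Crude check: the template has three attributes (type, name, value), so a
// correctly escaped result contains exactly six double quotes. Any quote
// from the payload that survived raises the count above six.
function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed payload (hypothetical): two quotes, so a first-match-only
// replace neutralises one and leaves the other to close the attribute.
const PAYLOAD = 'x" onfocus="alert(1)';

console.log('unsafe     :', buildInputUnsafe('q', PAYLOAD),
            rawQuoteCount(buildInputUnsafe('q', PAYLOAD)));          // 8
console.log('first only :', buildInputFirstQuoteOnly('q', PAYLOAD),
            rawQuoteCount(buildInputFirstQuoteOnly('q', PAYLOAD)));  // 7
console.log('safe       :', buildInputSafe('q', PAYLOAD),
            rawQuoteCount(buildInputSafe('q', PAYLOAD)));            // 6
```

Run with node; the quote count makes the point visible without a browser: only the globally escaped variant keeps the payload inside the value attribute.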
Acceptance criteria
is related to: MAGNOLIA-2111 Cross Site Scripting Vulnerability (XSS): provide a filter which checks all provided parameters (Closed)