Magnolia / MAGNOLIA-2463

Disallow JavaScript injection from input fields created in JS or by FM templates - XSS


Details

    Description

      At the moment it is possible to inject arbitrary JavaScript into any input field created by an FM template containing

      <input name="someField" value="${someString}"/>

      or by a JS function that builds the input field itself:

      '<input type="text" name="' + this.name + '" value="' + this.value + '" >'

      The remedy:

      • in the first case is to use value="${someString?html}". Please note that ?html in FM doesn't escape single quotes, therefore the value has to be enclosed in double quotes when using the html escape function.
      • in the second case is to use " value="' + this.value.replace('"','&quot;') + '".
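The JS half of the issue, as an added example that is not Magnolia's code: the concatenation quoted above beside an attribute escaper, with a small check that counts raw double quotes in the generated tag. It also shows why a string-pattern replace() is not enough on its own: String.prototype.replace with a string (rather than a /g regex) rewrites only the first match, so a value containing two quotes still breaks out of the attribute. The sample value and function names are constructed for this example.

```javascript
// Added example (not code from the Magnolia issue or project): building an
// <input> tag from untrusted values, vulnerable form beside hardened form.

// The concatenation quoted in the issue: a '"' inside `value` closes the
// attribute, and whatever follows is parsed as new attributes or markup.
function buildInputUnsafe(name, value) {
  return '<input type="text" name="' + name + '" value="' + value + '" >';
}

// The replace() from the issue called with a STRING pattern: only the first
// '"' in `value` is rewritten, every later one still ends the attribute.
function buildInputFirstQuoteOnly(name, value) {
  return '<input type="text" name="' + name +
         '" value="' + value.replace('"', '&quot;') + '" >';
}

// Escape every character that can end an attribute value or start markup.
// '&' is handled first so the '&' introduced by the later entities is not
// escaped a second time. Single quotes are covered too, so the result is safe
// in either attribute quoting style (unlike FM's ?html, per the issue text).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function buildInputSafe(name, value) {
  return '<input type="text" name="' + escapeAttr(name) +
         '" value="' + escapeAttr(value) + '" >';
}

// Check helper: count raw '"' characters in a generated tag. The template
// above has exactly three quoted attributes, so a correctly escaped tag has
// six raw quotes; anything above six means a value broke out of its attribute.
function rawQuoteCount(tag) {
  return (tag.match(/"/g) || []).length;
}

// Constructed sample value with two quoted words (four '"' characters).
const constructedValue = 'say "hi" to "Bob"';

console.log(buildInputUnsafe('f', constructedValue));          // 10 raw quotes
console.log(buildInputFirstQuoteOnly('f', constructedValue));  // 9 raw quotes
console.log(buildInputSafe('f', constructedValue));            // 6 raw quotes
```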


People

    Assignee: Unassigned
    Reporter: Jan Haderka (had)