Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 1.0
Affects Version/s: None
Component/s: None
Labels:
None

Template:
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Bug DoR:

show more show less

~~MGNLSTK-1105~~ removed escaping from FTL templates. The values are already escaped by HTMLEscapingNodeWrapper (~~MGNLSTK-1103~~).
Because the nodes for assets are taken directly from session, they aren't wrapped and cause XSS vulnerability of image properties.

Steps to reproduce:

Use some XSS for Subject and Description of asset which appears in http://localhost:8080/magnoliaAuthor/demo-project/multimedia/image-gallery.html.
Open the image gallery page.
-> XSS exploit.

Acceptance criteria

is depended upon by

MGNLSTK-1105 Escape values for rendering, don't escape already escaped values - port to master

Closed

relates to

MGNLDAM-416 Ensure that the DamTemplatingFunctions prevent XSS vulnerability (of Assets)

Closed

Assignee:: Roman Kovařík

Reporter:: Roman Kovařík

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 13/Mar/13 10:08 AM

Updated:: 05/Mar/14 8:17 AM

Resolved:: 13/Mar/13 3:44 PM

Bug DoR

Task DoD

Details

Description

Checklists

Attachments

Issue Links

Activity

People

Dates

Checklists