- Type: Bug
- Resolution: Fixed
- Priority: Critical
MGNLSTK-1105 removed escaping from the FTL templates, because the values are already escaped by HTMLEscapingNodeWrapper (MGNLSTK-1103).
The nodes for assets, however, are taken directly from the session, so they are never wrapped; the image properties are therefore rendered unescaped, which is an XSS vulnerability.
Steps to reproduce:
- Use some XSS payload as the Subject and Description of an asset that appears in http://localhost:8080/magnoliaAuthor/demo-project/multimedia/image-gallery.html.
- Open the image gallery page.
-> The injected markup executes (XSS).
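To make the failure mode concrete, here is an added illustration (not Magnolia code, and not from this ticket): a minimal stand-in for a node, an escaping wrapper in the role the ticket gives HTMLEscapingNodeWrapper, and a template that, like the FTL after MGNLSTK-1105, inserts values without escaping. The Node interface, SessionNode, EscapingNodeWrapper and GalleryTemplate are all hypothetical; the asset property values are constructed sample input.

```java
import java.util.HashMap;
import java.util.Map;

/* Hypothetical minimal stand-in for a JCR node (a property map); not the real JCR or Magnolia API. */
interface Node {
    String getProperty(String name);
}

/* A node as it would come straight out of the session: values returned raw. */
class SessionNode implements Node {
    private final Map<String, String> props = new HashMap<>();
    SessionNode(Map<String, String> props) { this.props.putAll(props); }
    public String getProperty(String name) { return props.get(name); }
}

/* Wrapper that escapes every string read through it, the role the ticket attributes
 * to HTMLEscapingNodeWrapper. Escaping happens once, at the read boundary, so the
 * template itself must not escape again (the point of MGNLSTK-1105). */
class EscapingNodeWrapper implements Node {
    private final Node wrapped;
    EscapingNodeWrapper(Node wrapped) { this.wrapped = wrapped; }
    public String getProperty(String name) {
        String raw = wrapped.getProperty(name);
        return raw == null ? null : escapeHtml(raw);
    }
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}

/* Template that trusts its input to be pre-escaped, as the FTL does after MGNLSTK-1105. */
class GalleryTemplate {
    static String render(Node asset) {
        return "<figure><img alt=\"" + asset.getProperty("subject") + "\">"
             + "<figcaption>" + asset.getProperty("description") + "</figcaption></figure>";
    }
}

public class AssetEscapingDemo {
    /* True if the rendered markup still contains a raw tag or attribute-breaking quote. */
    static boolean looksUnescaped(String html, String payload) {
        return html.contains(payload);
    }

    public static void main(String[] args) {
        Map<String, String> props = new HashMap<>();
        String payload = "\"><script>alert(1)</script>";   // constructed sample input
        props.put("subject", payload);
        props.put("description", "Tom & Jerry <3");
        Node fromSession = new SessionNode(props);

        // Vulnerable path described in the ticket: asset node handed to the template unwrapped.
        String bad = GalleryTemplate.render(fromSession);
        System.out.println("unwrapped (" + looksUnescaped(bad, payload) + "): " + bad);

        // Fixed path: wrap the node before it reaches the template, so every read is escaped once.
        String good = GalleryTemplate.render(new EscapingNodeWrapper(fromSession));
        System.out.println("wrapped   (" + looksUnescaped(good, payload) + "): " + good);
    }
}
```

The defensive rule this encodes: whichever layer removes escaping from templates must guarantee that every node reaching those templates, including ones fetched directly from the session, passes through the escaping wrapper; a check like looksUnescaped over rendered output is a cheap regression test for that invariant.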
Acceptance criteria
- is depended upon by: MGNLSTK-1105 Escape values for rendering, don't escape already escaped values - port to master (Closed)
- relates to: MGNLDAM-416 Ensure that the DamTemplatingFunctions prevent XSS vulnerability (of Assets) (Closed)