Magnolia Form Module / MGNLFORM-183

XSS vulnerability of form fields - CVE-2013-4759


Details

    • Bug
    • Resolution: Fixed
    • Neutral
    • 1.4.7, 2.0.2
    • 1.4.5, 2.0
    • None
    • None

    Description

      MGNLFORM-156 removed escaping from the FTL templates because values should already be escaped by HTMLEscapingNodeWrapper.
      But field values are set into the model from unwrapped content and later requested for rendering. Therefore they aren't escaped.
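
      The gap described above, as an added example that is not part of the ticket and is not Magnolia code. It is a simplified model: `RawNode`, `EscapingNode`, `escape` and `render` are hypothetical stand-ins for the stored content, the escaping wrapper and a template that emits values as-is, and escaping at the point where the model is filled is one possible remediation, not necessarily the fix that was shipped.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the bug. All names are hypothetical, not Magnolia's API.
public class EscapingGapDemo {

    interface Node { String get(String name); }

    // Raw stored content, holding whatever the user submitted.
    static class RawNode implements Node {
        private final Map<String, String> props = new HashMap<>();
        RawNode set(String k, String v) { props.put(k, v); return this; }
        public String get(String name) { return props.get(name); }
    }

    // Stand-in for an escaping wrapper: every read goes through escape().
    static class EscapingNode implements Node {
        private final Node inner;
        EscapingNode(Node inner) { this.inner = inner; }
        public String get(String name) { return escape(inner.get(name)); }
    }

    static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Template with no escaping of its own: it trusts the value it is given.
    static String render(String value) {
        return "<input type=\"text\" name=\"email\" value=\"" + value + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample value that breaks out of the attribute if unescaped.
        Node raw = new RawNode().set("email", "\"><b>injected</b>");
        Node wrapped = new EscapingNode(raw);

        // Path the templates were assumed to use: value read through the wrapper.
        System.out.println("wrapped:   " + render(wrapped.get("email")));

        // Path in the ticket: model filled from unwrapped content, rendered as-is.
        Map<String, String> model = new HashMap<>();
        model.put("email", raw.get("email"));
        System.out.println("unwrapped: " + render(model.get("email")));

        // One possible remediation (assumption): escape when filling the model.
        model.put("email", escape(raw.get("email")));
        System.out.println("fixed:     " + render(model.get("email")));
    }
}
```

      The "unwrapped" line is the only one where the `<b>` element appears outside the `value` attribute; a regression test for this class of bug can assert that no rendered field contains the raw submitted markup.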

            People

              rkovarik Roman Kovařík