[JSMODELS-8] JavascriptObjectFactory should expose HTMLEscapingAggregationState to models
Created: 01/Jun/17  Updated: 28/Jun/17  Resolved: 28/Jun/17

Status: Closed
Project: Magnolia Javascript Models
Component/s: None
Affects Version/s: None
Fix Version/s: 1.0

Type: Bug Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
dependency
Sprint: Basel 101, Basel 102
Story Points: 3

 Description   

See related issue MAGNOLIA-6448. Basically, templates may get a vulnerable aggregation state object.
To reproduce:

  • In Resources App create /travel-demo/models/components/textImage.js
  • Add the following snippet to the above file
    var MyModel = function() {

        this.currentURI = function() {
            return "current uri is " + state.currentURI;
        };

    };

    new MyModel();

  • Edit /travel-demo/templates/components/textImage.yaml and add the following snippet
    modelPath: /travel-demo/models/components/textImage.js
    class: info.magnolia.module.jsmodels.rendering.JavascriptTemplateDefinition
    
  • Edit /travel-demo/templates/components/textImage.ftl and add the following snippet
    TEST ${model.currentURI()}
    
  • Open the page with the malicious URI http://localhost:8080/travel/about~cf503%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E7af3b~
  • The problem shows up
  • Enable /server/rendering/engine@escapeHtml=true and open the above page again
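
What handing the model an HTML-escaping view of the state changes, as an added illustration (not code from this issue or from Magnolia). It is plain ES5 JavaScript; `escapeHtml` and `escapingView` are hypothetical stand-ins for the escaping wrapper, and `rawState` is a constructed object holding the percent-decoded path of the URI from the steps above.

```javascript
// Added illustration; not Magnolia code. All helper names are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
    var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return String(value).replace(/[&<>"']/g, function (ch) {
        return map[ch];
    });
}

// Read-only view over a state object: string properties come back escaped,
// every other value passes through unchanged. The raw object is never exposed.
function escapingView(rawState) {
    var view = {};
    Object.keys(rawState).forEach(function (key) {
        Object.defineProperty(view, key, {
            enumerable: true,
            get: function () {
                var value = rawState[key];
                return typeof value === "string" ? escapeHtml(value) : value;
            }
        });
    });
    return Object.freeze(view);
}

// The model from the reproduction steps, with the state passed in explicitly
// so that the raw and the escaping variant can be compared side by side.
function MyModel(state) {
    this.currentURI = function () {
        return "current uri is " + state.currentURI;
    };
}

// Constructed sample: path of the URI from the reproduction steps, decoded.
var rawState = {
    currentURI: decodeURIComponent(
        "/travel/about~cf503%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E7af3b~")
};

var unescaped = new MyModel(rawState).currentURI();             // markup survives
var escaped = new MyModel(escapingView(rawState)).currentURI(); // markup neutralised

console.log(unescaped);
console.log(escaped);
```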


 Comments   
Comment by Maxime Michel [ 28/Jun/17 ]

Reopened because of injection issues with the module, that lead to a clean Magnolia setup not starting at all.
