[MAGNOLIA-2111] Cross Site Scripting Vulnerability (XSS): provide a filter which checks all provided parameters

Created: 14/Apr/08 | Updated: 04/Nov/15 | Resolved: 04/Nov/15

| Status: | Closed |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | 3.5.4 |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major |
| Reporter: | Philipp Bärfuss |
| Assignee: | Unassigned |
| Resolution: | Won't Do |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |

Many templaters forget to prevent XSS attacks, so we might want to add a filter which checks the parameters to guarantee that they don't contain any script.
| Comments |

| Comment by Jan Haderka [ 03/Nov/08 ] |

Not sure how feasible this is. There are cases where you want to pass JavaScript around. Also, since sometimes values are passed around and rendered by various different techniques (JS, FM or JSP templates) and are passed around multiple times, they end up decoded/encoded between the calls, so no check would catch it all.
| Comment by Michael Mühlebach [ 04/Nov/15 ] |

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact and more votes.