[MAGNOLIA-2111] Cross Site Scripting Vulnerability (XSS): provide a filter which checks all provided parameters Created: 14/Apr/08  Updated: 04/Nov/15  Resolved: 04/Nov/15

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 3.5.4
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Philipp Bärfuss Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-590 Cross Site Scripting Vulnerability (X... Closed
is related to MGNLSD-175 Cross Site Scripting Vulnerability (X... Closed
is related to MAGNOLIA-2463 Dissallow javascript injection from i... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

 Description   

Many templater forget to prevent XSS attacks. So we might want to add a filter which checks for the parameters to guarantee that they don't contain any script



 Comments   
Comment by Jan Haderka [ 03/Nov/08 ]

Not sure how feasible this is. There are cases where you want to pass javascript around. Also since sometimes values are passed around and rendered by various different techniques (JS, FM or JSP templates) and are passed around multiple times they end up decoded/encoded between the calls so no check would catch it all.

Comment by Michael Mühlebach [ 04/Nov/15 ]

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.
Thanks for taking the time to raise this issue. As you are no doubt aware this issue has been on our backlog for some time now with very little movement.
I'm going to close this to set expectations so the issue doesn't stay open for years with few updates. If the issue is still relevant please feel free to reopen it or create a new issue.

Generated at Mon Feb 12 03:33:31 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.