[MAGNOLIA-2463] Disallow javascript injection from input field created in JS or by FM templates - XSS
Created: 03/Nov/08 Updated: 04/Aug/15 Resolved: 04/Aug/15
| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Magnolia |
| Component/s | admininterface, gui |
| Affects Version/s | 3.5.9, 3.6.3 |
| Fix Version/s | None |
| Type | Bug |
| Priority | Major |
| Reporter | Jan Haderka |
| Assignee | Unassigned |
| Resolution | Outdated |
| Votes | 0 |
| Labels | maintenance, security |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Description |

At the moment it is possible to inject arbitrary javascript in all input fields created by FM template containing `<input name="someField" value="${someString}"/>` or in JS function creating input field itself `'<input type="text" name="' + this.name + '" value="' + this.value + '" >'`.

The remedy:
| Comments |

| Comment by Jan Haderka [ 03/Nov/08 ] |

Actually, same goes for JSP templates when they just blindly use request parameters. `<input type="text" name="name" value="${query}" />` with `<input type="text" name="name" value="${query.replaceAll("\"", "&quot;")}" />`
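The FreeMarker/JSP interpolation in the description and the JS string concatenation share one fix: escape every interpolated value for the HTML attribute context. The block below is an added example, not code from Magnolia or from the issue author; the function names and the sample value are constructed for illustration. It generalises the comment's single `replaceAll` to the full attribute-escape set and uses a minimal attribute reader to show why the unescaped form loses the attribute at the first quote.

```javascript
// Added example, not Magnolia code. The string-built <input> from the issue is
// shown beside an escaped version, plus a small reader that extracts the value
// attribute the way a browser would (text up to the next double quote).

// Escape for a double-quoted HTML attribute (also safe in text content).
// "&" is replaced first so entities produced here are not double-encoded.
// This extends the comment's replaceAll("\"", "&quot;"), which covers only the quote.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The vulnerable pattern quoted in the issue: raw values concatenated into markup.
function buildInputUnsafe(name, value) {
  return '<input type="text" name="' + name + '" value="' + value + '" >';
}

// Hardened form: every interpolated value is escaped for the attribute context.
function buildInputSafe(name, value) {
  return '<input type="text" name="' + escapeHtmlAttr(name) +
         '" value="' + escapeHtmlAttr(value) + '" >';
}

// Minimal reader for what a browser keeps as the value attribute: the text
// between value=" and the next double quote, with entities decoded afterwards.
function readValueAttr(markup) {
  const m = /\svalue="([^"]*)"/.exec(markup);
  if (m === null) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&"); // decode "&" last so "&amp;quot;" stays literal
}

// Constructed sample value containing a double quote, as a user might type it.
const SAMPLE_VALUE = 'say "hi"';

// Unsafe: the attribute ends at the user's quote, the rest of the input leaks
// into the tag as new attribute text. Safe: the full value round-trips.
console.log(JSON.stringify(readValueAttr(buildInputUnsafe("f", SAMPLE_VALUE)))); // "say "
console.log(JSON.stringify(readValueAttr(buildInputSafe("f", SAMPLE_VALUE))));   // "say \"hi\""
```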
| Comment by Jan Haderka [ 03/Dec/13 ] |

Marked as maintenance as something that could be done relatively easily, by escaping everything in params on the spec; on the other hand it might screw some existing custom templates and should be introduced in major version change only.

| Comment by Michael Mühlebach [ 04/Aug/15 ] |

We're closing this issue as outdated as it was reported for 4.4.x or earlier versions which are no longer supported. Don't hesitate to reopen or create a new ticket in case this is still relevant and you experience it on 4.5.x or later versions.