[MAGNOLIA-2463] Disallow javascript injection from input field created in JS or by FM templates - XSS Created: 03/Nov/08  Updated: 04/Aug/15  Resolved: 04/Aug/15

Status: Closed
Project: Magnolia
Component/s: admininterface, gui
Affects Version/s: 3.5.9, 3.6.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jan Haderka Assignee: Unassigned
Resolution: Outdated Votes: 0
Labels: maintenance, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2111 Cross Site Scripting Vulnerability (X... Closed

Description

At the moment it is possible to inject arbitrary JavaScript into every input field created by a FreeMarker (FM) template containing

<input name="someField" value="${someString}"/>

or by a JS function that builds the input field itself:

'<input type="text" name="' + this.name + '" value="' + this.value + '" >'

The remedy:

  • in the first case is to use value="${someString?html}". Please note that ?html in FM does not escape single quotes, therefore the value has to be enclosed in double quotes when the html escape function is used.
  • in the second case is to use " value="' + this.value.replace('"','&quot;') + '".
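The second remedy, escaping the value before it is concatenated into the attribute, as an added example that is not Magnolia's code. It escapes every character that can end or alter an attribute value, and it also shows why the one-argument string form of replace is not enough: in JavaScript a string pattern replaces only the first match, so a second double quote still leaves the attribute. The input sample is constructed.

```javascript
// Added example (not Magnolia's code): escape a value before it is
// concatenated into an HTML attribute when building an <input> in JS.

// Escape every character that can end or change an attribute value.
// '&' is escaped too, so existing entities stay intact and the result
// decodes back to the original string; '\'' is covered in case a
// template uses single-quoted attributes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The one-liner from the description: a string pattern passed to
// String.prototype.replace only replaces the FIRST occurrence.
function escapeFirstQuoteOnly(value) {
  return String(value).replace('"', '&quot;');
}

// Same concatenation as the vulnerable snippet, with an escaper applied
// to both attribute values (pass String for the unescaped original).
function renderInput(name, value, escape) {
  return '<input type="text" name="' + escape(name) +
         '" value="' + escape(value) + '">';
}

// Defensive check: the value attribute must be the last thing before '>'
// and contain no raw double quote. Returns the attribute body, or null if
// the value broke out of the attribute.
function valueAttrBody(markup) {
  const m = /^<input type="text" name="[^"]*" value="([^"]*)">$/.exec(markup);
  return m ? m[1] : null;
}

// Constructed sample containing every character escapeAttr handles.
const SAMPLE = 'Say "hi" & \'bye\' <now>';

console.log(renderInput('q', SAMPLE, escapeAttr));
console.log(valueAttrBody(renderInput('q', SAMPLE, escapeFirstQuoteOnly))); // null
```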


Comments
Comment by Jan Haderka [ 03/Nov/08 ]

Actually, the same goes for JSP templates when they just blindly use request parameters.
Replace

<input type="text" name="name" value="${query}" />

with

<input type="text" name="name" value="${query.replaceAll("\"", "&quot;")}" />
Comment by Jan Haderka [ 03/Dec/13 ]

Marked as maintenance as something that could be done relatively easily, by escaping everything in params on the spec; OTOH it might screw some existing custom templates and should be introduced in a major version change only.

Comment by Michael Mühlebach [ 04/Aug/15 ]

We're closing this issue as outdated, as it was reported for 4.4.x or earlier versions which are no longer supported. Don't hesitate to reopen or create a new ticket in case this is still relevant and you experience it on 4.5.x or later versions.

Generated at Mon Feb 12 03:36:58 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.