[MAGNOLIA-3205] Full name column in user tree renders full html Created: 20/May/10  Updated: 13/Mar/12  Resolved: 28/Jun/10

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 4.3.1
Fix Version/s: 4.3.3, 4.4

Type: Bug Priority: Critical
Reporter: Jan Haderka Assignee: Ondrej Chytil
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
is causing MAGNOLIA-3308 HTML rendered / not escaped when ente... Closed
dependency
relation
is related to MAGNOLIA-1897 HTML Tags in Page Titles Should Be Es... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

Description

If a user enters HTML in their "Full name" while changing preferences, that HTML is rendered in the user tree when an admin browses the users, allowing a malicious user to mount an attack on the admin's session.
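The defect described above is a stored cross-site scripting issue: a value the user controls (the full name) is written into the admin user tree as live markup instead of as text. The following is an added example, not code from the Magnolia project or from this ticket, contrasting a render that concatenates the raw value with one that escapes it for an HTML text context. The class name `UserTreeRenderer`, the methods `renderRowUnsafe` and `renderRowSafe`, and the sample full name are assumptions made for illustration.

```java
/**
 * Added example (not Magnolia code): escape user-controlled text before it
 * is placed into HTML. Assumes a simple table-row renderer for the user tree.
 */
public class UserTreeRenderer {

    /** Escape the characters that are significant in an HTML text or quoted-attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe form (the behaviour the report describes): the full name goes straight into markup. */
    static String renderRowUnsafe(String userName, String fullName) {
        return "<td>" + userName + "</td><td>" + fullName + "</td>";
    }

    /** Fixed form: every user-controlled value is escaped for the context it lands in. */
    static String renderRowSafe(String userName, String fullName) {
        return "<td>" + escapeHtml(userName) + "</td><td>" + escapeHtml(fullName) + "</td>";
    }

    /** True when the rendered fragment still contains an unescaped angle bracket from the input. */
    static boolean containsRawMarkup(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample: a full name containing markup, as a user could type it into preferences.
        String fullName = "<i>Jane</i> Doe";

        String unsafe = renderRowUnsafe("jdoe", fullName);
        String safe = renderRowSafe("jdoe", fullName);

        System.out.println("unsafe: " + unsafe + "  (raw markup present: " + containsRawMarkup(unsafe, fullName) + ")");
        System.out.println("safe:   " + safe + "  (raw markup present: " + containsRawMarkup(safe, fullName) + ")");
    }
}
```

The escaping shown is for an HTML text or quoted-attribute context only; a value placed into a JavaScript string, a URL, or CSS needs the escaping rules of that context, and a templating layer that escapes by default removes the need to remember the call at every output site.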



Comments
Comment by Daniel Lipp [ 13/Mar/12 ]

At the time this issue was resolved, trunk was for 4.4, not yet 4.5.
