[MAGNOLIA-5566] As a developer I don't need to take any extra measures to have my pages protected against XSS and XSRF
Created: 19/Dec/13  Updated: 15/Mar/21  Resolved: 15/Mar/21

Status: Closed
Project: Magnolia
Component/s: core, security, templating
Affects Version/s: 5.2
Fix Version/s: None

Type: Story
Priority: Neutral
Reporter: Jan Haderka
Assignee: Unassigned
Resolution: Not an issue
Votes: 0
Labels: major-only, quickwin
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

While all content is already protected, at least when using STK, where everything is wrapped in HTMLEncodingNodeWrapper, there is no similar protection for any info that is coming via request parameters. Such params should be escaped as well.



 Comments   
Comment by Jan Haderka [ 02/Jul/18 ]

As of 5.6 ... AggregationState is already fixed in that regard; WebContext is still not protected, though.

Comment by Jan Haderka [ 15/Mar/21 ]

Done a long time ago.
