[MAGNOLIA-5566] As a developer I don't need to take any extra measures to have my pages protected against XSS and XSRF
Created: 19/Dec/13 | Updated: 15/Mar/21 | Resolved: 15/Mar/21 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core, security, templating |
| Affects Version/s: | 5.2 |
| Fix Version/s: | None |
| Type: | Story | Priority: | Neutral |
| Reporter: | Jan Haderka | Assignee: | Unassigned |
| Resolution: | Not an issue | Votes: | 0 |
| Labels: | major-only, quickwin | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoD: |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Description |
|
While all content is already protected, at least when using STK, where everything is wrapped in HTMLEncodingNodeWrapper, there is no similar protection for any info that is coming via request parameters. Such params should be escaped as well. |
| Comments |
| Comment by Jan Haderka [ 02/Jul/18 ] |
|
As of 5.6 ... AggregationState is already fixed in that regard; WebContext is still not protected, though. |
| Comment by Jan Haderka [ 15/Mar/21 ] |
|
Done a long time ago. |