[MGNLDEMO-169] JavaScript can be injected in the page properties title field Created: 08/Jun/16  Updated: 06/Dec/16  Resolved: 28/Nov/16

Status: Closed
Project: Magnolia Demo Projects
Component/s: magnolia-travels
Affects Version/s: 0.12
Fix Version/s: 1.0

Type: Bug Priority: Major
Reporter: Teresa Miyar Assignee: Hieu Nguyen Duc
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 0d
Time Spent: 2d 5h
Original Estimate: 4d

Issue Links:
Relates
dependency
depends upon MAGNOLIA-6884 Add a method to HTML-encode normal text Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: Saigon 72
Story Points: 5

Description

We should implement best practices to help our customers implement their sites; the way to render the text should be to escape it.



Comments
Comment by Hieu Nguyen Duc [ 23/Nov/16 ]

1) Steps to reproduce:

+ Open Magnolia 5.4's travel-demo
+ Open About page
+ Edit page properties
+ Enter <script>alert("Hello")</script> into Page title
=> Alert dialog shows up

2) Root cause:

Page name is not escaped in travel-demo-1.0-SNAPSHOT
File: navigation.ftl

<li class="${page.cssClass!}"><a href="${page.link!}">${cmsfn.encode(page.name)!}</a></li>

travel-demo-1.1.1-SNAPSHOT (Magnolia 5.5) doesn't have this problem because it prints the navigation in a different way, with the help of NavigationTemplatingFunctions

3) Solution:

Escape page names
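What the fix in step 3 looks like in Java, as an added example that is not the travel-demo's or Magnolia's own code: a minimal HTML encoder stands in for cmsfn.encode (the method from MAGNOLIA-6884 is assumed to do the equivalent), applied to the navigation markup from navigation.ftl, so the title from the reproduction steps is rendered as text instead of being executed.

```java
/**
 * Added example, not Magnolia code. htmlEncode is a hypothetical stand-in for
 * cmsfn.encode; renderUnescaped/renderEscaped mirror the <li><a> line in
 * navigation.ftl before and after the fix.
 */
public class NavigationEscapeExample {

    /** Encode the characters that are significant in HTML text and attribute values. */
    static String htmlEncode(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable rendering: page properties are concatenated into markup verbatim. */
    static String renderUnescaped(String cssClass, String link, String name) {
        return "<li class=\"" + cssClass + "\"><a href=\"" + link + "\">" + name + "</a></li>";
    }

    /** Fixed rendering: every value taken from page properties is encoded for its context. */
    static String renderEscaped(String cssClass, String link, String name) {
        return "<li class=\"" + htmlEncode(cssClass) + "\"><a href=\"" + htmlEncode(link) + "\">"
                + htmlEncode(name) + "</a></li>";
    }

    public static void main(String[] args) {
        // Constructed input: the page title from the reproduction steps; link and class are made up.
        String title = "<script>alert(\"Hello\")</script>";
        System.out.println(renderUnescaped("active", "/travel/about.html", title));
        // Encoded form: &lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt; inside the <a> text node
        System.out.println(renderEscaped("active", "/travel/about.html", title));
    }
}
```

The encoded output contains no raw `<` or `"`, so the browser shows the title literally and no dialog appears; the same encoding is applied to class and href because those attribute values also come from page properties.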
