[MGNLFORM-183] XSS vulnerability of form fields - CVE-2013-4759 Created: 15/Jul/13  Updated: 02/Sep/13  Resolved: 15/Jul/13

Status: Closed
Project: Magnolia Form Module
Component/s: None
Affects Version/s: 1.4.5, 2.0
Fix Version/s: 1.4.7, 2.0.2

Type: Bug Priority: Neutral
Reporter: Roman Kovařík Assignee: Roman Kovařík
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

MGNLFORM-156 removed escaping from the FTL templates because values should already be escaped by HTMLEscapingNodeWrapper.
But the field values are set into the model from the unwrapped content and later requested for rendering, so they are not escaped.

Comments
Comment by Roman Kovařík [ 16/Jul/13 ]

The workaround - escaping in FTL templates:

  • append ?html to model.value in form field FTL templates:
    /form/src/main/resources/form/components/formEdit.ftl
    /form/src/main/resources/form/components/formFile.ftl
    /form/src/main/resources/form/components/formGroupEditItem.ftl
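
Added example, not code from the Magnolia Form module: a minimal Java program using the FreeMarker library that renders the same model value through a field template without and with the ?html workaround from the comment above. The class name, the two one-line template strings (stand-ins for formEdit.ftl) and the sample value are constructed for the demo; it assumes FreeMarker 2.3.23 or later on the classpath.

```java
// Added demo (not Magnolia code): shows why a field value that bypasses
// HTMLEscapingNodeWrapper is emitted raw unless the template escapes it.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FormFieldEscapingDemo {

    // Constructed stand-in for the template after MGNLFORM-156 removed ?html:
    // model.value is written straight into the attribute.
    static final String UNESCAPED_TPL =
        "<input type=\"text\" name=\"${model.name}\" value=\"${model.value}\" />";

    // Same template with the workaround from the comment: ?html escapes
    // <, >, & and " so the value cannot break out of the attribute.
    static final String ESCAPED_TPL =
        "<input type=\"text\" name=\"${model.name}\" value=\"${model.value?html}\" />";

    // Render a template string against a data model and return the HTML.
    static String render(String templateSource, Map<String, Object> root)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        Template tpl = new Template("field", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        tpl.process(root, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value as it arrives from unwrapped content,
        // i.e. without HTMLEscapingNodeWrapper having escaped it.
        Map<String, Object> model = new HashMap<>();
        model.put("name", "email");
        model.put("value", "say \"hi\" <b>");
        Map<String, Object> root = new HashMap<>();
        root.put("model", model);

        // Unescaped: the quote and tag land in the markup as-is.
        System.out.println(render(UNESCAPED_TPL, root));
        // Escaped: rendered as &quot;hi&quot; &lt;b&gt;, inert attribute text.
        System.out.println(render(ESCAPED_TPL, root));
    }
}
```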
    