[MGNLSTK-1101] Wrap nodes with HTMLEscapingNodeWrapper before rendering - 2.0.x Created: 21/Feb/13  Updated: 04/Mar/13  Resolved: 28/Feb/13

Status: Closed
Project: Magnolia Standard Templating Kit (closed)
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.9

Type: Improvement
Priority: Major
Reporter: Roman Kovařík
Assignee: Roman Kovařík
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MGNLSTK-1103 Wrap nodes with HTMLEscapingNodeWrapp... Closed
dependency
is depended upon by MGNLSTK-1095 Escape values for rendering, don't es... Closed
Template:
Acceptance criteria:
Empty
Date of First Response:

 Description   

MAGNOLIA-4011 introduces unwrapping nodes before rendering because of a problem with multiple escaping.
Unfortunately, this change causes an XSS vulnerability in most FTL templates.

  1. Don't unwrap nodes from HTMLEscapingNodeWrapper before rendering.
  2. Wrap nodes with HTMLEscapingNodeWrapper if they are not wrapped already.


 Comments   
Comment by Roman Kovařík [ 27/Feb/13 ]

Port to master is registered under MGNLSTK-1103.

Comment by Jan Haderka [ 27/Feb/13 ]

Can you update title and description to reflect what was really done? I think most changes were rolled back after re-enabling wrapping in the renderer ... and pls link that issue.

Comment by Roman Kovařík [ 28/Feb/13 ]

There are also related commits from other tickets in the GIT tab of this issue.
Commits only for this ticket:
http://git.magnolia-cms.com/gitweb/?p=modules/standard-templating-kit.git;a=commitdiff;h=7aad49af3fc0300bd39f613061b8a5468c226264
http://git.magnolia-cms.com/gitweb/?p=modules/standard-templating-kit.git;a=commitdiff;h=b4020b9bad7b3ee8f0d9841c02c21344b451e2b6
