View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004101 | Composr | [All Projects] General / Uncategorised | public | 2020-02-06 21:06 | 2020-02-07 16:54 |
Field | Value
---|---
Reporter | Chris Graham
Assigned To | Chris Graham
Severity | Security-hole
Status | resolved
Resolution | fixed
Product Version | 10.0.30
Fixed in Version |
Summary | 0004101: Incorrect escaping of field labels (esp usergroup names)
Description | The STRIP_HTML symbol is used incorrectly to remove possible HTML from field labels before those labels are used in automatically assembled previews, so that the previews look cleaner. However, the stripping process actually exposes HTML that was not previously exposed, because STRIP_HTML unescapes escaped HTML entities. Fix the issue and document the behaviour of the symbol better.
Tags | No tags attached.
Time estimation (hours) |
Sponsorship open |

Relationship | Issue | Status | Assigned To | Summary
---|---|---|---|---
duplicate of | 0004095 | closed | Chris Graham | Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting

Notes

Fixed in git commit c09efccbb (https://gitlab.com/composr-foundation/composr/commit/c09efccbb - link will become active once code pushed to GitLab)
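The escaping-order problem the description reports, re-created here as an added Python illustration (not Composr code; the real STRIP_HTML implementation is not shown on this page, and `strip_html_unescaping`, `strip_html_safely`, the tag regex and the sample labels are all constructed assumptions): decoding entities before stripping tags turns escaped text back into raw characters, and re-escaping after the strip is one way to keep the preview output safe.

```python
import html
import re

# Constructed sample labels (not from the bug report). Field labels such as
# usergroup names are assumed to be stored already HTML-escaped, so that the
# stored string can be emitted into HTML as-is.
SAMPLE_LABELS = {
    "tagged": "&lt;b&gt;Admins&lt;/b&gt;",  # literal text "<b>Admins</b>"
    "bare_lt": "Under 18 &lt; age limit",    # contains a lone "<"
}

# Hypothetical tag stripper; the real STRIP_HTML implementation is not on the page.
_TAG_RE = re.compile(r"<[^>]*>")


def strip_html_unescaping(label: str) -> str:
    """Model of the reported behaviour: decode entities, strip tags, and return
    the result as if it were still an escaped string safe for direct output."""
    return _TAG_RE.sub("", html.unescape(label))


def strip_html_safely(label: str) -> str:
    """One corrected ordering (an assumption, not the project's actual fix):
    decode, strip tags, then re-escape so decoded characters cannot reach the
    output as markup."""
    return html.escape(_TAG_RE.sub("", html.unescape(label)), quote=True)


def has_raw_angle_brackets(s: str) -> bool:
    """A raw '<' or '>' in a string that is emitted verbatim into an HTML text
    node is the symptom to look for in the preview output."""
    return "<" in s or ">" in s


def compare(label: str) -> dict:
    """Run both orderings over one label and report whether each leaks markup."""
    buggy = strip_html_unescaping(label)
    fixed = strip_html_safely(label)
    return {
        "buggy": buggy,
        "fixed": fixed,
        "buggy_leaks": has_raw_angle_brackets(buggy),
        "fixed_leaks": has_raw_angle_brackets(fixed),
    }


if __name__ == "__main__":
    for name, label in SAMPLE_LABELS.items():
        print(name, compare(label))
```

The "bare_lt" label shows the defect: no tag is present to strip, yet the decoded "<" now reaches the output unescaped, while the "tagged" label is cleaned identically by both paths.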
Date Modified | Username | Field | Change |
---|---|---|---|
2020-02-06 21:07 | Chris Graham | Relationship added | duplicate of 0004095 |
2020-02-07 16:54 | Chris Graham | Project | Composr non-bundled addons => Composr |
2023-02-26 18:29 | Chris Graham | Category | General => General / Uncategorised |