Ticket #222 (closed defect: fixed)

Opened 23 months ago

Last modified 6 months ago

Proper escaping needed for button slots

Reported by: boutell
Owned by: tboutell
Priority: minor
Milestone: 1.5.2
Component: apostrophePlugin: Media
Version: 1.5
Keywords: slots, aButtonSlot
Cc: team@…
Symfony version: 1.4

Description

Button slot titles need to be escaped properly on output. OR we need to allow rich text in them and present a rich text editor for them. Time to decide which and implement one of the two. Left to my own devices I have a strong preference for plaintext because our UI never suggested they could contain something else before this point.

Change History

Changed 17 months ago by tboutell

  • owner changed from boutell to tboutell

Changed 13 months ago by johnnyoffline

  • cc team@… added; rickybanister, agilbert, johnnyoffline removed
  • keywords slots, aButtonSlot added
  • priority changed from major to minor
  • version set to 1.5
  • milestone set to 1.5.1

I don't think this is an issue anymore right?

All of our parameters use that sf escaping syntax at the top of the partial.

The title lives in $options and that gets escaped.

If that's true, we can close this ticket.

Changed 6 months ago by tboutell

  • status changed from new to closed
  • resolution set to fixed

This was still an issue. XSS attacks by unscrupulous editors were possible via button slot titles. It's fixed now in [4024] [4025].

The "sf escaping syntax at the top of the partial" is there to UNescape things to make it consistent between sites where output escaping is enabled and sites where it isn't. It is OUR responsibility to escape in the core plugins' templates. A lot of our content is pre-escaped (both aText and aRichText slots), but other things are not (titles that just get stashed as text, for instance).
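
The distinction tboutell draws above, as an added example that is not Apostrophe's or Symfony's own code: the unescape idiom at the top of a partial (in Symfony 1.4 typically `$options = $sf_data->getRaw('options');`) hands the template the raw value whether or not `escaping_strategy` is on, so the template itself must escape at the point of output. The slot title, `$options` layout, `renderButtonUnsafe`/`renderButtonSafe` function names and the `containsInjectedHandler` check are all constructed for this illustration; only `htmlspecialchars` is real PHP.

```php
<?php
// Added example (not Apostrophe's or Symfony's own code): why unescaping the
// partial's variables does not protect a button slot title, and what the
// template must do instead. Run with: php button_slot_escaping.php

// A constructed button slot title as an "unscrupulous editor" might save it.
// Titles are stored as plain text, not pre-escaped like aText/aRichText slots.
const EVIL_TITLE = 'Read more" onmouseover="alert(document.cookie)';

// Hypothetical stand-in for the slot's $options array. In a Symfony 1.4
// partial this is what $options = $sf_data->getRaw('options'); yields: the
// raw stored strings, regardless of the site's escaping_strategy setting.
function rawOptions(string $title): array
{
    return ['title' => $title, 'url' => '/article'];
}

// Before the fix: the raw title is interpolated straight into an attribute
// and into the element body. Nothing between storage and output escapes it.
function renderButtonUnsafe(array $options): string
{
    return '<a class="a-btn" href="' . $options['url'] . '" title="'
        . $options['title'] . '">' . $options['title'] . '</a>';
}

// After the fix: escape once, at output time, with ENT_QUOTES so the value
// cannot close either a double- or a single-quoted attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderButtonSafe(array $options): string
{
    return '<a class="a-btn" href="' . e($options['url']) . '" title="'
        . e($options['title']) . '">' . e($options['title']) . '</a>';
}

// Crude check used only by this example: does the markup now carry an
// on* event-handler attribute the template never wrote?
function containsInjectedHandler(string $html): bool
{
    return (bool) preg_match('/\son\w+\s*=\s*"/i', $html);
}

$options = rawOptions(EVIL_TITLE);
$unsafe  = renderButtonUnsafe($options);
$safe    = renderButtonSafe($options);

printf("unsafe: %s\n  injected handler: %s\n", $unsafe,
    containsInjectedHandler($unsafe) ? 'yes' : 'no');
printf("safe:   %s\n  injected handler: %s\n", $safe,
    containsInjectedHandler($safe) ? 'yes' : 'no');
```

Two things worth noticing. First, the escaping must happen in the template even on a site with output escaping enabled, because the `getRaw()` line has already stripped the decorator; relying on the framework setting would make the same partial safe on one site and exploitable on another, which is exactly the inconsistency the unescape line exists to remove. Second, content that is already pre-escaped (aText and aRichText slots) must not be passed through `e()` again or it double-encodes, so the rule is per value: escape plain stored text at output, emit pre-escaped HTML as-is.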
