Joomla! Issue Tracker | Joomla! CMS #19720 - [4.0] Switch escape() methods to ENT

Fixed in Code Base
18 Feb 2018
Medium
Build: 4.0-dev
# 19720
Diff
SniperSister:htmlview-escape-fix

Pending

User tests: Successful: Unsuccessful:

SniperSister
18 Feb 2018

Summary of Changes

In earlier versions, the escape method of JViewHtml, HtmlView and BaseLayout was using the ENT_COMPAT flag for escaping, which does not escape single quotes. This leads to potential XSS-issues in some situations and therefore should be changed in 4.0.

This is done with this PR.

Testing Instructions

Add echo $this->escape("'"); to a component template of your choice.
Inspect the generated markup in the browser, see the plaintext output of the single quote
Apply this patch, refresh the page
Inspect markup again, see that the quote is now escaped

Expected result

Single quotes are escaped

Actual result

Single quotes aren't escaped.

Documentation Changes Required

None

d431441 18 Feb 2018

Switch HtmlView::escape to ENT_QUOTES to also cover single quotes

7f4302d 18 Feb 2018

Applied ENT_QUOTES flag to JViewHtml

f08cd0d 18 Feb 2018

Applied fix to BaseLayout class

SniperSister - open - 18 Feb 2018

SniperSister - change - 18 Feb 2018

Status

New

⇒

Pending

joomla-cms-bot - change - 18 Feb 2018

Category

⇒

Libraries

Quy - change - 18 Feb 2018

Title

…

Switch escape() methods to ENT_QUOTES to also cover single quotes

[4.0] Switch escape() methods to ENT_QUOTES to also cover single quotes

joomla-cms-bot - edited - 18 Feb 2018

wilsonge - change - 18 Feb 2018

Status	Pending	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2018-02-18 17:22:38
Closed_By		⇒	wilsonge
Labels	Added: ?

wilsonge - close - 18 Feb 2018

wilsonge - merge - 18 Feb 2018

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#19720] - [4.0] Switch escape() methods to ENT_QUOTES to also cover single quotes