
SniperSister - 30 Mar 2018

Summary of Changes

The RouteHelper class uses the "String" filter to retrieve the current view name. As this name is then used in the returned link and might be output in plaintext, i.e. in a third-party extension, changing that filter to cmd (which doesn't allow characters relevant for XSS) makes sense and hardens security.

Testing Instructions

Apply the patch, browse through the frontend and make sure that stuff still works.

Expected result

View name is filtered for dangerous characters

Actual result

No filtering applied

Documentation Changes Required

None
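To make the difference between the two filter types concrete, here is an added PHP example (not part of this PR or of Joomla itself) that reimplements the character whitelist Joomla's "cmd" filter applies and compares the link built from a filtered view name with the one built from the raw request value; the function names and the sample view values are constructed for this illustration.

```php
<?php
// Added example, not code from the Joomla PR: a stand-alone function applying the same
// character whitelist as Joomla's InputFilter "cmd" type ([A-Za-z0-9_.-], leading dots
// trimmed), plus a minimal link builder that mimics what a route helper does with the
// view name. Function names and sample values are constructed for illustration.

/** Whitelist filter equivalent to InputFilter::clean($value, 'cmd'). */
function cmdFilter(string $source): string
{
    // Drop every character outside the whitelist (quotes, angle brackets, slashes,
    // spaces and parentheses do not survive), then strip leading dots so a value
    // cannot start with "..".
    $result = (string) preg_replace('/[^A-Z0-9_\.-]/i', '', $source);
    return ltrim($result, '.');
}

/** Builds the kind of internal link a route helper returns for the current view. */
function buildViewLink(string $view, bool $filtered): string
{
    // With $filtered = false the link carries the raw value, i.e. the "actual result"
    // described in the PR; with true it carries the cmd-filtered value.
    $name = $filtered ? cmdFilter($view) : $view;
    return 'index.php?option=com_content&view=' . $name;
}

// Constructed request values as they could arrive via ?view=. The last three contain
// characters that only become a problem when an extension echoes the link unescaped.
$samples = [
    'article',
    'article"><b>x</b>',
    "article' onfocus='x",
    '../../category',
];

foreach ($samples as $view) {
    printf("raw: %s\n", buildViewLink($view, false));
    printf("cmd: %s\n\n", buildViewLink($view, true));
}
```

Filtering at retrieval time, as the PR does, means every caller of the helper gets a view name made of safe characters regardless of how it later escapes output; it is a defence in depth, not a replacement for output escaping in the consuming extension.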

SniperSister - open - 30 Mar 2018
SniperSister - change - 30 Mar 2018
Status: New -> Pending
joomla-cms-bot - change - 30 Mar 2018
Category: Libraries
zero-24 - comment - 30 Mar 2018

I have tested this item successfully on 8db7694


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20031.

zero-24 - test_item - 30 Mar 2018 - Tested successfully
Quy - comment - 30 Mar 2018

I have tested this item successfully on 8db7694


Quy - test_item - 30 Mar 2018 - Tested successfully
Quy - change - 30 Mar 2018
Status: Pending -> Ready to Commit
Quy - comment - 30 Mar 2018

RTC


mbabker - change - 1 Apr 2018
Status: Ready to Commit -> Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 -> 2018-04-01 15:33:26
Closed_By: mbabker
Labels Added
mbabker - close - 1 Apr 2018
mbabker - merge - 1 Apr 2018
