User tests: Successful: Unsuccessful:
The RouteHelper class uses the "string" filter to retrieve the current view name. Because that name is then placed in the returned link and may be output in plain text, e.g. by a third-party extension, changing the filter to "cmd" (which does not allow the characters relevant for XSS) makes sense and hardens security.
Apply the patch, browse through the frontend and make sure everything still works.
View name is filtered for dangerous characters
No filtering applied
None
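To illustrate the point of the change, here is an added example (not part of the pull request or of Joomla's code base) that models the "cmd" filter's rule in Python, sets a deliberately simplified tag-stripping stand-in for the "string" filter beside it, and checks which result can be echoed into markup unescaped. The filter models, the sample view names and the URL shape are assumptions made for the demonstration.

```python
import re

# Whitelist of Joomla's "cmd" input filter: letters, digits, underscore, dot and
# hyphen (modelled here in Python; the real code is Joomla's InputFilter class).
CMD_DISALLOWED = re.compile(r"[^A-Za-z0-9_.-]")

# Characters that break out of HTML text or attribute context when a value is
# echoed without escaping.
HTML_SENSITIVE = frozenset('<>"\'&')


def filter_cmd(value: str) -> str:
    """'cmd' filter: drop everything outside [A-Za-z0-9_.-], then strip leading dots."""
    return CMD_DISALLOWED.sub("", value).lstrip(".")


def filter_string(value: str) -> str:
    """Simplified stand-in for the 'string' filter: strip HTML tags only.
    The real filter is more elaborate, but like this model it does not promise
    to remove quotes or stray angle brackets."""
    return re.sub(r"<[^>]*>", "", value)


def is_html_safe(view: str) -> bool:
    """True when the filtered value can be echoed into markup as-is."""
    return not (HTML_SENSITIVE & set(view))


def view_link(view: str, filt) -> str:
    """Mimic what a route helper returns for the current view (constructed URL shape)."""
    return f"index.php?option=com_content&view={filt(view)}"


# Constructed sample view names: a normal one, one with leading dots, one malformed.
SAMPLES = ["article", "..featured", 'arti"cle<view>']

if __name__ == "__main__":
    for name in SAMPLES:
        for label, filt in (("string", filter_string), ("cmd", filter_cmd)):
            cleaned = filt(name)
            print(f"{label:6} {name!r:18} -> {cleaned!r:14} safe={is_html_safe(cleaned)}")
```

Run as a script, the table shows that every "cmd" result stays within the safe character set, while the tag-stripping model lets a quote through.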
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-04-01 15:33:26 |
Closed_By | ⇒ | mbabker | |
I have tested this item ✅ successfully on 8db7694
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20031.