Feeling Lucky
?
?
[#20031] - Changed viewname filter in RouteHelper
- Fixed in Code Base
- 1 Apr 2018
- Medium
- Build: staging
- # 20031
- Diff
- SniperSister:routehelperfilterfix
- Pending continuous-integration/drone/pr this build is pending Details
User tests: Successful: Unsuccessful:
Summary of Changes
The RouteHelper class uses the "String" filter to retrieve the current view name. As this name is then used in the returned link and might be outputted in plaintext i.e. in a 3rd party extension, changing that filter to cmd (which doesn't allow characters relevant for XSS) makes sense and hardens security.
Testing Instructions
Apply patch, browse through frontend and make sure that stuff still works.
Expected result
View name is filtered for dangerous characters
Actual result
No filtering applied
Documentation Changes Required
None
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries |
Quy
- comment
- 30 Mar 2018
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20031.
| Status | Pending | ⇒ | Ready to Commit |
Quy
- comment
- 30 Mar 2018
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20031.
mbabker
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-04-01 15:33:26 |
| Closed_By | ⇒ | mbabker | |
| Labels |
Added:
?
?
|
||
I have tested this item✅ successfully on 8db7694
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20031.