[4] revert and improve #32013 to use htmlspecialchars on user supplied placeholders and use non html entity for the bullet to overcome the entity being destroyed by htmlspecialchars
Look at Joomla Global Configuration Database Password field - ensure placeholders are • and not asterisks or badly formatted
Potential XSS on any non-core use of this field with a user supplied $hint and $lock set to no.
In line with all other user supplied placeholders, htmlspecialchars is applied to prevent XSS injections.
None.
// @brianteeman
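The effect described above, as an added example that is not part of the pull request or the Joomla layout file: it shows why an entity-based bullet hint breaks once `htmlspecialchars` is applied and why a literal bullet does not. The function names and the sample hints are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Joomla code. renderUnescaped() and renderEscaped()
// are hypothetical stand-ins for a layout that receives a $hint value.

/** Before: the hint is written into the placeholder attribute as-is. */
function renderUnescaped(string $hint): string
{
    return '<input type="password" placeholder="' . $hint . '">';
}

/** After: the hint is escaped like any other user-supplied placeholder. */
function renderEscaped(string $hint): string
{
    $safe = htmlspecialchars($hint, ENT_QUOTES, 'UTF-8');

    return '<input type="password" placeholder="' . $safe . '">';
}

// Constructed sample hints.
$samples = [
    // Bullet written as an HTML entity: escaping turns "&" into "&amp;".
    'entity bullets'  => str_repeat('&bull;', 4),
    // Bullet written as the literal UTF-8 character U+2022: unaffected.
    'literal bullets' => str_repeat("\u{2022}", 4),
    // Hint that tries to close the attribute and add its own handler.
    'attribute break' => '" onfocus="alert(1)',
];

foreach ($samples as $label => $hint) {
    echo $label, PHP_EOL;
    echo '  unescaped: ', renderUnescaped($hint), PHP_EOL;
    echo '  escaped:   ', renderEscaped($hint), PHP_EOL;
}
```

In the escaped output the entity hint becomes `&amp;bull;`, which a browser displays as the text `&bull;`, while the literal bullets pass through unchanged and the quote in the third hint becomes `&quot;`, so it stays inside the attribute value.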
| Status | New | ⇒ | Pending |
| Category | ⇒ | Layout |
Merged back 4.0-dev and fixed cs, and reverted back to bootstrap 5 version. Ready to test again.
I have tested this item
I have tested this item
| Status | Pending | ⇒ | Ready to Commit |
RTC
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-02-08 08:42:46 |
| Closed_By | ⇒ | infograf768 |
Tks
I have tested this item ✅ successfully on 2fc4784
I see the bullets in the password field and the two changes to the layout file.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32044.