Will this be fixed in the next version or will there be a new update package? Of course, you can (for the time being) temporarily exchange relevant code.

Will this be fixed in the next version or will there be a new update package?

Not my decision. Just another sloppy JSST security fix :-(

Out of curiosity why is this a security problem or even a problem at all?

Template editing is allowed only from Super Users. Also, this field accepts only a URL path, so I find this extremely weird that a superuser decides to alter the logo and inject faulty code. Or it's just me...

Ask the @joomla/security JSST team. Im not part of that team. Im not privileged to see the original reports.

I know as much as everyone else - and that is its "Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages" as per https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html

@dgrammatiko I was about asking the same question myself. Don't we trust super users anymore ?

@PhilETaylor I'm not trying to blame you here, just to understand why this is treated as insecure

Edit also why there's no validator/sanitiser for media field: https://github.com/joomla/joomla-cms/tree/staging/libraries/src/Form/Rule

I have tested this item ✅ successfully on c305311

Why has htmlspecialchars($this->params->get('sitetitle')) (also line 82) no ENT_QUOTES or ENT_COMPAT ?
In other places this is done in the Joomla code !

@sandewt your comment is unrelated to this PR.

ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars

@sandewt your comment is unrelated to this PR.

Right.

ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars

Of course supplemented with UTF8

I have tested this item ✅ successfully on c305311

RTC