dgrammatiko
9 Jun 2021

Pull Request for Issue # .

this is also a RELEASE BLOCKER

Summary of Changes

  • Code that injects HTML using insertAdjacentHTML should first sanitize the string

Testing Instructions

Apply the PR or download the installable package from the GitHub PR

  • Check that the Stats plugin works correctly (e.g. the first notification when you log in for the first time in the admin)
  • Check that you can select an image in the intro/fulltext position and also inside an editor

Actual result BEFORE applying this Pull Request

Code vulnerable to XSS

Expected result AFTER applying this Pull Request

Vulnerabilities mitigated

Documentation Changes Required
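
The pattern named in the summary, as an added example that is not code from this pull request: a value interpolated into an `insertAdjacentHTML` call is parsed as markup unless it is encoded first. The helper names (`escapeHtml`, `safeHtml`, `renderUnsafe`, `renderSafe`, `fakeElement`) and the sample input are assumptions, and the example escapes values rather than running an allowlist sanitizer.

```javascript
// Added example, not code from the Joomla PR. All names here are hypothetical.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: the literal parts are markup written by the developer,
// every interpolated value is treated as untrusted text and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Vulnerable pattern: the untrusted value is parsed as markup.
function renderUnsafe(target, message) {
  target.insertAdjacentHTML('beforeend', `<div class="alert">${message}</div>`);
}

// Hardened pattern: same call, but the value can only ever become text.
function renderSafe(target, message) {
  target.insertAdjacentHTML('beforeend', safeHtml`<div class="alert">${message}</div>`);
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function fakeElement() {
  return { html: '', insertAdjacentHTML(position, markup) { this.html += markup; } };
}

// Constructed sample input: a value carrying an event-handler attribute.
const sample = '<img src=x onerror="alert(1)">';

function demo() {
  const a = fakeElement();
  const b = fakeElement();
  renderUnsafe(a, sample);
  renderSafe(b, sample);
  return { unsafe: a.html, safe: b.html };
}
```

Escaping fits values that are meant to be displayed as text inside an element or a quoted attribute. Where the inserted string must keep some markup, it needs an allowlist-based HTML sanitizer instead, which this example does not implement.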

feca17c 9 Jun 2021 dgrammatiko More
dgrammatiko - open - 9 Jun 2021
dgrammatiko - change - 9 Jun 2021
Status: New → Pending
joomla-cms-bot - change - 9 Jun 2021
Category: JavaScript Repository NPM Change
dgrammatiko - change - 9 Jun 2021
Labels Added: NPM Resource Changed
71771aa 9 Jun 2021 dgrammatiko meh
brianteeman - test_item - 10 Jun 2021 - Tested successfully
brianteeman - comment - 10 Jun 2021

I have tested this item successfully on 9d53166

tested smart search index
tested stats plugin

(I assume the image select was removed intentionally)


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34481.

dgrammatiko - comment - 10 Jun 2021

(I assume the image select was removed intentionally)

Indeed it was

sandramay0905 - test_item - 11 Jun 2021 - Tested successfully
sandramay0905 - comment - 11 Jun 2021

I have tested this item successfully on 9d53166

  • Statistics-Plugin is showing on pages until the user selects one button like Always
  • Images are loaded, saved and shown in frontend in intro-, fulltext and editor.
  • Smartsearch-index clear and reindex of all available languages using multilingual- and blog-sample data.
alikon - change - 11 Jun 2021
Status: Pending → Ready to Commit
alikon - comment - 11 Jun 2021

RTC



richard67 - change - 12 Jun 2021
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2021-06-12 12:43:04
Closed_By: richard67
richard67 - close - 12 Jun 2021
richard67 - merge - 12 Jun 2021
richard67 - comment - 12 Jun 2021

Thanks!
