Labels: Feature, Test instructions missing, Updates Requested, NPM Resource Changed, PR-5.3-dev. Status: Pending

User tests: Successful: Unsuccessful:

Shivam7-1 - 8 Nov 2024

Summary of Changes

This PR uses Joomla.sanitizeHtml to sanitize all HTML content rendered within the application. This change improves security by preventing XSS (Cross-Site Scripting) vulnerabilities and ensures that user-generated or external HTML is safe. All relevant components have been updated for consistent sanitization, enhancing overall application integrity.


Shivam7-1 - open - 8 Nov 2024
Shivam7-1 - change - 8 Nov 2024: Status New → Pending
joomla-cms-bot - change - 8 Nov 2024: Category JavaScript, Repository, NPM Change
Shivam7-1 - change - 8 Nov 2024: The description was changed
Shivam7-1 - edited - 8 Nov 2024
Shivam7-1 - change - 8 Nov 2024: The description was changed
Shivam7-1 - edited - 8 Nov 2024
Shivam7-1 - change - 11 Nov 2024: Labels added: Test instructions missing, Updates Requested, NPM Resource Changed, PR-5.2-dev
Shivam7-1 - comment - 11 Nov 2024

Hi reviewers @dgrammatiko,
Thank you so much for reviewing 😃

I understand the concern about using Joomla.sanitizeHtml() without proper configuration. The intent was to sanitize potentially unsafe HTML, but I agree that it could break things when not properly configured for specific elements and their attributes. As a result, I will update the code to use textContent, which will ensure that any HTML is rendered as plain text, avoiding the potential for broken content or issues with element attributes.

I don’t have a specific test case to demonstrate an exploit, but I can explain how the issue could be tested. The potential vulnerability lies in cases where user-provided content—such as input from forms or comments—could be injected into the page and rendered without proper sanitization.

I will proceed with the change to textContent to eliminate this risk.
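
The innerHTML-versus-textContent distinction the comment above settles on, as an added example that is not code from the PR or from Joomla. The payload string is constructed for illustration, `fakeElement` is a stand-in so the block runs under Node (in a browser, pass any real element to the two render functions instead), and `looksLikeActiveMarkup` is a detection heuristic for the test, not a sanitizer. The example deliberately does not call Joomla.sanitizeHtml, since its allow-list configuration is exactly what the comment identifies as the fragile part.

```javascript
// Added example, not code from the PR or from Joomla: the XSS path that
// innerHTML opens and the textContent fix the comment settles on.

// Constructed sample of untrusted input (e.g. a comment body). The <img>
// has no valid source, so its onerror handler fires as soon as it is parsed.
const UNTRUSTED = 'Nice post! <img src=x onerror="alert(document.cookie)">';

// Heuristic for "would a browser execute script from this markup":
// script-like elements, inline event-handler attributes inside a tag, or a
// javascript: URI in an attribute. Detection aid only, NOT a sanitizer.
const ACTIVE_MARKUP = new RegExp(
  [
    '<\\s*(script|iframe|object|embed)\\b',
    '<\\s*\\w+[^>]*\\son\\w+\\s*=',
    '<\\s*\\w+[^>]*=\\s*["\']?\\s*javascript\\s*:',
  ].join('|'),
  'i',
);

function looksLikeActiveMarkup(markup) {
  return ACTIVE_MARKUP.test(markup);
}

// Entity-encode the characters that can change HTML parsing. This is what
// the browser produces when it serialises a text node, and what you need
// if you ever have to build an HTML string from untrusted input by hand.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable path: the string is handed to the HTML parser, so the tag and
// its onerror attribute become live DOM.
function renderAsHtml(el, untrusted) {
  el.innerHTML = untrusted;
  return el;
}

// Fixed path: textContent stores the string as one text node. The parser
// never sees it, so '<', '>' and attributes are inert characters.
function renderAsText(el, untrusted) {
  el.textContent = untrusted;
  return el;
}

// Minimal stand-in for a DOM element so the example runs under Node. In a
// browser pass a real element (e.g. document.getElementById('msg')) to the
// two render functions instead. The stand-in models the one thing that
// matters here: what the parser is fed on each assignment, and how the
// element serialises back to HTML afterwards.
function fakeElement() {
  let child = { kind: 'text', value: '' };
  return {
    set innerHTML(markup) { child = { kind: 'html', value: String(markup) }; },
    // HTML children serialise verbatim; a text node serialises escaped.
    get innerHTML() {
      return child.kind === 'html' ? child.value : escapeHtml(child.value);
    },
    set textContent(text) { child = { kind: 'text', value: String(text) }; },
    get textContent() {
      return child.kind === 'text' ? child.value : child.value.replace(/<[^>]*>/g, '');
    },
  };
}

// Run both paths on the same input and report what the parser would see.
function compareRenderPaths(untrusted = UNTRUSTED) {
  const viaHtml = renderAsHtml(fakeElement(), untrusted);
  const viaText = renderAsText(fakeElement(), untrusted);
  return {
    htmlMarkup: viaHtml.innerHTML,
    textMarkup: viaText.innerHTML,
    htmlExecutes: looksLikeActiveMarkup(viaHtml.innerHTML),
    textExecutes: looksLikeActiveMarkup(viaText.innerHTML),
    // The user still sees their literal input, just not interpreted.
    textShown: viaText.textContent,
  };
}

const result = compareRenderPaths();
console.log(result);
```

The textContent path is the right default whenever the value is meant to be shown as text; only if rich HTML genuinely has to be rendered does an allow-list sanitizer come into play, and then the allowed elements and attributes have to be configured per call site, which is the breakage risk the comment describes.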

Hackwar - comment - 28 Nov 2024

Thank you for creating this PR, however I'm not considering this a bugfix and at this point in time I will only accept bugfixes for 5.2. Please change the PR to be against 5.3-dev. Thank you.

Shivam7-1 - comment - 2 Dec 2024

Hi @Hackwar, thanks for reviewing the PR. I have changed this to 5.3-dev.
Thanks

Shivam7-1 - comment - 9 Dec 2024

Hi @Hackwar, thanks for reviewing the PR. I have changed this to 5.3-dev.
Could you please review this PR again?
Thanks

Shivam7-1 - comment - 12 Dec 2024

Hi @Hackwar @dgrammatiko, thanks for reviewing the PR. I have made the changes according to the suggestions. Could the team review this PR again?
Thanks

Shivam7-1 - comment - 17 Dec 2024

Hi @Hackwar @dgrammatiko, thanks for reviewing the PR. I have made the changes according to the suggestions. Could the team review this PR again?
Thanks

Shivam7-1 - comment - 20 Dec 2024
Shivam7-1 - change - 14 Jan 2025: Labels added: Feature, PR-5.3-dev; removed: PR-5.2-dev
