In this PR, Joomla.sanitizeHtml is used to sanitize all HTML content rendered within the application. This change improves security by preventing XSS (Cross-Site Scripting) vulnerabilities and ensures that user-generated or external HTML is safe. All relevant components have been updated for consistent sanitization, enhancing overall application integrity.
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Field | Change |
| --- | --- |
| Status | New ⇒ Pending |
| Category | ⇒ JavaScript Repository NPM Change |
| Labels | Added: Test instructions missing, Updates Requested, NPM Resource Changed, PR-5.2-dev |
Hi Reviewers,
Thank you so much for reviewing 😃
I understand the concern about using Joomla.sanitizeHtml() without proper configuration. The intent was to sanitize potentially unsafe HTML, but I agree that it could break things when not properly configured for specific elements and their attributes. As a result, I will update the code to use `textContent`, which will ensure that any HTML is rendered as plain text, avoiding the potential for broken content or issues with element attributes.

I don't have a specific test case to demonstrate an exploit, but I can explain how the issue could be tested. The potential vulnerability lies in cases where user-provided content—such as input from forms or comments—could be injected into the page and rendered without proper sanitization.

I will proceed with the change to `textContent` to eliminate this risk.
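The two points the comment above turns on, as an added example that is not code from this PR or from Joomla: rendering untrusted strings through `textContent`, and checking an allow-list for gaps before relying on `Joomla.sanitizeHtml()`. The Bootstrap-style allow-list shape (tag name to a list of attribute names or RegExps, `'*'` for every tag) and the sample data are assumptions constructed for illustration.

```javascript
// Added example, not code from the Joomla PR. Assumes Joomla.sanitizeHtml
// takes (unsafeHtml, allowList) with a Bootstrap-style allow-list object:
// tag name -> array of allowed attribute names or RegExps; '*' applies to all.

// Untrusted text such as form input or comments: assign to textContent.
// The browser stores the string as character data; nothing is parsed.
function renderUntrustedText(el, value) {
  el.textContent = String(value);
  return el;
}

// What textContent guarantees, spelled out: characters that could open a tag,
// an entity or an attribute value are turned into character references.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before pointing an allow-list sanitizer at content that legitimately contains
// markup, list the elements and attributes that content relies on which the
// allow-list would strip. Anything returned is the "broken content" the
// reviewers were concerned about; an empty array means the list is complete.
function findStripped(allowList, needed) {
  const stripped = [];
  for (const [tag, attrs] of Object.entries(needed)) {
    if (!(tag in allowList)) { stripped.push(tag); continue; }
    const allowed = [...(allowList['*'] || []), ...allowList[tag]];
    for (const attr of attrs) {
      const ok = allowed.some((a) => (a instanceof RegExp ? a.test(attr) : a === attr));
      if (!ok) stripped.push(`${tag}[${attr}]`);
    }
  }
  return stripped;
}

// Constructed (hypothetical) allow-list that forgets <table> and rel= on links.
const SAMPLE_ALLOW_LIST = {
  '*': ['class', 'id', /^aria-[\w-]*$/i],
  a: ['href', 'title'],
  p: [],
  strong: [],
};
// Constructed description of the markup a piece of application HTML needs.
const SAMPLE_NEEDS = { a: ['href', 'rel', 'aria-label'], table: [], p: ['class'] };

if (typeof document !== 'undefined') {
  // Browser-only demo: the user-supplied string never becomes an element.
  const div = renderUntrustedText(document.createElement('div'), '<img src=x onerror="alert(1)">');
  console.log(div.children.length); // 0
}
console.log(findStripped(SAMPLE_ALLOW_LIST, SAMPLE_NEEDS)); // [ 'a[rel]', 'table' ]
```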