Details
- Type: Task
- Resolution: Fixed
- Priority: Critical
- Summary: Security: fixed remaining PXSS issues by adding frontend-sanitization
Description
Problem
TRANSLATE-283 was not solved completely. For some fields PXSS is prevented, for some it is not.
In the re-test, at least in the POST of language resources, PXSS still exists.
That can easily be tested by adding some HTML (e.g. bold) to the input and saving it.
If the HTML remains after reloading the grid, then the PXSS is still there and must be fixed / checked why. It should be solved in general by the input sanitizer.
The consequence is that we have to test all fields manually!
Also we should add that to the tests by modifying existing tests and adding HTML to the input data there; in the best case it is stripped and nothing in the test comparison part needs to change at all.
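The check described above (submit a value containing markup, reload, see whether the markup survived) together with the strip-on-input behaviour the ticket wants from the sanitizer, as an added JavaScript example. This is not translate5 code: the field names, the probe payloads and the `submitField` round trip are constructed for illustration, and `stripTags` is a minimal tag stripper written here, not the project's input sanitizer. Stripping tags rather than HTML-escaping leaves quotation marks and apostrophes untouched, which matters for the linked TRANSLATE-4129.

```javascript
// Constructed PXSS probes: what a tester would type into each field.
// Field names are hypothetical, not translate5's real field names.
const PXSS_PROBES = [
  { field: 'languageResource.name', input: 'my <b>bold</b> TM' },
  { field: 'comment',               input: "it's <img src=x onerror=alert(1)>" },
  { field: 'filename',              input: 'report<script>alert(1)</script>.xlf' },
  { field: 'segment.target',        input: '<b onclick="x>y">t</b>' },
];

// Remove HTML tags but keep text content. Only '<' followed by a tag-like
// character starts a tag, so "a < b" in ordinary text is left alone.
// Quoted attribute values are honoured so a '>' inside them does not end the tag.
// Quotes and apostrophes in text are NOT escaped (contrast with HTML-escaping).
function stripTags(value) {
  let out = '';
  let i = 0;
  while (i < value.length) {
    const ch = value[i];
    if (ch === '<' && /[a-zA-Z\/!?]/.test(value[i + 1] || '')) {
      let quote = null;
      i++;
      while (i < value.length) {
        const c = value[i];
        if (quote) {
          if (c === quote) quote = null;
        } else if (c === '"' || c === "'") {
          quote = c;
        } else if (c === '>') {
          break;
        }
        i++;
      }
      i++; // step past the closing '>' (or past end of input for an unterminated tag)
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Simulated frontend POST + store round trip (hypothetical, stands in for the
// real request): with the sanitizer active the value is stripped before it is
// sent; without it the raw value is persisted.
function submitField(value, sanitizerActive) {
  return sanitizerActive ? stripTags(value) : value;
}

// The ticket's acceptance check: after reloading the grid, does the stored
// value still contain markup? A tag-start pattern is enough for this heuristic.
function hasMarkup(stored) {
  return /<[a-zA-Z!\/]/.test(stored);
}

// Run every probe through the round trip and report which fields still show PXSS.
function runProbes(sanitizerActive) {
  return PXSS_PROBES.map((p) => {
    const stored = submitField(p.input, sanitizerActive);
    return { field: p.field, stored, pxss: hasMarkup(stored) };
  });
}

// Stand-alone run: the "before" and "after" tables a tester would compare.
console.table(runProbes(false));
console.table(runProbes(true));
```

In an automated test this is the change the description asks for: keep the existing expected values, feed the probe strings as input, and assert that the stored value equals the stripped text so that `hasMarkup` is false for every field.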
Attachments
Issue Links
- is caused by
  - TRANSLATE-283 XSS Protection in translate5 (Done)
- relates to
  - TRANSLATE-4129 Quotation marks and apostrophes in comments are escaped (Selected for dev)
  - TRANSLATE-3964 Prevent PXSS in filenames (Done)
  - TRANSLATE-4110 Add escaping html on TM Maintenance page (Selected for dev)