Details
- Bug
- Resolution: Fixed
- Critical
- Stay in field: This issue is security related!
- Security related fix.
Description
problem
In application/modules/default/views/scripts/help/editordocumentation.phtml the request parameter lang is inserted directly into the generated HTML without validation or escaping. This enables reflected cross-site scripting (RXSS) attacks.
solution
Ensure that only locales for which a documentation file actually exists can be used. Either check lang against an array of available locales and default to English if the value is invalid, or read the available files from disk and derive the set of valid languages from them.
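One way to implement the second variant of the solution in PHP, as an added example that is not the project's own code: the set of valid locales is derived from the files present on disk, the requested lang is accepted only if it is on that allowlist, and the output is still escaped. The directory layout, the file naming pattern editordocumentation.<locale>.phtml and the function names are assumptions.

```php
<?php
// Added example (not the project's code). Assumed layout: one documentation
// file per locale, e.g. editordocumentation.en.phtml, in $docDir.

/**
 * Return the locales that have a documentation file on disk.
 * The locale token is taken from the file name via a strict pattern, so the
 * resulting strings contain only [a-z], [A-Z] and "_" and nothing from user input.
 */
function availableDocLocales(string $docDir): array
{
    $locales = [];
    foreach (glob($docDir . '/editordocumentation.*.phtml') ?: [] as $path) {
        if (preg_match('/^editordocumentation\.([a-z]{2}(?:_[A-Z]{2})?)\.phtml$/',
                       basename($path), $m)) {
            $locales[] = $m[1];
        }
    }
    return $locales;
}

/**
 * Pick the locale to render: the requested one if it is on the allowlist,
 * otherwise the English fallback (assumed to exist on disk).
 * The return value is always one of the known names, so it is safe to use
 * both in the include path and in the generated HTML.
 */
function resolveDocLocale(?string $requested, array $available, string $fallback = 'en'): string
{
    if ($requested !== null && in_array($requested, $available, true)) {
        return $requested;
    }
    return $fallback;
}

// Usage in the view script (request handling is assumed, not the project's own).
$docDir    = __DIR__;
$available = availableDocLocales($docDir);
$lang      = resolveDocLocale($_GET['lang'] ?? null, $available);

// $lang is allowlisted, but output escaping stays in place regardless.
echo '<div class="help" lang="' . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '">';
include $docDir . '/editordocumentation.' . $lang . '.phtml';
echo '</div>';
```

A request with an unknown or malformed lang value (for example one containing markup or path separators) never reaches the include or the HTML: it falls back to the English file.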