translate5 / TRANSLATE-3022

RXSS with help page editordocumentation possible (4.1.3 p1)


    • Critical
    • Stay in field: This issue is security related!
    • Security related fix.

      problem

      In application/modules/default/views/scripts/help/editordocumentation.phtml the request parameter lang is inserted unescaped into the generated HTML. This makes a reflected XSS (RXSS) attack possible: any value an attacker places in lang, including markup and script, is echoed back to the user's browser.

      solution

      Ensure that only locales for which a documentation file exists can be selected. Either check lang against an array of available locales and fall back to English when the value is not in that array, or read the available files from disk and derive the set of valid languages from them. In both variants the value that ends up in the page must come from the allow-list, never from the request itself.
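The following is an added example, not translate5's own code: it shows the unsafe pattern described above next to the allow-list fix the solution proposes. The directory layout (editordocumentation_<lang>.html files under a help directory), the iframe markup and the function names are assumptions for illustration only.

```php
<?php
// Added example (not translate5's own code): validating the "lang" parameter
// before it is used to build a file name or HTML. The directory layout and
// file naming below are assumptions for illustration.

declare(strict_types=1);

const HELP_DOC_DIR = __DIR__ . '/help';   // assumed location of editordocumentation_<lang>.html
const DEFAULT_LANG = 'en';

/**
 * Vulnerable pattern: the request parameter is written straight into markup.
 * A request like ?lang=en"><script>alert(1)</script> reaches the page unescaped.
 */
function renderHelpVulnerable(string $lang): string
{
    return '<iframe src="/help/editordocumentation_' . $lang . '.html"></iframe>';
}

/**
 * Build the allow-list from the files that actually exist on disk, so only
 * locales that have a documentation file can ever be selected.
 */
function availableHelpLocales(string $dir): array
{
    $locales = [];
    foreach (glob($dir . '/editordocumentation_*.html') ?: [] as $path) {
        // Accept only "xx" or "xx-YY" style locale tags taken from the file name.
        if (preg_match('/_([a-z]{2}(?:-[A-Z]{2})?)\.html$/', basename($path), $m)) {
            $locales[] = $m[1];
        }
    }
    return $locales;
}

/**
 * Hardened: resolve the requested locale against the allow-list and fall back
 * to English for anything unknown. Strict comparison avoids type juggling.
 */
function resolveHelpLocale(?string $requested, array $allowed, string $default = DEFAULT_LANG): string
{
    if ($requested !== null && in_array($requested, $allowed, true)) {
        return $requested;
    }
    return $default;
}

/**
 * The value written into the page is the allow-listed one, and it is still
 * HTML-escaped on output as a second line of defence.
 */
function renderHelpSafe(?string $requested, array $allowed): string
{
    $lang = resolveHelpLocale($requested, $allowed);
    $src  = '/help/editordocumentation_' . $lang . '.html';
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"></iframe>';
}

// Demonstration with a constructed payload; the allow-list stands in for
// availableHelpLocales(HELP_DOC_DIR) so the script runs without the files.
$payload = 'en"><script>alert(1)</script>';
$allowed = ['en', 'de'];

echo renderHelpVulnerable($payload), PHP_EOL;      // script tag survives in the output
echo renderHelpSafe($payload, $allowed), PHP_EOL;  // unknown value falls back to "en"
echo renderHelpSafe('de', $allowed), PHP_EOL;      // valid locale passes through
```

Deriving the allow-list from the files on disk keeps the check in sync with what is actually deployed, while comparing against a fixed array is cheaper per request; either way the request value itself must never be echoed, and escaping on output stays in place so a later change to the allow-list cannot reintroduce the bug.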

            aleksandar Aleksandar Mitrev
            tlauria Thomas Lauria