
RXSS with help page editordocumentation possible (4.1.3 p1)


Details

    • Critical
    • Stay in field: This issue is security related!
    • Security related fix.

    Description

      problem

      In application/modules/default/views/scripts/help/editordocumentation.phtml the request parameter lang is inserted directly into the generated HTML. This enables reflected XSS (RXSS) attacks.

      solution

      Ensure that only locales for which a documentation file exists can be used. Either check lang against an array of available locales and default to English if it is invalid, or list the available files on disk and derive the set of valid languages from them.
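      The following is an added illustration of the proposed fix, not code from translate5. It shows the two variants named above (a static allowlist, or an allowlist derived from the files present on disk) behind one resolver that falls back to English. The directory layout help/editordocumentation/<locale>.html and the way the view uses lang are assumptions for the example, not the project's actual layout.

```php
<?php
// Added example (not translate5 code): allowlist the `lang` parameter of a help
// view against the locales that actually have a documentation file.
// Assumed layout: <docDir>/<locale>.html (placeholder, not the real project path).

declare(strict_types=1);

/**
 * Variant 2 from the ticket: derive the valid locales from the files on disk.
 * Only the base filename is used, and only if it looks like a locale code;
 * nothing from the request is involved in building this list.
 */
function availableLocales(string $docDir): array
{
    $locales = [];
    foreach (glob($docDir . '/*.html') ?: [] as $path) {
        $code = basename($path, '.html');
        if (preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $code) === 1) {
            $locales[] = $code;
        }
    }
    return $locales;
}

/**
 * Map the untrusted request value onto an allowlisted locale.
 * Anything not in $available (including arbitrary markup) is discarded and
 * replaced by the default, so the user-supplied string never reaches the HTML.
 * $available may come from availableLocales() or be a static array
 * (variant 1 from the ticket, e.g. ['en', 'de']).
 */
function resolveLocale(?string $requested, array $available, string $default = 'en'): string
{
    if ($requested !== null && in_array($requested, $available, true)) {
        return $requested;
    }
    if (in_array($default, $available, true)) {
        return $default;
    }
    // No English file present: fall back to the first available locale,
    // or to the default name if no files exist at all.
    return $available !== [] ? (string) reset($available) : $default;
}

// --- vulnerable shape described in the ticket (assumed, shown for contrast) ---
// $lang = $_GET['lang'];
// echo '<iframe src="help/editordocumentation/' . $lang . '.html"></iframe>';

// --- hardened shape ---
$docDir    = __DIR__ . '/help/editordocumentation';   // placeholder path
$available = availableLocales($docDir);               // or: ['en', 'de'];
$lang      = resolveLocale($_GET['lang'] ?? null, $available);

// The value is already allowlisted; escaping on output is defence in depth
// and matches what any value written into an attribute should get anyway.
echo '<iframe src="help/editordocumentation/'
    . htmlspecialchars($lang, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . '.html"></iframe>';
```

      The allowlist is the actual fix: once lang can only ever be one of a few known filenames, the reflected value is no longer attacker-controlled. The htmlspecialchars() call on output is independent of that and is worth keeping regardless of where the locale comes from.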


          People

            aleksandar Aleksandar Mitrev
            tlauria Thomas Lauria