Broken HTML escaping in many templates

Bug #361286 reported by Shane Hathaway on 2009-04-14
Affects Status Importance Assigned to Milestone
Chris McDonough

Bug Description

The page templates in KARL3 often use the ${foo} syntax provided by chameleon.zpt. In chameleon.zpt 1.0b9 and earlier, ${foo} is not HTML escaped, leading to many cross site scripting vulnerabilities. Starting with 1.0b10, ${foo} will be HTML escaped, which prevents most XSS vulnerabilities, but KARL3 has many templates that need to adapt to the change. We need to fix those templates, then update to the latest version of chameleon.zpt.

Paul Everitt (paul-agendaless) wrote :

Let's put this in the pile for next week, we're pretty loaded down for this week.

Changed in karl3:
importance: Undecided → Medium
milestone: none → m11
Paul Everitt (paul-agendaless) wrote :

For now, we'll reserve M11 Medium to mean: "things to get to feature completion"

Changed in karl3:
importance: Medium → Low
Paul Everitt (paul-agendaless) wrote :

Chris switched the index to use the new Chameleon, as well as spending lots of time fixing the ${} syntax and layout breakage.

I'll mark this closed as we don't have any next step. If there is something broken, we'll make a new issue.

Changed in karl3:
assignee: nobody → chrism-plope
status: New → Fix Committed
Changed in karl3:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers