Broken HTML escaping in many templates
Bug #361286 reported by Shane Hathaway
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| KARL3 | Fix Released | Low | Chris McDonough | |
Bug Description
The page templates in KARL3 often use the ${foo} syntax provided by chameleon.zpt. In chameleon.zpt 1.0b9 and earlier, ${foo} is not HTML-escaped, leading to many cross-site scripting vulnerabilities. Starting with 1.0b10, ${foo} will be HTML-escaped, which prevents most XSS vulnerabilities, but KARL3 has many templates that need to adapt to the change. We need to fix those templates, then update to the latest version of chameleon.zpt.
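To make the behaviour change concrete, here is an added example (not code from KARL3 or from chameleon.zpt): a toy renderer that mimics the two ${foo} behaviours the description contrasts, plus a small scanner that lists the interpolations in a template so the ones that relied on raw insertion can be reviewed. The opt-out spelling `${structure: expr}` is the one later Chameleon releases use and is an assumption here; the report does not say how 1.0b10 spelled it. The template and values are constructed sample data.

```python
"""Toy model of chameleon.zpt's ${foo} interpolation before and after
auto-escaping.  Added example only; not the project's own code."""
import html
import re

# Assumed opt-out syntax (${structure: expr}, as in later Chameleon releases);
# the bug report does not state what 1.0b10 used.
INTERP = re.compile(r"\$\{\s*(structure:)?\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}")


def render_unescaped(template: str, context: dict) -> str:
    """Mimic chameleon.zpt <= 1.0b9 as described: every ${foo} is inserted raw,
    so attacker-controlled text lands in the page as live markup."""
    return INTERP.sub(lambda m: str(context[m.group(2)]), template)


def render_escaped(template: str, context: dict) -> str:
    """Mimic 1.0b10+ as described: ${foo} is HTML-escaped unless the template
    author explicitly opts out for a value they vouch for as safe markup."""
    def repl(m: re.Match) -> str:
        value = str(context[m.group(2)])
        if m.group(1):  # explicit opt-out: raw markup on purpose
            return value
        return html.escape(value, quote=True)
    return INTERP.sub(repl, template)


def find_interpolations(template: str) -> list[tuple[str, bool]]:
    """Return (name, is_raw) for each ${...} in a template.  Running this over
    a template tree shows which interpolations will change rendering after the
    upgrade and therefore need a review for intended-HTML vs. plain-text use."""
    return [(m.group(2), bool(m.group(1))) for m in INTERP.finditer(template)]


# Constructed sample data, not taken from the report.
PROFILE_TEMPLATE = (
    '<p class="bio">${bio}</p>'
    '<div class="banner">${structure: banner}</div>'
)
CONTEXT = {
    "bio": "<script>alert(1)</script>",  # user-supplied profile text
    "banner": "<b>Welcome back</b>",     # server-generated markup
}

if __name__ == "__main__":
    print("<= 1.0b9 :", render_unescaped(PROFILE_TEMPLATE, CONTEXT))
    print(">= 1.0b10:", render_escaped(PROFILE_TEMPLATE, CONTEXT))
    print("to review:", find_interpolations(PROFILE_TEMPLATE))
```

The scanner is the useful part for the migration the report describes: every `(name, False)` entry is a place where the old raw insertion was being relied on, and each one needs a decision between leaving it escaped (the safe default) or marking it as intentional markup.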
Changed in karl3: status: Fix Committed → Fix Released
Let's put this in the pile for next week, we're pretty loaded down for this week.