KARL3

Broken HTML escaping in many templates

Bug #361286 reported by Shane Hathaway on 2009-04-14

Affects		Status	Importance	Assigned to	Milestone
	KARL3	Fix Released	Low	Chris McDonough	KARL3 m11

Bug Description

The page templates in KARL3 often use the ${foo} syntax provided by chameleon.zpt. In chameleon.zpt 1.0b9 and earlier, ${foo} is not HTML escaped, leading to many cross site scripting vulnerabilities. Starting with 1.0b10, ${foo} will be HTML escaped, which prevents most XSS vulnerabilities, but KARL3 has many templates that need to adapt to the change. We need to fix those templates, then update to the latest version of chameleon.zpt.

Revision history for this message

Paul Everitt (paul-agendaless) wrote on 2009-04-14:

Let's put this in the pile for next week, we're pretty loaded down for this week.

Changed in karl3:
importance:	Undecided → Medium
milestone:	none → m11

Revision history for this message

Paul Everitt (paul-agendaless) wrote on 2009-04-21:

For now, we'll reserve M11 Medium to mean: "things to get to feature completion"

Changed in karl3:
importance:	Medium → Low

Revision history for this message

Paul Everitt (paul-agendaless) wrote on 2009-04-23:

Chris switched the index to use the new Chameleon, as well as spending lots of time fixing the ${} syntax and layout breakage.

I'll mark this closed as we don't have any next step. If there is something broken, we'll make a new issue.

Changed in karl3:
assignee:	nobody → chrism-plope
status:	New → Fix Committed

Shane Hathaway (shane-hathawaymix) on 2009-05-15

Changed in karl3:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.