Commit
| Q | A |
| ------------- | --- |
| Bug fix? | yes |
| Backport | 0.9, 0.10 |
| Tickets | #1543 |
| License | MIT |

According to #1543, there is a security issue where XSS code can be executed in the frontend. Enhavo already provides a Twig filter `html_sanitize` to prevent XSS injections, but in this case the filter is not applied to the output of the `headline` filter. The `headline` filter is marked as HTML safe, which is not true. Unmarking it as HTML safe would cause BC breaks because the output would be encoded HTML. So we apply the sanitize routine to the `headline` filter to satisfy the HTML safe mark. Further outputs were checked as well, and the `raw` filter was replaced with `html_sanitize` where HTML output from the user is expected.
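As an added illustration (not Enhavo's own code), a minimal Twig extension showing the pattern the commit message describes: a filter marked `is_safe` for HTML bypasses Twig's autoescaping, so it must sanitize the user-supplied content itself; dropping the mark instead would make autoescape encode the filter's own markup. The `headline` implementation, the wrapping element and the sanitizer configuration below are assumptions.

```php
<?php
// Added example, not Enhavo's code. Assumes twig/twig and symfony/html-sanitizer
// are installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class HeadlineExtension extends AbstractExtension
{
    public function __construct(private HtmlSanitizer $sanitizer) {}

    public function getFilters(): array
    {
        return [
            // Vulnerable variant: 'is_safe' tells Twig to skip autoescaping, but the
            // user-controlled $text is interpolated unchanged into the markup.
            new TwigFilter('headline_unsafe',
                fn (string $text) => "<h1 class=\"headline\">$text</h1>",
                ['is_safe' => ['html']]),
            // Fixed variant: keep the html-safe mark (templates relying on the rendered
            // markup keep working) but sanitize the user content before wrapping it.
            new TwigFilter('headline',
                fn (string $text) => '<h1 class="headline">'
                    . $this->sanitizer->sanitize($text) . '</h1>',
                ['is_safe' => ['html']]),
        ];
    }
}

// Allow-list based sanitizer: safe elements/attributes stay, event handlers are dropped.
$sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())->allowSafeElements());

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ title|headline_unsafe }}',
    'fixed'  => '{{ title|headline }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new HeadlineExtension($sanitizer));

// Constructed sample of user-supplied content carrying an inline event handler.
$title = 'Welcome <img src="x" onerror="alert(1)"> <b>home</b>';

// The unsafe filter passes the handler through; the fixed filter keeps the
// harmless <b> formatting and strips the onerror attribute.
echo $twig->render('unsafe', ['title' => $title]), "\n";
echo $twig->render('fixed', ['title' => $title]), "\n";
```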
Showing 6 changed files with 13 additions and 7 deletions.