#3745 ([PATCH] sfPropelActAsCommentableBehaviorPlugin plugin is XSS vulnerable in title and author_name fields)

Ticket #3745 (closed defect: fixed)

Opened 3 months ago

Last modified 3 weeks ago

Reported by: cronfy
Assigned to: xavier
Priority: minor
Milestone:
Component: sfPropelActAsCommentablePlugin
Version: 1.1.0 RC2
Keywords:
Cc:
Qualification: Unreviewed

Description

The sfPropelActAsCommentableBehaviorPlugin plugin uses strip_tags() only for the 'text' field, thus the other fields are vulnerable to XSS attacks. The patch is trivial; I attach it to the ticket.
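The defect described in the ticket is a sanitizer applied to one field while the others reach the page untouched. The following PHP snippet is an added example, not the plugin's code or the attached patch: it treats every visitor-controlled comment field the same way and, separately, escapes values at output time. The field names 'title', 'author_name' and 'text' are taken from the ticket; the function names and the sample input are assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's code): apply the same input sanitizing to
// every user-controlled comment field, and escape again when rendering.
// Function names are assumptions; field names come from the ticket.

function sanitizeCommentFields(array $comment): array
{
    // The plugin's bug was stripping tags from 'text' only. Any field a
    // visitor can fill in must get identical treatment.
    foreach (['title', 'author_name', 'text'] as $field) {
        if (isset($comment[$field])) {
            $comment[$field] = strip_tags((string) $comment[$field]);
        }
    }
    return $comment;
}

function escapeForHtml(string $value): string
{
    // Output escaping is the defense that still holds for rows stored
    // before the input-side fix was deployed.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission: markup in the fields that were not stripped.
$submitted = [
    'title'       => 'Nice post <script>alert(1)</script>',
    'author_name' => '<b>Bob</b>',
    'text'        => 'Hello <i>world</i>',
];

$clean = sanitizeCommentFields($submitted);
foreach ($clean as $field => $value) {
    // Rendered form: tags stripped on input, remaining characters escaped on output.
    printf("%s: %s\n", $field, escapeForHtml($value));
}
```

strip_tags() removes elements but leaves quotes and angle-bracket fragments untouched, so on its own it is not enough when a stored value is later placed inside an attribute; the htmlspecialchars() call on output covers that context, which is why the example keeps both layers rather than relying on the input-side fix alone.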

Attachments

fixed-xss.patch (0.7 kB) - added by cronfy on 06/13/08 20:14:21.
patch: fixes XSS vulnerability for 'title' and 'author_name' fields

Change History

06/13/08 20:14:21 changed by cronfy

  • attachment fixed-xss.patch added.

08/11/08 13:27:38 changed by xavier

  • status changed from new to closed.
  • resolution set to fixed.

fixed in [10773].