Further fixes for grave character security protection #4356
Comments
Does this affect any other areas?
@ddb4github, didn't I propose and didn't we implement a str_replace() on the grave character?
If you look more closely though, I think he's saying that the filter_value calls we have don't use html_escape, so if any of the filter_values are reused in display, they would allow XSS.
I was unable to reproduce this myself, so I have basically applied the same code in filter_value as was present in html_escape. This will make the filters align better as well, so it should be a win-win scenario.
That's cause we fixed it already ;)
Here is the commit that fixed the grave issue. Going to close this as duplicate.
This isn't a duplicate. It's applying the fix to the filter_value() function.
Yea, I noted that.
Confused, as you said it was a duplicate.
Describe the bug
Name column does not escape the grave (`) char.
Example:
Graph Item Inputs --> Name column, curly braces (})
Example:
To Reproduce
Hard to reproduce under Firefox/Chrome
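As an added illustration of the fix discussed above (not the project's own code, and written in Python rather than the project's language): a hypothetical before/after pair for a filter_value-style helper, where the "after" version applies the same escaping an html_escape-style helper would, including the grave character this issue reports as unescaped. Function names, the sample inputs and the rendered field are all constructed for the example.

```python
import html

# Characters that must never reach an HTML attribute or text node unescaped.
# html.escape(quote=True) handles & < > " ' but leaves the grave accent alone,
# so the hardened helper adds it explicitly (mirrors the str_replace() idea).
GRAVE = "`"
UNSAFE = set('<>"\'`')


def filter_value_old(value: str) -> str:
    """Hypothetical 'before' behaviour: trim whitespace only, no escaping.
    A value that is later reused in display keeps every dangerous character."""
    return value.strip()


def filter_value_new(value: str) -> str:
    """Hypothetical 'after' behaviour: same escaping as the html_escape-style
    helper, plus the grave character, so filter values are safe to redisplay."""
    escaped = html.escape(value.strip(), quote=True)
    return escaped.replace(GRAVE, "&#96;")


def unsafe_chars(rendered: str) -> set:
    """Defensive check: which HTML-significant characters survived unescaped?"""
    return {c for c in rendered if c in UNSAFE}


def render_filter_field(raw_value: str) -> str:
    """Constructed example of a filter value being reused in a form field,
    i.e. the 'reused in display' path the discussion is concerned about."""
    return f'<input type="text" value="{filter_value_new(raw_value)}">'


if __name__ == "__main__":
    # Constructed sample name containing the grave character from the report.
    sample = "  Traffic `eth0` (bytes)  "
    print("before:", filter_value_old(sample), unsafe_chars(filter_value_old(sample)))
    print("after: ", filter_value_new(sample), unsafe_chars(filter_value_new(sample)))
    print(render_filter_field('Disk "sda"'))
```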