[SECURITY] Introduce selective argument escaping
Addresses three XSS vulnerabilities:

* The "then" and "else" arguments of condition ViewHelpers were not escaped. They are now escaped based on the escapeChildren toggle of the ViewHelper, which is ON by default in subclasses of AbstractConditionViewHelper.
* Content arguments in ViewHelpers which disable escapeOutput were not escaped, but values passed as child node were escaped. Both cases are now treated the same and escaping is based on escapeChildren state.
* TagBased ViewHelpers allowed attribute names containing HTML if passed in "additionalAttributes", which made XSS possible by crafting array keys with HTML. Attribute names are now subjected to the same escaping as attribute values.

Also fixes a couple of undesirable behaviors, e.g. avoids double escaping of output in some combinations of escapeOutput=true and quoted arguments.
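The three cases listed in the commit message, as an added illustration that is not Fluid's own code: a minimal stand-in for a tag-based ViewHelper in its pre-fix and hardened shapes, plus a condition ViewHelper stand-in whose "then"/"else" arguments follow the escapeChildren toggle. All function names and the ATTR_NAME_PATTERN constant are made up for this example; the attribute-name allowlist goes one step beyond the escaping the commit message describes, for the reason given in the comment.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from TYPO3 Fluid. renderTagVulnerable,
// renderTagHardened, renderCondition and ATTR_NAME_PATTERN are invented here.

function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both quote styles, so a value cannot close its delimiter.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Pre-fix shape described in the commit message: attribute values are escaped,
 * attribute *names* are emitted verbatim, and a content argument bypasses the
 * escaping a child node would receive. Deliberately vulnerable.
 */
function renderTagVulnerable(string $tag, array $attributes, string $content): string
{
    $attrs = '';
    foreach ($attributes as $name => $value) {
        // The key goes out unchanged: a space or '=' inside it starts a new attribute.
        $attrs .= ' ' . $name . '="' . escapeHtml((string) $value) . '"';
    }
    return "<{$tag}{$attrs}>{$content}</{$tag}>";
}

// An attribute name sits outside any quotes, so htmlspecialchars() alone cannot
// stop whitespace or '=' from splitting it into a second attribute. Accept only
// a plain token. This allowlist is the example's own addition, not Fluid's.
const ATTR_NAME_PATTERN = '/^[A-Za-z_:][-A-Za-z0-9_:.]*\z/';

/**
 * Hardened shape: names are validated and then escaped exactly like values, and
 * the content argument honours the same escapeChildren toggle as a child node.
 */
function renderTagHardened(string $tag, array $attributes, string $content, bool $escapeChildren = true): string
{
    $attrs = '';
    foreach ($attributes as $name => $value) {
        $name = (string) $name;
        if (preg_match(ATTR_NAME_PATTERN, $name) !== 1) {
            throw new InvalidArgumentException('Illegal attribute name: ' . $name);
        }
        $attrs .= ' ' . escapeHtml($name) . '="' . escapeHtml((string) $value) . '"';
    }
    $body = $escapeChildren ? escapeHtml($content) : $content;
    return "<{$tag}{$attrs}>{$body}</{$tag}>";
}

/**
 * Condition ViewHelper stand-in: the "then"/"else" arguments are escaped under
 * the same escapeChildren toggle (ON by default) instead of being passed through.
 */
function renderCondition(bool $condition, string $then, string $else, bool $escapeChildren = true): string
{
    $branch = $condition ? $then : $else;
    return $escapeChildren ? escapeHtml($branch) : $branch;
}

// Constructed attacker-controlled input for the demonstration.
$hostileAttributes = ['class' => 'btn', 'x onmouseover=alert(1) data-y' => 'z'];
$hostileContent    = '<img src=x onerror=alert(1)>';

// Vulnerable: the crafted key becomes a live onmouseover attribute and the
// content argument lands in the page unescaped.
echo renderTagVulnerable('a', $hostileAttributes, $hostileContent), PHP_EOL;

// Hardened: the crafted key is rejected outright ...
try {
    renderTagHardened('a', $hostileAttributes, $hostileContent);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// ... and with a clean key the content argument is escaped like a child node.
echo renderTagHardened('a', ['class' => 'btn'], $hostileContent), PHP_EOL;

// Condition: "then" with markup is escaped by default; escapeChildren=false
// is the explicit opt-out a ViewHelper author has to take.
echo renderCondition(true, $hostileContent, ''), PHP_EOL;
echo renderCondition(true, $hostileContent, '', false), PHP_EOL;
```

Run it with `php example.php`. The first line of output carries a real `onmouseover=alert(1)` attribute and a raw `<img ... onerror=...>` body; the hardened calls reject the hostile key and emit the content as `&lt;img ...&gt;`. The allowlist matters because escaping the name only neutralises `<`, `>`, `&` and quotes; the HTML tokenizer still ends an attribute name at whitespace and starts a value at `=`, so a key such as `x onmouseover=alert(1) data-y` would survive escaping intact.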
1 parent f5c4593, commit f20db4e
Showing 12 changed files with 275 additions and 68 deletions.
Note: Those signature changes are actually breaking (see https://travis-ci.com/github/neos/flow-development-collection/jobs/441172242#L1188), because downstream extensions of this class with those methods need to be changed in a way that cannot be made b/c. So they need to target 2.6.10 minimum.