Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Function argument names not escaped #2624

Closed
NeilFraser opened this issue Jul 9, 2019 · 1 comment
Closed

Function argument names not escaped #2624

NeilFraser opened this issue Jul 9, 2019 · 1 comment
Labels
component: functions type: regression
Milestone
2019_q2_release

Comments

@NeilFraser
Copy link
Contributor

blocks/procedures.js line 175 is vulnerable to injection:

          '  <field name="NAME">' + this.arguments_[i] + '</field>' +

Create a function argument called <>, close the mutator, and reopen the mutator. Mutator crashes.

@BeksOmega In general, this is why XML (and HTML) should be built up node by node, rather than as dynamically-generated strings (with a comment above to show what the goal XML should be, since node building is not easily legible).
@RoboErikG RoboErikG added this to the 2019_q2_release milestone Jul 10, 2019
@BeksOmega BeksOmega mentioned this issue Jul 10, 2019
Merged
3 tasks
@NeilFraser
Copy link
Contributor Author

Thanks for the quick patch!

@rachel-fenichel rachel-fenichel mentioned this issue Jul 15, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: functions type: regression
Projects
None yet
Milestone
2019_q2_release
Development

No branches or pull requests
2 participants
@NeilFraser @RoboErikG