Probably a security issue if you write #13290

Open
halvid opened this Issue Feb 14, 2017 · 6 comments

Projects

None yet

3 participants

@halvid
halvid commented Feb 14, 2017 edited

Summary

If you write in the description field of a template element something like <base href="...." />, then MODX manager does not redirect correctly because it uses descriptions base url as a base url.

Step to reproduce

Create or update a template and type in the comment field <base href="[[!++site_url]]" />
Save it

Observed behavior

Create or edit a document and try to change the template.
Then once the page reloads you will forced to a wrong url that will include [[!++site_url]]

Expected behavior

It should reload the page you are loading

Environment

Latest modx version (also occurred in some versions before )

@Mark-H
Collaborator
Mark-H commented Feb 14, 2017

@halvid If you have information about a security issue, please email it to security@modx.com.

@sottwell
Contributor
sottwell commented Feb 14, 2017 edited

Doesn't happen to me, neither on localhost nor on a MODX Cloud installation. I think something is missing in your post content.

@Mark-H
Collaborator
Mark-H commented Feb 14, 2017

With the updated issue description I can reproduce.

@Mark-H Mark-H added a commit to Mark-H/revolution that referenced this issue Feb 14, 2017
@Mark-H Mark-H Encode HTML in the template description to prevent potential XSS [#13290
]
9310f41
@Mark-H
Collaborator
Mark-H commented Feb 14, 2017

Fix in #13291.

@sottwell
Contributor
sottwell commented Feb 14, 2017 edited

That's a weird one. What does the description have to do with the URL?

@halvid
halvid commented Feb 14, 2017 edited

My guess is that it has something to do with Ext JS. When we debuged the issue we found that when the page reloads the json feed includes the base url tag

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment