
Relateditems pattern XSS fix #629

Merged
merged 6 commits into from Feb 11, 2016

Conversation

metatoaster
Member

The embedded template uses <%= value %> for everything, which enables XSS attacks. Replaced all of this with <%- value %> and made a note for <%= item %>, as that contains markup generated by the breadCrumbs template. Requires pull request #628 as I need all existing tests to run, because overzealous cleansing broke breadCrumbs, heh.

As an aside, should better review be in place in the first place to actually not let tests be removed without proper explanation? Also maybe need some automated audit of the usage of the <%= value %> syntax as part of the tests, because I don't like XSS in my CMS. Though this second part is a difficult requirement to address at the moment as I see it.

- Rather than silently drop them, make a note of them to actually get
  that handled later.
- This patches up the test data with a function to add in the expected
  fields to not cause rendering errors.
- Also included is the patch to search helper function with the dummy
  json provider to restore the search by folder functionality as per
  upgrade in Products.CMFCore.
- Remove the skip designation for all affected tests within the
  relateditems pattern.

Side note:
- These "attributes" need to be really documented somewhere to either
  ensure third-party users can use this, or tell them not to.
- Also for the structure selection well XSS fix.
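To make the difference between the two delimiters concrete, here is an added example (not mockup's own code, and not the author's) of a minimal underscore-style template renderer: `<%- expr %>` HTML-escapes the value, `<%= expr %>` inserts it raw. It also includes the kind of automated audit the description asks for, a helper that lists every unescaped `<%= %>` interpolation in a template source except an explicit allow-list (here `item`, which the PR notes carries intentional breadcrumb markup). The function names, the regexes and the sample catalog item are all assumptions constructed for this example.

```javascript
// Added example, not part of the mockup project: an underscore-style template
// renderer with the two interpolation forms discussed in this PR, plus an
// audit helper that flags unescaped <%= %> usage in template source.

// Map of characters that must be escaped when text is placed into HTML.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Escape a value so the browser treats it as text rather than markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Render a template against `data`.
//   <%- name %>  -> escaped interpolation (safe for untrusted strings)
//   <%= name %>  -> raw interpolation (only for markup you already trust)
// Names may be dotted paths such as "item.Title".
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, mode, name) => {
    const value = name.split('.').reduce(
      (obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Audit a template source and return the names interpolated with <%= %>
// that are not on the allow-list. Run over every template in a test suite,
// a non-empty result means an unescaped value slipped in.
function auditUnescaped(template, allowed = ['item']) {
  const findings = [];
  const re = /<%=\s*([\w.]+)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (!allowed.includes(m[1])) findings.push(m[1]);
  }
  return findings;
}

// Constructed sample: a catalog result whose Title contains markup characters.
const sampleItem = { Title: 'Q1 <b>report</b> & "notes"', path: '/plone/news' };

// Before the fix: the title's markup is emitted into the page as-is.
const vulnerableTemplate = '<li><%= Title %> (<%= path %>)</li>';
// After the fix: every untrusted value is escaped.
const fixedTemplate = '<li><%- Title %> (<%- path %>)</li>';

console.log(render(vulnerableTemplate, sampleItem));
console.log(render(fixedTemplate, sampleItem));
console.log('unescaped:', auditUnescaped(vulnerableTemplate));
```

Running `auditUnescaped` over each pattern's template in the test suite gives the automated check the description wishes for: any `<%= %>` that is not on the allow-list fails the build, and the allow-list itself documents which interpolations are expected to carry pre-rendered markup.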
@metatoaster metatoaster changed the title Relateditems pattern xss fix + uncommented all tests Relateditems pattern XSS fix + uncommented all tests Feb 11, 2016
@metatoaster metatoaster changed the title Relateditems pattern XSS fix + uncommented all tests Relateditems pattern XSS fix Feb 11, 2016
vangheem added a commit that referenced this pull request Feb 11, 2016
@vangheem vangheem merged commit 2edb615 into master Feb 11, 2016
@vangheem vangheem deleted the relateditems-xss-fix branch February 11, 2016 13:28
@vangheem
Member

Thanks for this. I will say, if we have XSS in our catalog results for urls and paths, we have other issues...

@metatoaster
Member Author

Yes, found this out while doing my own QA on #618. This was not a fun one for me.
