
Fix missing escaping (possible XSS) of category names in the Backend

Entry Admin, which would allow editors that create a forged
category name to attack other editors in the backend (privileged
access to the backend required).
Thanks a lot to Edric Teo for reporting this issue.
garvinhicking committed Mar 12, 2015
1 parent eb7d9c8 commit a30886d3bb9d8eeb6698948864c77caaa982435d
Showing with 7 additions and 1 deletion.
  1. +6 −0 docs/NEWS
  2. +1 −1 templates/2k11/admin/entries.tpl
@@ -3,6 +3,12 @@
Version 2.0.1 ()
------------------------------------------------------------------------

* Fix missing escaping (possible XSS) of category names in the Backend
Entry Admin, which would allow editors that create a forged
category name to attack other editors in the backend (privileged
access to the backend required).
Thanks a lot to Edric Teo for reporting this issue.

* Improved detection for possible upgrade/plugin/PHP errors. A
warning will be emitted on the dashboard, when the Serendipity
JavaScript-library could not be loaded.
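Review bot: the NEWS entry does not say which template set was patched, while this commit touches only templates/2k11/admin/entries.tpl; name that file in the entry (for example "... in the Backend Entry Admin (templates/2k11/admin/entries.tpl)") and state whether other admin templates that print category names were checked, so operators running a customised admin theme know where to apply the same `|escape`.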
@@ -141,7 +141,7 @@
<span class="cat_view_pad">{$entry_cat.depth_pad}</span>
<input id="serendipity_category_{$entry_cat.categoryid}" name="serendipity[categories][]" type="checkbox" value="{$entry_cat.categoryid}"{if $entry_cat.is_selected} checked="checked"{/if}>

<label for="serendipity_category_{$entry_cat.categoryid}">{$entry_cat.category_name}</label>
<label for="serendipity_category_{$entry_cat.categoryid}">{$entry_cat.category_name|escape}</label>
</div>
{/foreach}
</fieldset>
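Review bot: the `|escape` added on the `<label>` line covers `category_name` as element content (Smarty's default escape type is html, so `<`, `>`, `&` and quotes are encoded), but the neighbouring `{$entry_cat.depth_pad}` in the span and `{$entry_cat.categoryid}` in the `id`, `for` and `value` attributes on the same lines are still emitted raw; if `categoryid` is an integer from the database and `depth_pad` is server-generated padding that is fine, but confirm it in the PHP that builds `$entry_cat`, otherwise escape them the same way. A regression check is cheap here: create a category named `<img src=x onerror=alert(1)>` and verify the entry editor renders the label as literal text.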
