
SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages
chillu committed Jan 31, 2012
1 parent 84f47f5 commit 5fe7091dffa33a161cbc74ae7e73ab8ae4fa144b
Showing with 2 additions and 2 deletions.
  1. +2 −2 core/control/FormResponse.php
@@ -148,8 +148,8 @@ static function get_page($id, $form = 'Form_EditForm', $uniquenessID = null) {
* @param $status string
*/
static function status_message($message = "", $status = null) {
$JS_message = Convert::raw2js($message);
$JS_status = Convert::raw2js($status);
$JS_message = Convert::raw2js(Convert::raw2xml($message));
$JS_status = Convert::raw2js(Convert::raw2xml($status));
if(isset($JS_status)) {
self::$status_messages[$JS_status] = "statusMessage('{$JS_message}', '{$JS_status}');";
} else {
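Review bot: the encoding order in the two replaced assignments is the right one (Convert::raw2xml() first, then Convert::raw2js()), since the value ends up inside a JS string literal that statusMessage() later treats as HTML: the inner HTML escape neutralises markup, the outer JS escape keeps quotes and line breaks from terminating the literal, and the entities still display as the original characters once rendered. One thing to check: `if(isset($JS_status))` only distinguishes null, and `$JS_status` is now always the result of `Convert::raw2js(Convert::raw2xml($status))`; unless Convert::raw2xml(null) returns null rather than an empty string, the `else` branch can no longer be reached for a null `$status`. Testing `$status !== null` before encoding would keep the intended behaviour. Also note that `self::$status_messages[$JS_status]` now keys the array by the encoded status, so any code that looks entries up by the raw status value needs the same encoding.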

1 comment on commit 5fe7091

@sminnee


Member

commented on 5fe7091 Jan 31, 2012

Looks good, as long as we acknowledge that statusMessage expects HTML not text.
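To make the point of the commit and of the comment above concrete, here is an added example (not SilverStripe's own code; the helper names `html_escape`, `js_string_escape`, `status_message_before` and `status_message_after` are stand-ins for Convert::raw2xml(), Convert::raw2js() and the two versions of status_message(), and the page title is constructed). It generates the `statusMessage(...)` call before and after the fix for a title that contains markup, showing that escaping for the HTML context first and for the JS string context second leaves a value that is inert in both, while still rendering as the original text once statusMessage() inserts it as HTML.

```php
<?php
// Added example, not the SilverStripe Convert class: minimal stand-ins for
// Convert::raw2xml() and Convert::raw2js() to show why the encoding order
// chosen in the commit matters. Helper names are assumptions.

// HTML-context escaping: '<', '>', '&' and both quote types become entities.
function html_escape($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// JS string-literal escaping: backslash, both quote types and line breaks.
function js_string_escape($value) {
    return str_replace(
        array('\\', "'", '"', "\n", "\r"),
        array('\\\\', "\\'", '\\"', '\\n', '\\r'),
        (string) $value
    );
}

// Before the commit: only the JS-literal escape is applied. The markup inside
// the message survives into the generated call, and because statusMessage()
// treats its argument as HTML (the point raised in the comment above), a page
// title containing tags is rendered as markup rather than as text.
function status_message_before($message) {
    return "statusMessage('" . js_string_escape($message) . "');";
}

// After the commit: HTML-escape first, then JS-escape. The result can neither
// break out of the single-quoted JS literal nor introduce elements when it is
// later inserted as HTML; the entities display as the original characters.
function status_message_after($message) {
    return "statusMessage('" . js_string_escape(html_escape($message)) . "');";
}

// Constructed page title containing markup and quotes (not a real title).
$title = 'Successfully published <b>Home & "About" page</b>';

echo status_message_before($title), "\n";
echo status_message_after($title), "\n";

// Defensive check a unit test could carry: the fixed output contains no raw
// '<' and no single quote that is not preceded by a backslash.
function is_inert_in_both_contexts($generated) {
    return strpos($generated, '<') === false
        && !preg_match("/(?<!\\\\)'[^;]/", substr($generated, strlen("statusMessage('")));
}

var_dump(is_inert_in_both_contexts(status_message_after($title)));
```

Run with `php example.php`. The same property holds for any message, not only page titles: whenever a server-side string is written into a JS call that later lands in the DOM as HTML, it needs both escapes, innermost context (HTML) first and outermost context (the JS literal) second, which is exactly the nesting the commit introduces.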
