Bug description
Saving an entry shows a toasty with an error message of «ReferenceError: text is not defined» (text depends on the fieldname).
Error happens on this line
cms/resources/js/components/publish/Values.js
Line 77 in 24aca57
as jsPath reassembles something like values.breaking-text.
How to reproduce
Create a blueprint with a Bard field having a handle breaking-text.
Create an entry
Click save
Better don't ask what happens when handle is bard_field;alert("hacked").
This is a stored XSS issue as you can put any JS code in the handle!
Logs
ReferenceError: text is not defined
This started to happen somewhere around Statamic 3.3.40 I would say and is still valid in 3.4.
In earlier versions (incl. v2) this was not an issue.
Environment
Installation
Fresh statamic/statamic site via CLI
Antlers Parser
runtime (new)
Additional details
No response
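The failure mode reported above, as an added example that is not part of the original issue and is not Statamic's code. It assumes the dotted path string is evaluated as a JavaScript expression, which is what the ReferenceError suggests; unsafeGet, safeGet, unsafeError and the sample values object are hypothetical names constructed for illustration.

```javascript
'use strict';

// Constructed sample data: field handles as an editor could define them.
const values = {
  'breaking-text': 'hello',
  'bard_field;alert("hacked")': 'just a key',
  nested: { 'breaking-text': 'inner' },
};

// Assumed vulnerable pattern: build a dotted path string from the handle
// and evaluate it as a JavaScript expression.
function unsafeGet(data, handle) {
  const jsPath = 'values.' + handle; // e.g. values.breaking-text
  return new Function('values', 'return ' + jsPath)(data);
}

// Hardened pattern: each handle is only ever used as a property key.
// Segments arrive as an array, so the handle text is never parsed as code.
function safeGet(data, segments) {
  let node = data;
  for (const key of segments) {
    const isObject = node !== null && typeof node === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined; // missing path: no exception, no evaluation
    }
    node = node[key];
  }
  return node;
}

// Returns "Name: message" for the error raised by the unsafe variant, or null.
function unsafeError(data, handle) {
  try {
    unsafeGet(data, handle);
    return null;
  } catch (e) {
    return e.name + ': ' + e.message;
  }
}

// values.breaking-text is parsed as (values.breaking) - (text).
console.log(unsafeError(values, 'breaking-text'));
// The same handles are plain data for the key-based lookup.
console.log(safeGet(values, ['breaking-text']));
console.log(safeGet(values, ['bard_field;alert("hacked")']));
console.log(safeGet(values, ['nested', 'breaking-text']));
```
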