Reconsider escaping strategy modification when Markdown support is enabled
Target version: Release 2.5.3
Google Code Legacy ID:
Tested version: 2.5, 2.6
When we implemented the Markdown support in 2.5, the escaping strategy was causing problems rendering it. Since Parsedown is running in safe mode in most of the cases, we decided to disable the escaping strategy when Markdown is enabled. Nevertheless, we are not manually escaping all user inputs and it's hard to find all the places where the user input is passed to the templates. Therefore, some XSS vulnerabilities have been found in the latest releases.
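As an added illustration of the trade-off the description is about (this is not AtoM's or Parsedown's code): a minimal template renderer with a global escaping strategy, and a toy Markdown subset standing in for Parsedown in safe mode. It shows the three outcomes in play: escaping switched off so Markdown output renders but every other field reaches the page raw; escaping on with Markdown output double-escaped (the rendering problem that motivated switching it off); and escape-by-default where only the sanitizer's own output is marked as already safe. The `{{ name }}` template syntax, the `SafeHtml` marker, `markdown_to_html` and the sample field values are all constructed for the example.

```python
import html
import re


class SafeHtml(str):
    """Marker type: the value is already HTML, produced by a trusted sanitizer."""


def escape_for_html(value):
    """Escape anything that has not been explicitly marked as safe HTML."""
    if isinstance(value, SafeHtml):
        return str(value)
    return html.escape(str(value), quote=True)


def render_template(template, context, escaping_enabled=True):
    """Substitute {{ name }} placeholders; the escaping strategy applies to every variable when enabled."""
    def substitute(match):
        value = context[match.group(1)]
        return escape_for_html(value) if escaping_enabled else str(value)
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)


_ALLOWED_URL = re.compile(r"^(https?://|mailto:)", re.IGNORECASE)


def markdown_to_html(text):
    """Toy 'safe mode' Markdown: escape all raw HTML in the input first, then emit only known tags.

    Hypothetical stand-in for Parsedown with safe mode on; supports **bold** and [label](url) only.
    """
    out = html.escape(text, quote=True)
    out = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", out)

    def link(match):
        label, url = match.group(1), match.group(2)
        if not _ALLOWED_URL.match(url):
            url = "#"  # unknown schemes (javascript:, data:, ...) are neutralised
        return f'<a href="{url}">{label}</a>'

    return re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", link, out)


# Constructed sample data: one plain-text field and one Markdown field, both attacker-controlled.
TEMPLATE = '<h1>{{ title }}</h1><div class="notes">{{ notes }}</div>'
HOSTILE_TITLE = "<script>alert(1)</script>"
NOTES = ("See **finding aid** <script>alert(1)</script> "
         "[docs](https://example.org/guide) [help](javascript:alert%281%29)")


def render_escaping_disabled():
    """The 2.5 approach: Markdown renders, but the non-Markdown title is emitted raw."""
    context = {"title": HOSTILE_TITLE, "notes": markdown_to_html(NOTES)}
    return render_template(TEMPLATE, context, escaping_enabled=False)


def render_double_escaped():
    """Escaping on, but the sanitizer's HTML is not marked safe, so <strong> shows up as text."""
    context = {"title": HOSTILE_TITLE, "notes": markdown_to_html(NOTES)}
    return render_template(TEMPLATE, context, escaping_enabled=True)


def render_hardened():
    """Escape by default; only the sanitized Markdown output is exempted via the marker type."""
    context = {"title": HOSTILE_TITLE, "notes": SafeHtml(markdown_to_html(NOTES))}
    return render_template(TEMPLATE, context, escaping_enabled=True)


if __name__ == "__main__":
    print("disabled:", render_escaping_disabled())
    print("double:  ", render_double_escaped())
    print("hardened:", render_hardened())
```

The hardened form keeps the global strategy in place, so a template variable that nobody remembered to escape by hand is still safe; the exemption is narrowed to values produced by the sanitizer, which is the only place where a decision about raw HTML is actually made.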
#6 Updated by Dan Gillean over 2 years ago
- Status changed from QA/Review to Verified
- Assignee deleted (
While we have identified a number of pre-existing bugs in the Permissions module, fixing them is beyond the scope of this issue - for more details, see: #13205, and the related issues attached to it.