Task #13192

Reconsider escaping strategy modification when Markdown support is enabled

Added by José Raddaoui Marín 10 months ago. Updated 9 months ago.

Status: Verified
Start date: 09/27/2019
Priority: Critical
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: Release 2.5.3
Google Code Legacy ID:
Tested version: 2.5, 2.6
Sponsored: No
Requires documentation:

Description

When we implemented the Markdown support in 2.5, the escaping strategy was causing problems rendering it. Since Parsedown is running in safe mode in most cases, we decided to disable the escaping strategy when Markdown is enabled. Nevertheless, we are not manually escaping all user inputs, and it's hard to find all the places where user input is passed to the templates. Therefore, some XSS vulnerabilities have been found in the latest releases.

History

#1 Updated by José Raddaoui Marín 10 months ago

  • Target version deleted (Release 2.5.2)

#2 Updated by José Raddaoui Marín 10 months ago

  • Status changed from In progress to Code Review
  • Assignee changed from José Raddaoui Marín to David Juhasz

#3 Updated by Dan Gillean 10 months ago

  • Target version set to Release 2.5.3

#4 Updated by José Raddaoui Marín 10 months ago

  • Status changed from Code Review to QA/Review
  • Assignee changed from David Juhasz to Dan Gillean

Merged in qa/2.6.x.

#5 Updated by José Raddaoui Marín 10 months ago

Cherry-picked to stable/2.5.x.

#6 Updated by Dan Gillean 9 months ago

  • Status changed from QA/Review to Verified
  • Assignee deleted (Dan Gillean)

While we have identified a number of pre-existing bugs in the Permissions module, fixing them is beyond the scope of this issue - for more details, see: #13205, and the related issues attached to it.

#7 Updated by Dan Gillean 9 months ago

  • Private changed from Yes to No
