Feature #7647
Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits
| Status: | Verified | Start date: | 12/03/2014 |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | Dan Gillean | % Done: | 0% |
| Category: | Security | | |
| Target version: | Release 2.2.0 | | |
| Google Code Legacy ID: | | Tested version: | 2.2 |
| Sponsored: | Yes | Requires documentation: | |
Related issues
History
#2 Updated by David Juhasz over 7 years ago
- Subject changed from Enable sf1 escaping_strategy to Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits
Enable symfony 1.x entity escaping mechanism. Fix bugs where entity escaping is not desirable (e.g. routing).
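The two halves of the comment above, as an added example that is not AtoM's or symfony's own code: entity-escaping text that is rendered into HTML (what symfony 1.x's `escaping_strategy` does for view variables) while leaving route parameters to percent-encoding, since entity escaping is wrong for URLs. The function names `escapeForHtml` and `escapeForUrlSegment`, the sample strings and the `/items/` path prefix are all assumptions made for the illustration.

```php
<?php
// Added example (not AtoM/symfony code). Shows why "<", ">", '"', "&" must be
// entity-escaped before untrusted text is placed in HTML, and why the same
// treatment is not applied to values that end up in a route.

// HTML context: convert the characters that can close an attribute or open a
// tag. ENT_QUOTES also converts single quotes, so the value is safe in both
// double- and single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop output).
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL context (routing): entity escaping would corrupt the path, so a route
// parameter gets percent-encoding instead. This is the "not desirable" case.
function escapeForUrlSegment(string $value): string
{
    return rawurlencode($value);
}

// Constructed sample: a user-supplied description carrying markup and quotes.
$untrusted = '<script>alert("x")</script> Smith & Sons';

$html = escapeForHtml($untrusted);

// Check a reviewer would make: no raw tag or attribute delimiters survive,
// and decoding the entities gives back exactly the original text.
assert(strpos($html, '<') === false && strpos($html, '"') === false);
assert(html_entity_decode($html, ENT_QUOTES, 'UTF-8') === $untrusted);

// Rendered into text and into an attribute: both stay inert.
printf("<p>%s</p>\n", $html);
printf("<input type=\"text\" value=\"%s\">\n", $html);

// The same kind of value used as a route parameter (constructed path prefix):
// percent-encoded, never entity-escaped, so the route still resolves.
$slug = 'Smith & Sons';
printf("/items/%s\n", escapeForUrlSegment($slug));
```

Run it with `php example.php`; the printed markup contains only `&lt;`, `&gt;`, `&quot;` and `&amp;` where the input had delimiters, while the route line carries `%26` and `%20`. Whichever template helper the application uses, the rule to enforce is the same one this ticket enabled globally: escape by context at output time, and opt out only for values that are going somewhere other than HTML.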
#3 Updated by Jesús García Crespo over 7 years ago
- Status changed from In progress to QA/Review
- Assignee changed from Jesús García Crespo to Dan Gillean
- Requires documentation changed from No to Yes
Fixed in https://github.com/artefactual/atom/commit/0fb9a592a32d5c6215ecd606b530ddc7013e2b4b.
Pull request: https://github.com/artefactual/atom/pull/76. See also #7699.
#4 Updated by Dan Gillean about 7 years ago
- Status changed from QA/Review to Verified
This was rigorously tested in a separate site before merging. Having been merged now for over a month, I have not found any regressions that I can tie to this. I did some basic testing of several of the entities to confirm the merge, and the described entities are still being escaped. Going to consider this verified.
#5 Updated by Dan Gillean about 7 years ago
- Tested version 2.2 added
#6 Updated by Dan Gillean about 7 years ago
- Requires documentation deleted (Yes)
New section on this added to static pages documentation in 2.2 branch.
Configuration documentation for the app.yml file updated here:
#7 Updated by Dan Gillean over 6 years ago
- Related to Task #8574: Create script to scrub tags from content added
#8 Updated by Dan Gillean over 6 years ago
- Related to Bug #8912: Source text provided for context in translation edit template does not escape HTML added