Feature #7647

Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits

Added by Jesús García Crespo over 5 years ago. Updated about 5 years ago.

Status: Verified
Start date: 12/03/2014
Priority: Medium
Due date:
Assignee: Dan Gillean
% Done: 0%
Category: Security
Target version: Release 2.2.0
Google Code Legacy ID:
Tested version: 2.2
Sponsored: Yes
Requires documentation:

Related issues

Related to Access to Memory (AtoM) - Task #8574: Create script to scrub tags from content Verified 06/17/2015
Related to Access to Memory (AtoM) - Bug #8912: Source text provided for context in translation edit temp... New 09/03/2015

History

#2 Updated by David Juhasz over 5 years ago

  • Subject changed from Enable sf1 escaping_strategy to Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits

Enable symfony 1.x entity escaping mechanism. Fix bugs where entity escaping is not desirable (e.g. routing).
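
An added example (not AtoM's or symfony's own code) of what the change in this ticket amounts to: symfony 1.x's `escaping_strategy` wraps template variables in an output escaper whose default method, ESC_SPECIALCHARS, is htmlspecialchars() with ENT_QUOTES. The block below reproduces that escaper, puts a vulnerable template beside the escaped one for a constructed payload, and shows the routing caveat from the comment above: a URL that is escaped before it reaches the attribute sink gets double-encoded and its parameters break. The route path and the field names are hypothetical; only the escaping behaviour is the point.

```php
<?php
// Added example, not code from the AtoM project or from symfony 1.x.
declare(strict_types=1);

/**
 * Equivalent of symfony 1.x ESC_SPECIALCHARS: htmlspecialchars() with
 * ENT_QUOTES. The ticket names four entities (< > " &); ENT_QUOTES also
 * encodes the single quote, without which a value placed in a
 * single-quoted attribute can still break out. ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable template: value interpolated raw (escaping_strategy off). */
function renderUnescaped(string $title): string
{
    return "<h1>$title</h1>";
}

/** Hardened template: value escaped at the HTML sink (escaping_strategy on). */
function renderEscaped(string $title): string
{
    return '<h1>' . esc($title) . '</h1>';
}

/**
 * Correct order: build the URL from raw values, then escape the finished
 * URL exactly once where it lands in the href attribute. The & separating
 * query parameters becomes &amp;, which the browser decodes back to &.
 */
function linkTo(string $path, array $params): string
{
    $url = $path . '?' . http_build_query($params);
    return '<a href="' . esc($url) . '">link</a>';
}

/**
 * The routing caveat: if the value was already escaped when it was fed
 * into URL building (e.g. escaped request parameters), escaping again at
 * the attribute turns &amp; into &amp;amp; and the second parameter is
 * lost. Escaping must happen at the output layer, not before routing.
 */
function linkToDoubleEscaped(string $path, array $params): string
{
    $url = $path . '?' . http_build_query($params);
    $escapedTooEarly = esc($url);
    return '<a href="' . esc($escapedTooEarly) . '">link</a>';
}

// Constructed sample input; hypothetical route path, not an AtoM route.
$payload = '<script>alert(1)</script>';
$path    = '/example/browse';
$params  = ['query' => 'a&b', 'page' => '2'];

echo renderUnescaped($payload), PHP_EOL;
echo renderEscaped($payload), PHP_EOL;
echo linkTo($path, $params), PHP_EOL;
echo linkToDoubleEscaped($path, $params), PHP_EOL;
```

Run with `php example.php`: the first line contains a live `<script>` element, the second renders the same payload as text (`&lt;script&gt;...`), the third link carries `&amp;page=2` which the browser decodes correctly, and the fourth carries `&amp;amp;page=2`, so the page parameter never reaches the application. In symfony 1.x the switch lives in `settings.yml` (`escaping_strategy` and `escaping_method`); the AtoM-specific configuration is the one comment #6 below says was documented for app.yml.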

#3 Updated by Jesús García Crespo over 5 years ago

  • Status changed from In progress to QA/Review
  • Assignee changed from Jesús García Crespo to Dan Gillean
  • Requires documentation changed from No to Yes

#4 Updated by Dan Gillean over 5 years ago

  • Status changed from QA/Review to Verified

This was rigorously tested in a separate site before merging. Having been merged now for over a month, I have not found any regressions that I can tie to this. I did some basic testing of several of the entities to confirm the merge, and the described entities are still being escaped. Going to consider this verified.

#5 Updated by Dan Gillean over 5 years ago

  • Tested version 2.2 added

#6 Updated by Dan Gillean about 5 years ago

  • Requires documentation deleted (Yes)

New section on this added to static pages documentation in 2.2 branch. Configuration documentation for app.yml file updated here:

#7 Updated by Dan Gillean almost 5 years ago

  • Related to Task #8574: Create script to scrub tags from content added

#8 Updated by Dan Gillean almost 5 years ago

  • Related to Bug #8912: Source text provided for context in translation edit template does not escape HTML added
