CMS CONTENIDO / CON-2175

Facebook modules do not escape variables properly

    Details

      Description

      Module content_fb_embeddedpost / CMS_LINK does not escape the URL. Use conHtmlSpecialChars on $url in the module's PHP output.

      Steps to reproduce:
      Enter a URL containing special characters such as "<"; it is interpreted as HTML in the editor.

      Module script_fb_channel:
      The variable $locale is not escaped. Use conHtmlSpecialChars to escape it.

      Steps to reproduce:
      Look at the module and where $locale comes from. Insert a special character such as "<" into the source and check the result.

      Module script_fb_sdk:
      Variables in the templates could be escaped using Smarty's escape modifier. See http://www.smarty.net/docs/en/language.modifier.escape.tpl (please note the "javascript" value).
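The three cases above, as an added PHP example that is not CONTENIDO's module code: the markup, the sample values and the helper names escHtml/escJs are assumptions, and escHtml stands in for conHtmlSpecialChars, which is assumed here to behave like PHP's htmlspecialchars. It shows HTML-attribute escaping for $url and $locale, and a PHP counterpart of Smarty's escape:'javascript' for a value placed inside a script block.

```php
<?php
// Added example: output escaping per context. All input values are constructed.

// Stand-in for CONTENIDO's conHtmlSpecialChars() (assumed to wrap htmlspecialchars()).
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: returns a complete JS string literal, quotes included,
// in which <, >, &, ' and " are emitted as \uXXXX so the value can neither end the
// literal nor close the surrounding <script> element.
function escJs(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Constructed editor input containing the special characters from the report.
$url    = 'https://www.facebook.com/example/posts/1"><b>markup</b>';
$locale = 'en_US"><i>x</i>';
$appId  = "123';</script><b>x</b>";

// Before the fix: raw interpolation, so the <b> element becomes part of the page.
$before = '<div class="fb-post" data-href="' . $url . '"></div>';

// content_fb_embeddedpost: $url sits in an HTML attribute, so HTML-escape it.
$embedded = '<div class="fb-post" data-href="' . escHtml($url) . '"></div>';

// script_fb_channel: $locale is part of a src attribute, HTML-escape it as well.
$channel = '<script src="//connect.facebook.net/' . escHtml($locale) . '/all.js"></script>';

// script_fb_sdk: the value sits inside JavaScript, where HTML escaping is the wrong
// tool; this is the context Smarty's escape:'javascript' addresses.
$sdk = '<script>var fbAppId = ' . escJs($appId) . ';</script>';

$rows = ['before' => $before, 'embedded' => $embedded, 'channel' => $channel, 'sdk' => $sdk];
foreach ($rows as $label => $markup) {
    printf("%-9s %s\n", $label . ':', $markup);
}
```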

              People

              • Assignee:
                thomas.stauer Thomas Stauer
                Reporter:
                thomas.stauer Thomas Stauer