  1. CMS CONTENIDO
  2. CON-2219

Content injection in backend using module template filenames

      Description

      JS injection on unix systems is possible:
      Try filename: test2"<aa.html

      Microsoft Windows does not allow " in filenames, and &quot; is not unescaped to ", so Windows is not affected.

      Check markup and escape content properly.
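
The escaping the report asks for, as an added example that is not CONTENIDO's own code. It assumes, hypothetically, that the backend renders each module template file name into an `<option>` element; the function names and the sample file list are constructed for illustration. The reported file name is rendered with and without output escaping, and the markup is parsed back to check that the name round-trips.

```php
<?php
declare(strict_types=1);

// Constructed sample: file names as a directory listing could return them on a
// Unix file system, including the one from the report.
$templateFiles = ['default.html', 'test2"<aa.html'];

// Escape for HTML text and quoted-attribute contexts.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: file name concatenated into markup unescaped (the reported pattern).
function renderOptionUnsafe(string $file): string
{
    return '<option value="' . $file . '">' . $file . '</option>';
}

// After: the same markup with the file name escaped at output time.
function renderOptionSafe(string $file): string
{
    $e = escapeHtml($file);
    return '<option value="' . $e . '">' . $e . '</option>';
}

// Regression check: parse the rendered markup and confirm that the value
// attribute and the text node both equal the original file name.
function roundTrips(string $markup, string $file): bool
{
    libxml_use_internal_errors(true); // broken markup must not emit warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><select>' . $markup . '</select>');
    libxml_clear_errors();
    $option = $doc->getElementsByTagName('option')->item(0);
    return $option !== null
        && $option->getAttribute('value') === $file
        && $option->textContent === $file;
}

foreach ($templateFiles as $file) {
    printf("%-16s unsafe=%s safe=%s\n", $file,
        var_export(roundTrips(renderOptionUnsafe($file), $file), true),
        var_export(roundTrips(renderOptionSafe($file), $file), true));
}
```

A round-trip check of this kind can run as a regression test over any backend view that prints file names, so a file name containing markup characters fails the test instead of altering the page.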

              People

              • Assignee: thomas.stauer
              • Reporter: thomas.stauer