Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[configuration] Escape values in config module #8901

Merged
merged 1 commit into from
Sep 28, 2023
Merged

[configuration] Escape values in config module #8901

merged 1 commit into from
Sep 28, 2023

Conversation

driusan
Copy link
Collaborator

@driusan driusan commented Sep 28, 2023

PR#8759 converted the escape module to use unsafeInsert/update to save data and prevent double escaping issues. The usages of the textarea were audited to make sure they were properly escaped, however the value is also displayed in the configuration module itself. Until the module is updated from smarty to react (PR#8471), they need to be escaped in the config module itself.

This adds escaping to the config module smarty template.

@driusan
[configuration] Escape values in config module
cb4445d 
PR#8759 converted the escape module to use unsafeInsert/update
to save data and prevent double escaping issues. The usages of
the textarea were audited to make sure they were properly escaped,
however the value is also displayed in the configuration module
itself. Until the module is updated from smarty to react (PR#8471),
they need to be escaped in the config module itself.

This adds escaping to the config module smarty template.
@driusan driusan added Category: Security PR or issue that aims to improve security Priority: High PR or issue should be prioritised over others for review and testing 25.0.0 - Bugs labels Sep 28, 2023
ridz1208
ridz1208 approved these changes Sep 28, 2023
View reviewed changes
Copy link
Collaborator

@ridz1208 ridz1208 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zaliqarosli with this i feel a bit safer implementing this on CBIGR. Other changes will have to be done to secure every usage of the different config settings

@driusan driusan merged commit 72bd0fd into aces:25.0-release Sep 28, 2023
19 checks passed
@ridz1208 ridz1208 added this to the 25.0.1 milestone Nov 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ridz1208 ridz1208 ridz1208 approved these changes

Assignees

@ridz1208 ridz1208

Labels
25.0.0 - Bugs Category: Security PR or issue that aims to improve security Priority: High PR or issue should be prioritised over others for review and testing
Projects
None yet
Milestone
25.0.1
Development

Successfully merging this pull request may close these issues.
2 participants
@driusan @ridz1208