 |
|
You are here: Foswiki>Tasks Web>Item845>CommentPlugin>Item13764 (10 Oct 2015, GeorgeClark)Edit Attach
Item13764: CommentPlugin should entity encode comments from guest users.
Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
Current State: Closed
Released In: 2.0.2
Target Release: patch
Action needed: Any customized CommentPlugin templates should be reviewed. If you allow guests to comment, then it is critical to change the template to prevent
injection of javascript or macros in anonymous comments.
In any output templates, change encode="off" to encode="$encodeguest". The CommentPlugin will replace the token with "off" for logged in users, and "entity" for guests.
Example template change:
-%TMPL:DEF{outputoneliner}% * %<nop>URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%
+%TMPL:DEF{outputoneliner}% * %<nop>URLPARAM{"comment" encode="$encodeguest"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%
ItemTemplate edit
| Summary | CommentPlugin should entity encode comments from guest users. |
| ReportedBy | GeorgeClark |
| Codebase | 2.0.1, 2.0.0 |
| SVN Range | |
| AppliesTo | Extension |
| Component | CommentPlugin |
| Priority | Security |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | distro:852bed78e9bf |
| TargetRelease | patch |
| ReleasedIn | 2.0.2 |
| CheckinsOnBranches | master |
| trunkCheckins | |
| masterCheckins | distro:852bed78e9bf |
| ItemBranchCheckins | |
| Release01x01Checkins |
Edit | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 10 Oct 2015, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy