
Item14287: Configure needs to encode reported configuration values.

Priority: Security
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Engine
Component: Configure
Branches: Release02x01 master Item14288 Item14380 Item14537
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
If a configure item contains things like image or other HTML tags, they get rendered in the changed Items report from the extensions installer, and in the before/after report from the configure Save wizard.

Reporting this as a security issue as it was reported by "somedude" as such in IRC and with a private message. An extension could inject javascript into the configure interface. -- GeorgeClark - 22 Jan 2017

I really don't think this is necessary. If a hacker is able to munge a .spec file and add HTML, then they are able to hack the content of the package and install much evil.

The patch doesn't hurt much, I just don't think there's much point to it.

-- Main.CrawfordCurrie - 23 Jan 2017 - 15:19

True. I pointed that out. His response was:
"other things are risky too" is a really bad counter-argument to a "this thing is generating bogus html"

I do recall ages ago that I was confused by the broken images in the report when I installed the ImagePlugin, so it is a bit cleaner even if not all that significant.

-- GeorgeClark - 23 Jan 2017
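As an added illustration, not code from Foswiki or from this task's patch: a Perl sketch of the before/after report rendered once raw, as the defect behaved, and once with every key and value HTML-encoded. The config keys and the image path are constructed, not real ImagePlugin settings.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# HTML-encode the characters that can start or end markup in text and
# attribute context. Stand-in for Foswiki's own helpers, not project code.
sub encode_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Render a before/after report as an HTML table, one row per changed key.
# $encode = 0 reproduces the defect: values are interpolated raw, so a value
# holding an <img> tag is rendered by the browser instead of being displayed.
# $encode = 1 is the fixed behaviour: the markup is shown literally.
sub render_changes {
    my ( $changes, $encode ) = @_;    # hashref: key => [ before, after ]
    my $esc = $encode ? \&encode_html : sub { defined $_[0] ? $_[0] : '' };
    my $html = "<table>\n<tr><th>Key</th><th>Before</th><th>After</th></tr>\n";
    for my $key ( sort keys %$changes ) {
        my ( $before, $after ) = @{ $changes->{$key} };
        $html .= sprintf "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
            $esc->($key), $esc->($before), $esc->($after);
    }
    return $html . "</table>\n";
}

# Constructed sample (not real ImagePlugin settings): one value carries an
# image tag, which is the kind of value that produced the broken images
# mentioned above.
my %changes = (
    '{Plugins}{ImagePlugin}{Enabled}' => [ 0, 1 ],
    '{ImagePlugin}{ExampleThumbnail}' => [ '', '<img src="/pub/example/thumb.png" />' ],
);

print "--- raw (defective) ---\n",  render_changes( \%changes, 0 );
print "--- encoded (fixed) ---\n",  render_changes( \%changes, 1 );
```

In the encoded output the second row shows `&lt;img src=&quot;/pub/example/thumb.png&quot; /&gt;` as text; in the raw output the browser would try to load the image, which is the broken-image symptom described in the task.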
 
Topic revision: r9 - 31 Jan 2018, GeorgeClark