faces/Mod_faces.php #1

Closed
opened 1 year ago by wago · 0 comments
wago commented 1 year ago

I believe we can inject javascript code into the page through:

```
$from = $_GET['from'];
$to = $_GET['to'];
```

faces.tpl:

```
...
<p id="faces_date_from">{{$faces_date_from}}</p>
<p id="faces_date_to">{{$faces_date_to}}</p>
...
```

Should probably use function notags or escape_tags in include/text.php? Or maybe a better way to avoid XSS.

(I don't think replace_macros alters the content fields?)

zot closed this issue 1 year ago
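The sink the issue describes, as an added example that is not code from Mod_faces.php or from the project: a stand-alone PHP script that simulates the `{{$faces_date_from}}` substitution with a plain `str_replace` (standing in for `replace_macros()`, on the reporter's assumption that it substitutes content fields verbatim), feeds it a constructed `$_GET` with a script tag in `from`, and shows the output three ways: as reported, after HTML output encoding with `htmlspecialchars`, and after validating the parameter as a `Y-m-d` date first. The project's own `escape_tags()` / `notags()` from include/text.php are deliberately not used so the file runs without the code base; `htmlspecialchars` is the stand-in for them.

```php
<?php
// Added example, not part of Mod_faces.php or the project's code base.
// Demonstrates why unescaped $_GET values in the faces template are an XSS
// sink and two ways to close it. Run with: php faces_xss_demo.php

// Constructed input standing in for ?from=...&to=... on the request.
$get = [
    'from' => '<script>alert(1)</script>',   // attacker-controlled value
    'to'   => '2024-01-31',                   // benign value
];

// Stand-in for the faces.tpl fragment quoted in the issue.
$template = '<p id="faces_date_from">{{$faces_date_from}}</p>' . "\n"
          . '<p id="faces_date_to">{{$faces_date_to}}</p>' . "\n";

// Minimal stand-in for replace_macros(): substitutes each {{$key}} verbatim,
// with no encoding, which is the reporter's assumption about content fields.
function render(string $tpl, array $vars): string {
    foreach ($vars as $k => $v) {
        $tpl = str_replace('{{$' . $k . '}}', $v, $tpl);
    }
    return $tpl;
}

// Output encoding for an HTML text context: encodes < > & " ' so that a
// value can never start a tag or attribute (stand-in for escape_tags()).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation: these parameters are dates, so reject anything that does
// not round-trip through a strict Y-m-d parse. Returns null on bad input.
function valid_date(?string $s): ?string {
    if ($s === null || $s === '') {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return ($d !== false && $d->format('Y-m-d') === $s) ? $s : null;
}

// 1. As reported: raw query parameters flow into the template untouched.
$vulnerable = render($template, [
    'faces_date_from' => $get['from'],
    'faces_date_to'   => $get['to'],
]);

// 2. Encode on output before the placeholder is substituted.
$escaped = render($template, [
    'faces_date_from' => esc($get['from']),
    'faces_date_to'   => esc($get['to']),
]);

// 3. Validate the shape of the value first, then still encode on output;
// the script payload is dropped entirely and only a real date survives.
$validated = render($template, [
    'faces_date_from' => esc((string) valid_date($get['from'])),
    'faces_date_to'   => esc((string) valid_date($get['to'])),
]);

echo "--- as reported (script tag reaches the page) ---\n", $vulnerable;
echo "--- htmlspecialchars on output ---\n", $escaped;
echo "--- validated as Y-m-d, then escaped ---\n", $validated;
```

The two fixes are complementary rather than alternatives: encoding on output is what actually prevents the injected markup from being parsed as HTML, while validating the parameter as a date keeps garbage out of whatever date arithmetic the module performs afterwards. Whichever helper the project settles on, the check to make is that the value is encoded for the context it lands in (here, HTML element content) at the point it enters the template.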