Database credentials are HTML-escaped #1135
Comments
@CraigChilds94, probably ban these characters from being entered? I don't like the idea of having someone's password as
@TheBrenny If the password is never output (which it shouldn't be anyway) it doesn't matter what the password is. But I think the fundamental issue is that Anchor-CMS currently HTML-escapes parameters as soon as they come in, although they should be escaped on output.
Good point. I'll look into this fairly soon, and have a chat to Craig to see if he's done a lot of work creating something of a fix. We'll determine the best method from there, but I like your idea. I don't know why I didn't think of that in the first place? 😹
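The distinction drawn in the comment above (escape at the output boundary, not at ingress) is easy to see with a small script. This is an added illustration in Python, not Anchor-CMS code; the password value and the db_connect stand-in are constructed for the example.

```python
import html

# Constructed sample: a database password containing every character that
# HTML-escaping rewrites (&, <, >, double quote, single quote).
REAL_DB_PASSWORD = 'p&ss<"w0rd>\''


def store_escaped_on_input(value: str) -> str:
    """Pattern the issue describes: escape as soon as the value arrives.
    The stored secret is now a different string from the one the user typed."""
    return html.escape(value, quote=True)


def store_raw(value: str) -> str:
    """Correct pattern: keep the secret verbatim; escaping is a rendering concern."""
    return value


def render_html(value: str) -> str:
    """Escape only at the point where the value is written into an HTML page."""
    return html.escape(value, quote=True)


def db_connect(stored_password: str, real_password: str) -> bool:
    """Stand-in for a database driver authenticating with the stored credential
    (constructed; a real driver would open a connection instead of comparing)."""
    return stored_password == real_password


def compare_patterns() -> dict:
    """Show the three observable consequences of escaping at ingress."""
    escaped_at_input = store_escaped_on_input(REAL_DB_PASSWORD)
    kept_raw = store_raw(REAL_DB_PASSWORD)
    return {
        # The escaped copy no longer matches the real password, so login fails.
        "connect_with_input_escaped": db_connect(escaped_at_input, REAL_DB_PASSWORD),
        # The raw copy still authenticates.
        "connect_with_raw": db_connect(kept_raw, REAL_DB_PASSWORD),
        # If the input-escaped value is ever rendered, it gets escaped twice
        # ("&amp;amp;"), which is a second symptom of escaping too early.
        "double_escaped_output": render_html(escaped_at_input),
        # Escaping once, at output, keeps the page safe and the text readable.
        "single_escaped_output": render_html(kept_raw),
    }


if __name__ == "__main__":
    for name, value in compare_patterns().items():
        print(f"{name}: {value!r}")
```

Escaping on output is sufficient for the HTML context; the secret itself should never be written into a page, but the point of the pattern is that any value that does reach a template is escaped exactly once, there and nowhere else.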
This should be fixed with the merge of #1102. |
@Bibliofile I've merged the PR will check to make sure it's fixed. Hoping to make a release soon |
@Larivact Well... I just realised that having a password as a stored XSS can't work. It turns into a hash anyway. 🤣
Just checked this as well, and it seems like it's working. A heads up if people stumble upon this and think it hasn't been fixed, make sure you change the status of the account to Active. |
Try to use a password containing ', ", &, < or >. It doesn't work since it gets escaped.