Events didn't work, so I needed to overwrite one of the internal functions. I've created an issue, so hopefully an option will be added, but until then this seems to be the best way.
I don't think that escaping it globally in Powertip is a good solution; we may want to use HTML in a tooltip at a later stage. Why wouldn't escaping the username variable with Twig work instead?
Twig is configured to escape everything automatically. I've also tried to escape it again, but that didn't work either. As mentioned, I'm hoping that a proper option is added to make it a lot easier.
Yes, but the "strategy" can be changed to make it work two times: http://twig.sensiolabs.org/doc/filters/escape.html

```twig
{% set strategy = 'html' %}

{% autoescape 'html' %}
    {{ var|escape('html') }} {# won't be double-escaped #}
    {{ var|escape(strategy) }} {# will be double-escaped #}
{% endautoescape %}
```
I'll try to take a look at that later, but I don't think that'll work either. Also, I think that global (or option-wise) escaping is better than multiple escaping. Depending on how the option is implemented in the library, I'd add a flag attribute to the powertip elements:
Conflicts: public/assets/js/main.js.min.map public/assets/js/main.min.js
Looks like this PR is now broken ;)
As always xD, will fix it when I'm home (haven't installed
Conflicts: public/assets/js/main.js public/assets/js/main.js.min.map public/assets/js/main.min.js public/js/other.js
This has been fixed @euantorano |
#127
The XSS is in the powertip plugin we're using, which allows the usage of HTML but unfortunately doesn't have a setting to display it. We need to subscribe to the render event and re-escape the strings there (afaik we don't have a tooltip which has HTML). As I don't have NodeJS installed on my laptop, I need to take a look at that later.
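The discussion above turns on one mechanism: Twig escapes the username once when it writes the `data-powertip` attribute, the browser decodes that attribute back to the raw characters when the page loads, and the tooltip plugin then inserts the decoded value as markup. The following is an added example, not code from this PR, from PowerTip or from Twig; it models the browser's attribute decoding and the plugin's `.html()`-style insertion with small stand-in functions (`decodeAttribute`, `renderTooltipAsHtml`, `renderTooltipEscaped` are hypothetical names), and shows three outcomes: the single-escaped template (vulnerable), escaping again in the render step as the PR proposes, and the double-escape-in-Twig idea raised in the thread. The username is a constructed payload.

```javascript
// Added example (not from the PR, PowerTip or Twig): why a value that Twig has
// already HTML-escaped once still ends up as live markup when a tooltip plugin
// inserts it as HTML, and what escaping it again in the render step changes.
// No DOM or jQuery is used; the browser and the plugin are modelled below.

// Escape text for use inside HTML element content or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Stand-in for what the browser does when it parses an attribute value:
// character references are decoded back to characters, exactly once.
// jQuery's .data('powertip') then returns this decoded string.
function decodeAttribute(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[name]));
}

// Stand-in for a plugin that takes the attribute value and inserts it with
// .html(), i.e. as markup. Returns the markup the tooltip element would hold.
function renderTooltipAsHtml(attributeValueFromDom) {
  return attributeValueFromDom;
}

// Hardened variant: escape in the render step, so the tooltip holds only text.
function renderTooltipEscaped(attributeValueFromDom) {
  return escapeHtml(attributeValueFromDom);
}

// Crude detector for markup that would execute when inserted into the page:
// an element with an on* handler attribute, or a script element.
function containsActiveMarkup(markup) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(markup) || /<script\b/i.test(markup);
}

// Constructed attacker-controlled username (not data from the project).
const username = '<img src=x onerror=alert(1)>';

// What Twig's autoescape writes into the template:
//   <span data-powertip="&lt;img src=x onerror=alert(1)&gt;">
const twigAttributeOnce = escapeHtml(username);

// The thread's alternative: escape twice in the template, so that one layer
// survives the browser's attribute decoding:
//   <span data-powertip="&amp;lt;img src=x onerror=alert(1)&amp;gt;">
const twigAttributeTwice = escapeHtml(escapeHtml(username));

// Case 1: single template escape, plugin inserts as HTML -> live <img onerror>.
function vulnerableResult() {
  return renderTooltipAsHtml(decodeAttribute(twigAttributeOnce));
}

// Case 2: single template escape, plugin escapes again at render time -> text.
function hardenedResult() {
  return renderTooltipEscaped(decodeAttribute(twigAttributeOnce));
}

// Case 3: double template escape, plugin inserts as HTML -> text as well,
// because attribute decoding only strips one layer of escaping.
function doubleEscapedResult() {
  return renderTooltipAsHtml(decodeAttribute(twigAttributeTwice));
}

// Expose the intermediate value so the decoding step can be inspected.
function decodedAttributeOnce() {
  return decodeAttribute(twigAttributeOnce);
}
```

The practical takeaway is that "escaped in the template" and "safe to insert as HTML" are different properties: any escaping applied to an attribute is consumed by the browser's attribute parser, so whatever the plugin does with the decoded value decides the outcome. Escaping in the render step keeps the fix in one place regardless of how the template was written; double escaping in the template works only as long as every template that feeds the plugin remembers to do it.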