Resolve template injection risks in Smarty/Vue interactions #9717

Open
asmecher opened this issue Feb 8, 2024 · 0 comments

Labels
Bug:3:Critical A bug that prevents a substantial minority of users from using the software.

asmecher commented Feb 8, 2024

Describe the bug
#9650 and #9421 resolved the risk of template injections in Smarty/Vue interactions with an expedient but inelegant approach to escaping Smarty variables. For the main branch we'd like to do something cleaner.

Meanwhile the fixes for #9650 and #9421 have not been merged to main!

See related: #9683

@asmecher asmecher added the Bug:3:Critical A bug that prevents a substantial minority of users from using the software. label Feb 8, 2024
@asmecher asmecher added this to the 3.5 Internal milestone Feb 8, 2024
@jardakotesovec jardakotesovec self-assigned this Sep 25, 2024
jardakotesovec added a commit to jardakotesovec/ui-library that referenced this issue Jan 30, 2025
…e v-html to render it. v-html will be replaced with safer version as part of the pkp/pkp-lib#9717
jardakotesovec added a commit to pkp/ui-library that referenced this issue Jan 30, 2025
…e v-html to render it. v-html will be replaced with safer version as part of the pkp/pkp-lib#9717