
Some HTMLHelper methods still need escaping as certain values should never be HTML

Description

Ticket missed a few places where text needs to be escaped before being embedded into HTML to prevent XSS attacks and markup errors. In each of the examples below, HTML should never be passed in, so it is always safe to escape the text to ensure any special characters are not mistaken for HTML by the browser.

  • The "meta" function's content variable.

    buffer.append('<meta #arguments.type#="#arguments.name#" content="#arguments.content#" />');
  • The "meta" function's content variable when passed an array of structs:

    buffer.append('<meta #arguments.name[x].type#="#arguments.name[x].name#" content="#arguments.name[x].content#" />');
  • Both places where src is output in the "video" function

  • Both places where src is output in the "audio" function

  • option "value" in the "options" function

    buffer.append('<option value="#thisValue#"');
  • Option name in the "options" function

    buffer.append(">#thisName#</option>");
  • JS and CSS includes in the "addAsset" function

    // Load Asset
    if( listLast(thisAsset,".") eq "js" ){
        sb.append('<script src="#jsPath##thisAsset#" type="text/javascript"#asyncStr##deferStr#></script>');
    } else{
        sb.append('<link href="#cssPath##thisAsset#" type="text/css" rel="stylesheet" />');
    }
  • The "value" parameter in the "textArea" function
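The following is an added illustration, not ColdBox's HTMLHelper code, written in Python so it can be run stand-alone. It builds the same kinds of tags the ticket lists (meta, option, script/link includes, textarea) and shows an unescaped builder beside the escaped one, using a constructed content string that contains `&`, `"` and `<`. The function names (meta_raw, meta, options, add_asset, text_area) and the default asset paths are assumptions for the example; in CFML the equivalent escaping calls are encodeForHTMLAttribute() for attribute values and encodeForHTML() for element text.

```python
import html


def attr(value):
    """Escape a value for placement inside a double-quoted HTML attribute.
    quote=True also turns '"' and "'" into entities so the value cannot close the attribute."""
    return html.escape(str(value), quote=True)


def text(value):
    """Escape a value for placement as element text (between tags).
    Quotes are harmless here, so only &, < and > are rewritten."""
    return html.escape(str(value), quote=False)


# --- the pattern the ticket reports: raw interpolation into a tag ---
def meta_raw(name, content, type_="name"):
    # Assumed mirror of the unescaped buffer.append() in the ticket: a '"' in
    # content terminates the attribute and the rest is parsed as markup.
    return f'<meta {type_}="{name}" content="{content}" />'


# --- the hardened form: every interpolated value is escaped for its context ---
def meta(name, content, type_="name"):
    return f'<meta {attr(type_)}="{attr(name)}" content="{attr(content)}" />'


def options(values, selected=None):
    """values is a list of (value, label) pairs; value goes in an attribute, label in text."""
    out = []
    for val, label in values:
        sel = ' selected="selected"' if val == selected else ""
        out.append(f'<option value="{attr(val)}"{sel}>{text(label)}</option>')
    return "".join(out)


def add_asset(asset, js_path="/includes/js/", css_path="/includes/css/", async_=False, defer=False):
    """Emit a script or link include depending on the file extension; the
    concatenated path is escaped as an attribute value (the ticket's jsPath/cssPath case)."""
    ext = asset.rsplit(".", 1)[-1].lower()
    if ext == "js":
        extra = (" async" if async_ else "") + (" defer" if defer else "")
        return f'<script src="{attr(js_path + asset)}" type="text/javascript"{extra}></script>'
    return f'<link href="{attr(css_path + asset)}" type="text/css" rel="stylesheet" />'


def text_area(name, value):
    return f'<textarea name="{attr(name)}">{text(value)}</textarea>'


# Constructed sample content containing the characters that break attributes and markup.
SAMPLE_CONTENT = 'Rock & Roll "Best" <of>'

if __name__ == "__main__":
    print(meta_raw("description", SAMPLE_CONTENT))  # attribute is cut off at "Best"
    print(meta("description", SAMPLE_CONTENT))      # one well-formed attribute
    print(options([("1", "A & B"), ('x"y', "<b>")], selected="1"))
    print(add_asset("app.js", async_=True))
    print(text_area("bio", SAMPLE_CONTENT))
```

The point of keeping two escapers is that the rule differs by context: inside a double-quoted attribute the dangerous character is `"`, while between tags it is `<`; escaping both everywhere is harmless, which is why the ticket says it is always safe to escape these values.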

Status

Assignee

Luis Majano

Reporter

Brad Wood

Labels

None

Components

Fix versions

Priority

Major