Bug #16949
open
Potential XSS via Backup package entry name and path values
Added by Jim Pingle about 12 hours ago.
Updated about 11 hours ago.
Description
The Backup package does not validate the name or path values for Backup location entries. It also prints the name and path values without encoding, leading to a potential XSS.
Reported by: @lujiefsi
- Description updated (diff)
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
- Added validation for backup entry values such as name and path to address XSS concerns.
- Added encoding before display for name, path, and other values.
- Rewrote action handling to use only POST for all actions so it does not take destructive actions via GET requests
- Cleaned up various other concerns and redundant code
New packages are building now for Plus 26.03.1, CE 2.8.1, and will be in snapshots next time they run.
- Private changed from Yes to No
Updated packages are now available.
Also available in: Atom
PDF