escape Message translate params value to prevent XSS attack #554
Conversation
|
@mjauvin This constitutes a breaking change, as it has been this way for ages. I would just be encouraging people to use the |
|
@bennothommo this is what twig does already by default. So if you output the variable with twig directly like so |
|
@bennothommo @mjauvin I would concur. I can't think of a single valid reason that someone would want parameters passed into the |
mjauvin
added
Status: Completed
and removed
Status: Response Needed
Status: Testing Needed
labels
|
@mjauvin Normal output of variables through Twig is escaped, but as soon as a filter is involved, it is passed through unescaped to the filter, and it then becomes the responsibility of the filter to escape the result as necessary. October allows filters (both in-built and pluign-provided) to run in HTML mode here: https://github.com/octobercms/october/blob/master/modules/system/classes/MarkupManager.php#L276 @LukeTowers while you are right in that it is unlikely, there are cases for HTML being added to the parameters for translation, like for example, super or sub-script characters for a title. Eg. Given that Twig is not only used for just user-provided variables, but also for default markup in plugin components where data might be provided by something already handling escaping, I don't think it's safe to just blanket escape everything. |
|
Hmmm, interesting counter argument @bennothommo |
|
Hmm, I missed the fact that all custom filters registered in October through the plugin registration files bypass the escape protection provided by Twig by default. That seems a bit like a foot gun to me. What would you recommend as the solution then? Should we just update the docs (both https://octobercms.com/docs/plugin/registration#extending-twig and the plugin docs) to recommend using |
|
@LukeTowers I think that's probably the only thing we can do that won't constitute a BC break for that functionality. |
|
hmm, what about escaping only if a "<script>" tag is found in the string? |
|
@mjauvin that might be too brittle a check - Javascript can be run in different ways, for example, through event handler attributes like |
|
@bennothommo true, so I guess we'll just leave the code as it is, and add a note to documentation. |
|
Still waiting for @daftspunk's input on this so we can leave it open for now. |
|
@daftspunk did you have a chance to look into this one? |
|
This is clearly an oversight in the original design, since escaped variables is the common/expected functionality. This change is fine to push through so long as everyone is made aware of the modified behavior, but importantly a workaround is in place for those that intend to have unescaped variables. What is the solution for these people? Is it to use Once a confirmed solution is in place to retain the original functionality (for the unlikely few that may want it), this can be merged and we should include appropriate guidance in the release notes. |
mjauvin
added
Status: Accepted
Status: In Progress
and removed
Status: Blocked
Status: Accepted
labels
|
@mjauvin Don't double down by adding more args to
|
Add support for transOrderBy
* make sure multi-lingual input form controls have padding-right of 44px * register asset bundle to process less files into css files * reposition language selector above textarea box * fix language selector position when commentAbove is defined
mjauvin
changed the title
|
Just as a comment, I encountered this issue when including links in a string, which I wouldn't think would be that uncommon in websites. Since this is a breaking change, would it not make more sense to change it in two steps? First introduce |
|
@multiwebinc I don't think that would help much, but we should do a better job warning users about the change. @mjauvin can you release a 1.7.0 !!! update that warns about the change? Just make the change to the version file in a PR and I'll review it and then update the marketplace. |
|
@LukeTowers does it have to be version 1.7.0 ? My next milestone is 1.6.11 |
|
@mjauvin technically it should be 2.0.1, it's a bit of a breaking change. Feel free to rename 1.6.11 to 1.7.0 and move any un-finished issues to 1.7.1. It's not quite semantic versioning but it's a bit more accurate than changing just the minor version number. |
|
@LukeTowers do you actually want me to create a release or just a PR with the version.yaml update? |
|
@mjauvin just make it a new release. |
|
@LukeTowers do you still want to approve PR #573 before I cut the release? |
Fixes #553