fix(xss): Ensure to use the xml_escape method on entity attributes (!474) · Merge requests · cubicweb / cubicweb

With a CWEntity, the json_dumps method retrieve the attributes as a jsonable dict.

But the string values are not correctly escape and it's possible to inject XSS with the CubicWeb autogenerated forms.

Related to #564

Edited Aug 23, 2022 by Aurélien Lubert

fix(xss): Ensure to use the xml_escape method on entity attributes