fix(xss): Ensure to use the xml_escape method on entity attributes (!479) · Merge requests · cubicweb / cubicweb

Aurélien Lubert requested to merge topic/3.37/xss into branch/3.37 Aug 24, 2022

With a CWEntity, the json_dumps method retrieve the attributes as a jsonable dict.

But the string values are not correctly escape and it's possible to inject XSS with the CubicWeb autogenerated forms.

Related to #564

--HG-- branch : 3.37

Edited Aug 24, 2022 by Aurélien Lubert

fix(xss): Ensure to use the xml_escape method on entity attributes