
fix(xss): Ensure to use the xml_escape method on entity attributes

Aurélien Lubert requested to merge topic/3.37/xss into branch/3.37

With a CWEntity, the json_dumps method retrieves the attributes as a jsonable dict.

But the string values are not correctly escaped, and it's possible to inject XSS with the CubicWeb autogenerated forms.

Related to #564

--HG-- branch : 3.37

Edited by Aurélien Lubert
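To illustrate the defect this merge request addresses, here is an added, self-contained Python example that is not part of the CubicWeb code base or of this merge request. It assumes a helper equivalent to CubicWeb's xml_escape (here built on Python's html.escape, which is an assumption about its behaviour) and applies it to every string value of a jsonable attribute dict before serialization, so that a value like `<script>` no longer reaches the page unescaped. The entity attributes below are constructed sample data.

```python
import json
from html import escape


def xml_escape(value: str) -> str:
    # Assumption: stand-in for CubicWeb's xml_escape; escapes &, <, >, " and '.
    return escape(value, quote=True)


def escape_jsonable(obj):
    """Recursively apply xml_escape to every string *value* in a jsonable
    structure (dicts, lists, tuples). Keys and non-string scalars such as
    ints, floats, bools and None are returned unchanged."""
    if isinstance(obj, str):
        return xml_escape(obj)
    if isinstance(obj, dict):
        return {key: escape_jsonable(val) for key, val in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [escape_jsonable(val) for val in obj]
    return obj


def json_dumps_unescaped(attrs):
    """The unfixed behaviour: string values go into the JSON as-is."""
    return json.dumps(attrs)


def json_dumps_escaped(attrs):
    """The fixed behaviour: escape string values first, then serialize."""
    return json.dumps(escape_jsonable(attrs))


# Constructed sample attributes (hypothetical entity, not real CubicWeb data).
SAMPLE_ATTRS = {
    "eid": 42,
    "title": '<script>alert("x")</script>',
    "tags": ["<b>one</b>", "two"],
    "description": None,
}


if __name__ == "__main__":
    print(json_dumps_unescaped(SAMPLE_ATTRS))
    print(json_dumps_escaped(SAMPLE_ATTRS))
```

The escaped output is still valid JSON: json.dumps does not touch `&`, so the entity-encoded text round-trips unchanged, and non-string values (the `eid`, the `None`) are serialized exactly as before.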
