Issue 9405

Title
Possible XSS code execution on Text and Char fields in sao
Priority
critical
Status
resolved
Nosy list
bch, ced, nicoe, pokoli, reviewbot, roundup-bot, sharkcz, yangoon
Assigned to
nicoe
Keywords
review

Created on 2020-06-11.17:59:01 by nicoe, last changed 5 months ago by roundup-bot.

Messages

New changeset 95b2c44dc252 by Cédric Krier in branch 'default':
Sanitize RichText fields content
https://hg.tryton.org/tryton-env/rev/95b2c44dc252
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2020-06-26.09:20:03
I think we can schedule the security release for 29th June at 18:00 CEST.
Author: [hidden] (nicoe) Tryton committer
Date: 2020-06-12.17:45:23
Here is the review
Author: [hidden] (nicoe) Tryton committer
Date: 2020-06-11.17:59:01
It's possible to include code in the Text and Char fields that will be interpreted when displayed in the richtext widget. It could lead to a stolen session, data loss, etc.

Sanitizing the HTML code of the richtext widget should solve this issue.
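The changeset linked in this issue sanitizes rich-text content before the widget renders it. As an added illustration (my own example code, not sao's and not the code in that changeset), the block below shows the shape of that defence in plain JavaScript so it runs under Node without a DOM: values of ordinary Text/Char fields shown as text go through `escapeHtml`, and HTML destined for the rich-text widget goes through `sanitizeRichText`, which rebuilds the markup from an allowlist of tags and attributes, drops event-handler attributes, discards the contents of `script`/`style`, and rejects `javascript:` link targets even when the scheme is entity-encoded. The tag/attribute allowlist, the helper names and the sample field value are assumptions made for the example, not Tryton's.

```javascript
'use strict';
// Added example (not sao's code): escape plain-text field values and sanitize
// HTML for a rich-text widget with an allowlist, so stored markup cannot run.

// Tags the widget may render, with the attributes each may keep.
// This allowlist is an assumption for the example, not Tryton's own list.
const ALLOWED_TAGS = Object.freeze({
  p: [], br: [], b: [], i: [], u: [], strong: [], em: [],
  ul: [], ol: [], li: [],
  a: ['href'],
  font: ['color', 'face', 'size'],
});
// Elements whose text content is dropped along with the tags.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const VOID_TAGS = new Set(['br']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// hasOwnProperty, so a "<constructor>" tag does not hit Object.prototype.
const isAllowedTag = (tag) => Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, tag);

// For ordinary Text/Char fields shown as text: escape every markup character.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Text nodes inside rich text: neutralise '<' and '>' that did not form a
// recognised tag (e.g. "<!--"); existing entities are left alone so "&amp;"
// is not double-encoded.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Decode the entities a browser decodes inside attribute values, so that
// "javascript&#58;alert(1)" cannot hide its scheme from safeUrl().
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _g, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// A link target is kept only if, decoded and stripped of the control and
// whitespace characters browsers ignore, it is http(s), mailto, or relative.
function safeUrl(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '');
  const lower = cleaned.toLowerCase();
  if (/^(https?:\/\/|mailto:)/.test(lower)) return cleaned;
  if (!/^[a-z][a-z0-9+.-]*:/.test(lower)) return cleaned; // no scheme at all
  return null;                                              // javascript:, data:, ...
}

// Keep only allowlisted attributes; event handlers (on*) and style never pass.
function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_TAGS[tag];
  const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name === 'href') {
      value = safeUrl(value);
      if (value === null) continue;
    }
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Rebuild the HTML from scratch, emitting only what the allowlist permits.
function sanitizeRichText(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let dropUntil = null; // name of the element whose content is being swallowed
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    const text = html.slice(last, m.index);
    last = tagRe.lastIndex;
    if (dropUntil !== null) {
      if (closing && tag === dropUntil) dropUntil = null;
      continue; // text and tags inside <script>...</script> are discarded
    }
    out += escapeText(text);
    if (!isAllowedTag(tag)) {
      if (!closing && DROP_CONTENT.has(tag)) dropUntil = tag;
      continue; // unknown tag removed, its text content kept
    }
    if (closing) {
      if (!VOID_TAGS.has(tag)) out += `</${tag}>`;
    } else {
      out += `<${tag}${sanitizeAttrs(tag, m[3])}>`;
    }
  }
  if (dropUntil === null) out += escapeText(html.slice(last));
  return out;
}

// Constructed sample field value (not real Tryton data) carrying a stored payload.
const SAMPLE_FIELD = '<p onmouseover="fetch(\'/x?\'+document.cookie)">Note</p>'
  + '<a href="javascript&#58;alert(1)">link</a><script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('as plain text :', escapeHtml(SAMPLE_FIELD));
  console.log('as rich text  :', sanitizeRichText(SAMPLE_FIELD));
}
```

In a production client the sanitizer should be a maintained library such as DOMPurify rather than a hand-written one; the example exists to show the two checks that matter here: field content is never assigned to `innerHTML` unless it has been escaped or filtered against an allowlist, and link targets are decoded before the scheme test so an entity-encoded `javascript:` cannot slip through.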
History
Date                 User         Action  Args
2020-06-29 18:18:22  roundup-bot  set     messages: + msg58908
2020-06-29 18:08:30  ced          set     status: testing -> resolved
2020-06-26 09:20:03  ced          set     messages: + msg58881; component: - trytond
2020-06-12 21:56:15  ced          set     status: chatting -> testing
2020-06-12 17:45:23  nicoe        set     reviews: 327451002; status: unread -> chatting; messages: + msg58664; keyword: + review
2020-06-11 17:59:01  nicoe        create
