aces / Loris

LORIS is a web-accessible database solution for longitudinal multi-site studies.
GNU General Public License v3.0

[v23] Potential XSS fix #9480

Closed jeffersoncasimir closed 2 days ago

jeffersoncasimir commented 6 days ago

The following is a patch that can potentially address the XSS vulnerability of the request_account page:

Patch for modules/login/templates/form_requestaccount.tpl:

--- form_requestaccount.tpl (original)
+++ form_requestaccount.tpl (patched)
@@ -5,9 +5,9 @@
 <div class="panel panel-default panel-center">
   <div class="panel-heading">
     <h3 class="panel-title">
-        {$page_title}
+        {$page_title|escape}
     </h3>
   </div>
   <div class="panel-body">
       {if $success}
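Review bot: `{$page_title|escape}` relies on Smarty's default escape type, `html` (htmlspecialchars), which is the right choice for text inside an `<h3>`; nothing in the hunk shows where `$page_title` comes from, though, so if it is a fixed string set by the module this line is harmless defence-in-depth rather than the fix for the reported XSS. State in the PR description which reflected value the report actually injected into, so a reviewer can confirm this hunk covers it.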
@@ -17,9 +17,9 @@
       <a href="/" class="btn btn-primary btn-block">
         Return to Login Page
       </a>
-      <b class="text-danger">{$form.firstname.error}</b>
+      <b class="text-danger">{$form.firstname.error|escape}</b>
       <b class="text-danger">{$form.lastname.error|escape}</b>
       <b class="text-danger">{$form.from.error|escape}</b>
+      <b class="text-danger">{$form.site.error|escape}</b>
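Review bot: the hunk body does not match its `@@ -17,9 +17,9 @@` header: it carries six old-side lines and seven new-side lines, so `git apply`/`patch` will reject it as corrupt; regenerate it with `git diff` instead of hand-editing the pasted diff. The added `+ <b class="text-danger">{$form.site.error|escape}</b>` has no `-` counterpart, so it introduces a new element rather than escaping an existing one; confirm the form really has a `site` element, otherwise this renders an empty `<b>`. The surrounding context shows `lastname` and `from` were already escaped and only `firstname` was not, so the change restores consistency for the error strings, but it touches nothing else in the template; if submitted field values are echoed back into the form's `value` attributes, those need `|escape` as well.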
christinerogers commented 5 days ago

Related to this report, per Samir (Nov. 22): Shen to install 23 and test the fix against these attacks, and issue the PR if it works.

kongtiaowang commented 4 days ago

This fix is not working in my VM. [image]

kongtiaowang commented 4 days ago

This is another way to fix this issue: #9481. Test from here: http://wangshen-dev.loris.ca/login/request-account/
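The two comments above ask for the fix to be tested against the reported attacks. The script below is an added example of such a regression check; it is not LORIS project code. It assumes the request-account form posts fields named `firstname`, `lastname`, `from` and `site` (taken from the `$form.*` keys in the template patch, an assumption), that the page echoes validation errors back in the response, and that no CSRF token or session cookie is required for the POST; the sample responses are constructed, not captured from a real instance.

```python
"""Reflected-XSS regression check for a LORIS request-account page.

Added example, not part of the LORIS project. Field names and the
absence of a CSRF token are assumptions (see lead-in).
"""
import html
import sys
import urllib.parse
import urllib.request

# Probe contains no quotes, so Smarty's default |escape (htmlspecialchars)
# and Python's html.escape() produce the same escaped form.
PAYLOAD = "<img src=x onerror=alert(1)>"

# Assumed from the $form.* keys used in the template patch.
FIELDS = ("firstname", "lastname", "from", "site")


def classify(body: str, payload: str = PAYLOAD) -> str:
    """Say how a response page echoes the probe.

    'vulnerable'     raw payload present: it would execute in a browser
    'escaped'        only the HTML-escaped form present: the fix works
    'not-reflected'  the payload is not echoed at all
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "not-reflected"


def build_request(base_url: str, field: str, payload: str = PAYLOAD) -> urllib.request.Request:
    """POST the form with every field filled and one field set to the probe."""
    data = {name: "test" for name in FIELDS}
    data[field] = payload
    body = urllib.parse.urlencode(data).encode()
    return urllib.request.Request(base_url, data=body, method="POST")


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Submit the probe through each field in turn and classify each response."""
    results = {}
    for field in FIELDS:
        with urllib.request.urlopen(build_request(base_url, field), timeout=timeout) as resp:
            page = resp.read().decode("utf-8", "replace")
        results[field] = classify(page)
    return results


# Constructed sample responses (not captured from a real server):
# what an unescaped {$form.firstname.error} and the patched
# {$form.firstname.error|escape} would render for the probe.
SAMPLE_BEFORE = '<b class="text-danger">Invalid name: <img src=x onerror=alert(1)></b>'
SAMPLE_AFTER = '<b class="text-danger">Invalid name: &lt;img src=x onerror=alert(1)&gt;</b>'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_xss.py http://host/login/request-account/
        for name, verdict in probe(sys.argv[1]).items():
            print(f"{name}: {verdict}")
    else:
        print("before fix:", classify(SAMPLE_BEFORE))
        print("after fix: ", classify(SAMPLE_AFTER))
```

Run it with the deployment URL as the first argument to exercise a live instance, or with no argument to see the classifier on the constructed samples. A `not-reflected` verdict is not proof of safety: the payload may be stored and rendered on another page, or the server may have rejected the request before rendering the form, so check the response status and look at the page for any reflection inside attribute values as well as element text.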

jeffersoncasimir commented 2 days ago

Replaced by the above.