The tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file.
This allowed attackers with Panel access to store malicious HTML code in a tag. The browser of the victim who visited the modified page in the Panel will then have rendered this malicious HTML code.
It also allowed self-inflicted XSS attacks in the tags field (meaning that malicious code is executed in the browser of the user who entered it). This could be used in social engineering attacks where a victim is convinced by an attacker to enter malicious code into a tags field.
Visitors without Panel access could only use this attack vector if your site allows changing the content of a tags or multiselect field from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.
You are also not affected by these vulnerabilities if your site doesn't have untrustworthy users with Panel access or a way to modify field values from the frontend or if you don't use the tags or multiselect fields.
Note: The fixes for these vulnerabilities have the side effect that values in the tags and multiselect fields that come from dynamic options are displayed with double escaping (e.g. the & character is displayed as &). We will fix the double escaping issues with a refactoring of the options fields (tags, multiselect, checkboxes, radio, select and toggles) in Kirby 3.8.
🎉 Features
Added support for hot module reloading (HMR) during plugin development using kirbyup#4541
New Helpers::handleErrors() method for custom PHP error handling #4569
New F::unlink() method for idempotent deletion of files and links (native PHP unlink() without a warning when the file is already deleted) #4569
k-text has a new html prop to pass content that should be rendered as HTML (instead of providing text via the default slot). Use carefully as rendering HTML can be a gateway for XSS attacks. #4578
The text block field input is now extendable in the blueprint #3016
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/mauricerenck/komments/network/alerts).
Bumps getkirby/cms from 3.7.0.2 to 3.7.4.
Release notes
Sourced from getkirby/cms's releases.
... (truncated)
Commits
44158e8
Update translations1aaef26
Update version number50ab654
Update dist files110525e
Fix XSS issue in the MultiselectInputcefb8fe
Fix XSS issue in the TagsInput04e9f52
Handle URL encoding in theParams
classf16e064
Merge pull request #4593 from getkirby/fix/unlink0db18b7
Merge pull request #4594 from getkirby/fix/k-text-html3f805a6
Alphabetical reordering406bd0c
FixF::remove()
with non-existing filesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/mauricerenck/komments/network/alerts).