plone / plone.app.content

Various views for Plone, such as folder_contents, as well as general content infrastructure, such as base classes and name choosers.
https://pypi.org/project/plone.app.content/

Integrate Plone20200121 hotfix: prevent XSS in title. [master] #193

Closed mauritsvanrees closed 4 years ago

mauritsvanrees commented 4 years ago

Part of https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher

mister-roboto commented 4 years ago

@mauritsvanrees thanks for creating this Pull Request and helping improve Plone!

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass.

Whenever you feel that the pull request is ready to be tested, either start all Jenkins pull request jobs yourself, or simply add a comment in this pull request stating:

@jenkins-plone-org please run jobs

With this simple comment all the jobs will be started automatically.

Happy hacking!

mauritsvanrees commented 4 years ago

I will test this together with https://github.com/plone/plone.app.layout/pull/232. They can be merged separately, but they solve part of the same security issue.

For branch 3.5.x (Plone 5.1) we will need a separate branch of plone.app.layout. For plone.app.content the problem is not there on 5.1.

mauritsvanrees commented 4 years ago

@jenkins-plone-org please run jobs

mauritsvanrees commented 4 years ago

I have meanwhile merged plone/plone.app.layout#232, so they should no longer be tested together.

And I am getting a headache from Jenkins. Unrelated failures, timeouts after three hours, it sometimes seems impossible to get PRs green without trying at least five times...

mauritsvanrees commented 4 years ago

Green!