Closed d--j closed 4 years ago
Submission::getEditorUrl and Submission::getPublisherUrl are missing HTML escaping. This can easily be exploited by a malicious editor.
Submission::getEditorUrl
Submission::getPublisherUrl
https://github.com/verbb/workflow/blob/a3cbb2b65ee88b8bef6a15b879292c325d119d01/src/elements/Submission.php#L168-L181
Editor changes her user profile, adds malicious stuff like the following:
The next time a publisher accesses the submission list:
Fixed in 1.3.0
engram-design
commented
4 years ago engram-design
commented
4 years ago
Description
Submission::getEditorUrlandSubmission::getPublisherUrlare missing HTML escaping. This can easily be exploited by a malicious editor.https://github.com/verbb/workflow/blob/a3cbb2b65ee88b8bef6a15b879292c325d119d01/src/elements/Submission.php#L168-L181
Steps to reproduce
Editor changes her user profile, adds malicious stuff like the following:
The next time a publisher accesses the submission list:
Additional info