yiisoft / yii2-gii

Yii 2 Gii Extension
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Fix to CVE-2022-34297 #509

Closed (cgsmith closed this 1 year ago)

cgsmith commented 1 year ago
Q A
Is bugfix? ✔️
New feature?
Breaks BC?
Fixed issues

This patches the issue as identified in this report https://nvd.nist.gov/vuln/detail/CVE-2022-34297

cgsmith commented 1 year ago

I had to modify the composer.json file, as it appears there is an update to composer where you need to explicitly allow plugins. Looking into the failures on the php 5.4 and 5.5 builds.

rob006 commented 1 year ago

I proposed a better fix in https://github.com/yiisoft/yii2-gii/pull/510.

Also, I was not able to make this XSS persistent, which was suggested by the original report.

samdark commented 1 year ago

Fixed by https://github.com/yiisoft/yii2-gii/pull/510

Big thanks for the PR and for highlighting the issue.