cubicweb #1698245 Convert __message to _cwmsgid to increase security [resolved]
Using _cwmsgid with the message stored in the sesssion can prevent users from inserting unwanted text in a cubicweb site by using the __message variable. This ticket is the first step to removing the use of __message, convert it to cwmsgid in build_url (next step : ignore the variable when sent through GET or POST : http://www.cubicweb.org/ticket/1698261) | |
| priority | normal |
|---|---|
| type | enhancement |
| done in | 3.13.0 |
| load | 0.500 |
| load left | 0.000 |
| closed by | #cab99ccdb774 [ui messages, xss] Start migration towards use of _msgid instead of __message (prone to XSS injection) closes #1698245 |
similar entities
- cubicweb #1698261 ignore __message variable in GET or POST
- cubicweb #511718 explain why rql expr insertion doesn't work to ease security debugging
- cubicweb #2969377 [security] all add security checks must happen at commit time
- TheCubicWebBook #656194 CW Administration: how to give dynamic permissions
- cubicweb #2103684 use passlib (?)
[see all]