cubicweb #1698245 Convert __message to _cwmsgid to increase security [resolved]
Using _cwmsgid with the message stored in the sesssion can prevent users from inserting unwanted text in a cubicweb site by using the __message variable. This ticket is the first step to removing the use of __message, convert it to cwmsgid in build_url (next step : ignore the variable when sent through GET or POST : http://www.cubicweb.org/ticket/1698261) | |
| priority | normal |
|---|---|
| type | enhancement |
| done in | 3.13.0 |
| load | 0.500 |
| load left | 0.000 |
| closed by | #cab99ccdb774 [ui messages, xss] Start migration towards use of _msgid instead of __message (prone to XSS injection) closes #1698245 |
similar entities
- cubicweb #1698261 ignore __message variable in GET or POST
- cubicweb-mercurial-server mercurial-server integration cube
- cubicweb-openidrelay #2502648 info log prints out password in log
- cubicweb #3770459 ldapfeed ignores ssl/tls certificates
- cubicweb #370633 e-mail adress should not be visible in the url
[see all]