Changes between Initial Version and Version 4 of Ticket #34514
- Timestamp:
- Apr 25, 2023, 7:16:22 AM (19 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #34514
- Property Resolution → invalid
- Property Status new → closed
- Property Summary `firstof` tag do not escapes variables defined in `wth` tag → `firstof` and `cycle` tags do not escapes variables defined in `wth` tag
-
Ticket #34514 – Description
initial v4 35 35 Will result in the same not escaped html with XSS. 36 36 37 The same problem with the `cycle` tag: 38 39 {{{ 40 {% with var0="<script>alert('XSS');</script>" %} 41 {% for var2 in list_var %} 42 {% cycle var0 "123" %} 43 {% endfor %} 44 {% endwith %} 45 }}} 46 47 Where ''list_var'' is just a context-defined list variable. 48 37 49 Related #17906