
Escape the contents of the default title pages regression

Open Ollie222 opened this issue 2 years ago • 1 comments

In #5184 a fix was implemented to escape the contents of the default title pages by removing the raw tag in detail, edit, index and new.html twig files. This was in commit 2965e9c https://github.com/EasyCorp/EasyAdminBundle/commit/2965e9cd090639d070d5bc68d9aa6f78f857885b

In commit 7596f24 https://github.com/EasyCorp/EasyAdminBundle/commit/7596f24fe5a4a167786d4c3f442e6d2da2119f0a 'Allow Translatable objects in addition to string in translated context' this looks to have reversed the changes made in 2965e9c meaning that XSS is now possible with the page title.

Was there a reason for doing this or is it just a bug that's been missed?

Ollie222 avatar May 23 '23 12:05 Ollie222
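To make the difference between the two template variants concrete, here is an added example (not EasyAdminBundle's own code, and not from the issue author) that renders a page title both through `|raw` and through Twig's default HTML autoescaping. It assumes `twig/twig` is installed with Composer so that `vendor/autoload.php` exists; the template names and the sample title are constructed for the demo.

```php
<?php
// Added example, not EasyAdminBundle code. Assumes twig/twig is installed via
// Composer (vendor/autoload.php). Template names below are invented for the demo.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Two versions of the same <title> snippet: one with |raw (escaping disabled,
// the pattern the issue reports as reintroduced) and one relying on Twig's
// default 'html' autoescape strategy (the pattern from the earlier fix).
$loader = new ArrayLoader([
    'title_raw.html.twig'     => '<title>{{ page_title|raw }}</title>',
    'title_escaped.html.twig' => '<title>{{ page_title }}</title>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

/**
 * Render both templates for the given title and report whether the title
 * survived verbatim (unescaped) and whether the escaped variant matches
 * what htmlspecialchars() would produce (Twig's 'html' strategy uses
 * ENT_QUOTES | ENT_SUBSTITUTE with UTF-8).
 */
function renderTitle(Environment $twig, string $pageTitle): array
{
    $raw     = $twig->render('title_raw.html.twig',     ['page_title' => $pageTitle]);
    $escaped = $twig->render('title_escaped.html.twig', ['page_title' => $pageTitle]);

    $expectedEscaped = '<title>'
        . htmlspecialchars($pageTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</title>';

    return [
        'raw'                 => $raw,
        'escaped'             => $escaped,
        'raw_is_unescaped'    => str_contains($raw, $pageTitle),
        'escaped_matches_hsc' => $escaped === $expectedEscaped,
    ];
}

// Constructed sample: what an entity's __toString() might return if user-
// controlled data (here a name field) ends up in the page title.
$sampleTitle = 'Acme <script>alert(1)</script> & Co.';

$result = renderTitle($twig, $sampleTitle);
echo "raw:     {$result['raw']}\n";      // markup from the title is emitted as-is
echo "escaped: {$result['escaped']}\n";  // <, >, & and quotes become entities
var_dump($result['raw_is_unescaped']);   // bool(true)
var_dump($result['escaped_matches_hsc']); // bool(true)
```

The `raw` variant reproduces the title byte-for-byte inside the document, so any markup carried by the title becomes part of the page; the autoescaped variant turns it into inert entities. If the motivation for `|raw` was to support Translatable objects, the safer shape is to translate first (for example with Symfony's `trans` filter, whose output is still autoescaped) and let Twig escape the resulting string at output time rather than opting the whole expression out of escaping.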

We just had a security audit which reported this issue (we have a __string() on our entity).

allan-simon avatar Apr 02 '24 17:04 allan-simon