Priority: Security
Current State: Closed
Released In: 2.1.3
Target Release: patch
If a configure item contains things like image or other HTML tags, they get rendered in the changed Items report from the extensions installer, and in the before/after report from configure Save wizard.
Reporting this as a security issue as it was reported by "somedude" as such in IRC and with a private message. An extension could inject JavaScript into the configure interface.
--
GeorgeClark - 22 Jan 2017
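The fix described in the report amounts to HTML-escaping every configuration value before it is interpolated into the generated report. The following Perl illustrates that, with the unescaped rendering beside the escaped one. It is an added example written for this page, not code from Foswiki's configure or from the patch; `report_row_raw`, `report_row` and the sample key/value rows are constructed for illustration. The escaping is the same kind that the CPAN module HTML::Entities performs, written out here so the script has no dependency beyond core Perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that can open a tag, close an attribute value,
# or start an entity. After this a configured value can only ever be shown
# as literal text, never parsed as markup.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# The pattern the report describes: values dropped straight into the
# before/after table, so an image or script tag in a .spec default is
# rendered by the browser instead of displayed. Hypothetical, not Foswiki's
# code.
sub report_row_raw {
    my ($key, $before, $after) = @_;
    return "<tr><td>$key</td><td>$before</td><td>$after</td></tr>\n";
}

# Hardened form: every interpolated value passes through escape_html.
sub report_row {
    my ($key, $before, $after) = @_;
    return sprintf(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        escape_html($key), escape_html($before), escape_html($after),
    );
}

# Constructed sample changes, not real Foswiki configuration data. The second
# row carries an image tag of the sort the report mentions.
my @changes = (
    [ '{Plugins}{ImagePlugin}{Enabled}', '0', '1' ],
    [ '{ImagePlugin}{Caption}', 'plain text', '<img src="logo.png" alt="x">' ],
);

my $raw  = join '', map { report_row_raw(@$_) } @changes;
my $safe = join '', map { report_row(@$_) }     @changes;

# Count tags the browser would actually interpret in each version of the
# report; the escaped report contains only the table markup we wrote.
my $raw_img  = () = $raw  =~ /<img\b/g;
my $safe_img = () = $safe =~ /<img\b/g;

print "--- unescaped report (value rendered as markup) ---\n$raw";
print "--- escaped report (value shown as text) ---\n$safe";
print "img tags in unescaped report: $raw_img, in escaped report: $safe_img\n";
```

Running it shows the caption row once as a live `<img>` element and once as the text `&lt;img src=&quot;logo.png&quot; alt=&quot;x&quot;&gt;`; the final line reports 1 and 0 respectively. The check to carry into a real renderer is the same: any string that originates from a .spec file or a stored configuration value is untrusted from the point of view of the page that displays it, and is escaped at the point of output rather than relied on to be clean.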
I really don't think this is necessary. If a hacker is able to munge a .spec file and add HTML, then they are able to hack the content of the package and install much evil.
The patch doesn't hurt much, I just don't think there's much point to it.
--
Main.CrawfordCurrie - 23 Jan 2017 - 15:19
True. I pointed that out. His response was
"other things are risky too" is a really bad counter-argument to a "this thing is generating bogus html"
I do recall ages ago that I was confused by the broken images in the report when I installed the ImagePlugin, so it is a bit cleaner even if not all that significant.
--
GeorgeClark - 23 Jan 2017