Changes between Initial Version and Version 4 of Ticket #34514


Ignore:
Timestamp:
Apr 25, 2023, 7:16:22 AM (20 months ago)
Author:
Алексей Поклонский
Comment:

The same problem with the cycle tag.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #34514

    • Property Resolutioninvalid
    • Property Status newclosed
    • Property Summary `firstof` tag do not escapes variables defined in `wth` tag`firstof` and `cycle` tags do not escapes variables defined in `wth` tag
  • Ticket #34514 – Description

    initial v4  
    3535Will result in the same not escaped html with XSS.
    3636
     37The same problem with the `cycle` tag:
     38
     39{{{
     40{% with var0="<script>alert('XSS');</script>" %}
     41{% for var2 in list_var %}
     42{% cycle var0 "123" %}
     43{% endfor %}
     44{% endwith %}
     45}}}
     46
     47Where ''list_var'' is just a context-defined list variable.
     48
    3749Related #17906
Back to Top