CVE-2023-3822: Fix Xss in the link Editable · pimcore/pimcore@d75888a
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.
@@ -97,10 +97,10 @@ pimcore.document.editables.link = Class.create(pimcore.document.editable, {
} else if (this.data.path) {
text = this.data.path;
}
let displayHtml = Ext.util.Format.htmlEncode(text);
if (this.data.path || this.data.anchor || this.data.parameters) {
let fullpath = this.data.path + (this.data.parameters ? ‘?’ + Ext.util.Format.htmlEncode(this.data.parameters) : ‘’) + (this.data.anchor ? ‘#’ + Ext.util.Format.htmlEncode(this.data.anchor) : ‘’);
let displayHtml = Ext.util.Format.htmlEncode(text);
if (this.config.textPrefix !== undefined) {
displayHtml = this.config.textPrefix + displayHtml;
}
@@ -110,7 +110,7 @@ pimcore.document.editables.link = Class.create(pimcore.document.editable, {
return ‘<a href="’ + fullpath + ‘" class="’ + this.config[“class”] + ' ' + Ext.util.Format.htmlEncode(this.data[“class”]) + ‘">’ + displayHtml + '</a>’;
}
return text;
return displayHtml;
},
save: function () {
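Review bot: In the first hunk, `this.data.path` is concatenated into `fullpath` without `Ext.util.Format.htmlEncode`, while the `parameters` and `anchor` parts on the same line are encoded, and `fullpath` then lands inside the `href="…"` attribute in the second hunk; a path value containing `"` would still close the attribute, so the same treatment should be applied: `let fullpath = Ext.util.Format.htmlEncode(this.data.path) + (this.data.parameters ? '?' + Ext.util.Format.htmlEncode(this.data.parameters) : '') + (this.data.anchor ? '#' + Ext.util.Format.htmlEncode(this.data.anchor) : '');`. Whether a path can carry such characters depends on server-side validation that is not visible here, so this is a defence-in-depth point rather than a confirmed bypass. In the second hunk `this.config["class"]` is inserted into the `class` attribute raw while `this.data["class"]` is encoded; if `config` is template-authored that is developer-controlled input, but encoding it too would make the attribute handling uniform and avoid the literal `undefined` when the key is absent. The enclosing method begins before the first hunk and the `save` method continues past the second, and the hunk headers count more lines than are shown, so some context appears collapsed.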