Security risk of ActionParsQuoting

[DotMG]

See  http://wikkawiki.org/ActionParsQuoting By allowing a single quote to be used to delimit action parameters, we create a security hole because most of action-scripts are expecting that no double-quote can be present in parameters. For example, on actions/color.php, the code color c='white"></span><script.../><span style="display:none', passed thru echo "<span style=\"color: $colorcode\">".$mytext."</span>"; will lead to code <span style="color: '''white"></span><script.../><span style="display:none'''"></span>

All action-scripts should be secured before ActionParsQuoting integrated into new version, so I don't put milestone or version here as I don't exactly know when this beta feature is planned to be patched.

Tags: TagCanBeClosed

[DotMG]

But after taking a look in 1.1.6.0 searching for actions that would be really unsafe, only color.php remains in the list. Other files use either ReturnSafeHtml() at the end (case of table.php), or htmlspecialchars_ent and clean_Url.

[BrianKoontz]

Bumped to milestone 1.1.7 so as not to get lost...

[DotMG]

It is actually an invalid ticket, but it is a reminder of possible future problems with new actions.

[NilsLindenberg]

For this I have removed the milestone. But we better leave it open.

[DarTar]

Then, if this issue is only a minor issue affecting the {{color}} action, I suggest we change the description accordingly (so it can be used correctly as a bugfix), refer to the changeset where it was fixed, and move any other, more general issue to a new ticket.

[JavaWoman]

Changing component to actions - it's not related to any 3rd party components we include.