Created by Matt Brailsford 01 Dec 2015, 12:12:11 Updated by Shannon Deminick 05 Jan 2016, 10:38:14
Relates to: U4-7605
Relates to: U4-7461
In the fix for issue U4-7461 code was added to strip any potential XSS attacks, however this stripping is too aggressive. Previously you could use  and () chars in data type names to help organise your data types, however on adding new data types now, these characters get stripped out.
Data types should allow  () characters, or if these still pose a threat for XSS, then this should at least be made consistent across all editable types in the back office (i.e., all other node editors still allow them).
Looking at the code fix for U4-7461, I'd assume this is also the case for template files
Yes, this fix was for some support clients and we can probably undo the aggressive name updates on save so long as we look through all of the code in the core to ensure that anytime any of these names are rendered (in webforms, which is the main problem) that they are HTML encoded.
Have allowed for chars for template and data type names/aliases. With the new content type editor the previous XSS vulnerabilities are gone from that editor, though I'd like to keep most of these chars from being allowed for these names/aliases anyways.
Backwards Compatible: True
Affected versions: 7.3.2, 7.3.3
Due in version: 7.4.0, 7.3.5
Sprint: Sprint 5
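
The trade-off discussed in this thread (stripping characters from names on save versus HTML-encoding names wherever they are rendered), as an added example that is not Umbraco's code. The stripped character set, the `StripOnSave` and `RenderOption` helpers and the sample names are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

public static class NameRendering
{
    // Hypothetical character set for illustration; not the list used by the U4-7461 fix.
    private static readonly char[] Stripped = { '<', '>', '(', ')', '[', ']', '"', '\'', '&' };

    // Strip on save: the stored name is permanently altered, so harmless
    // organisational characters such as () are lost along with markup.
    public static string StripOnSave(string name) =>
        new string(name.Where(c => !Stripped.Contains(c)).ToArray());

    // Encode on render: the stored name is untouched; characters that are
    // significant in HTML become entities at the point of output.
    // HtmlEncode also covers quotes, so the same call is safe inside a
    // double-quoted attribute value.
    public static string RenderOption(string id, string name) =>
        "<option value=\"" + WebUtility.HtmlEncode(id) + "\">"
        + WebUtility.HtmlEncode(name) + "</option>";

    public static void Main()
    {
        // Constructed sample names: one legitimate, one carrying markup.
        string[] names =
        {
            "Textbox (Short) [Content]",
            "<script>alert(1)</script>"
        };

        foreach (var name in names)
        {
            string encoded = WebUtility.HtmlEncode(name);

            Console.WriteLine("input          : " + name);
            Console.WriteLine("strip on save  : " + StripOnSave(name));
            Console.WriteLine("encode on render: " + RenderOption("dt-1", name));

            // Encoding is lossless: decoding the rendered text gives back the
            // exact stored name, which stripping cannot do.
            Console.WriteLine("round-trips    : " + (WebUtility.HtmlDecode(encoded) == name));
            Console.WriteLine();
        }
    }
}
```

Encoding only protects the output paths that actually call it, which is why the comment above makes the change conditional on auditing every place in the core where these names are rendered.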