U4-7477 - xss char stripping on data type names is being too agressive

Created by Matt Brailsford 01 Dec 2015, 12:12:11 Updated by Shannon Deminick 05 Jan 2016, 10:38:14

Relates to: U4-7605

Relates to: U4-7461

In the fix for issue U4-7461 code was added to strip any potential XSS attacks, however this stripping is too agressive. Previously you could use [] and () chars to in data type names to help organise your data types, however on added new data types now, these characters get stripped out.

Data types should allow [] () characters, or if these still pose a threat for XSS, then this should at least be made consistent across all editable types in the back office (ie, all other node editors still allow them)


Matt Brailsford 01 Dec 2015, 12:45:52

Looking at the code fix for U4-7461, I'd assume this is also the case for template files

Shannon Deminick 14 Dec 2015, 09:17:53

HI all,

Yes this fix was for some support clients and we can probably undo the aggressive name updates on save so long as we look through all of the code in the core to ensure that anytime any of these names are rendered (in webforms, which is the main problem) that they are html encoded.

Shannon Deminick 16 Dec 2015, 11:57:50

Have allowed for chars for template and data type names/aliases. With the new content type editor the previous xss vulnerabilities are gone from that editor, though I'd like to keep most of these chars from being allowed for these names/aliases anyways.

Shannon Deminick 16 Dec 2015, 11:58:51

PR: https://github.com/umbraco/Umbraco-CMS/pull/959

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 7.3.2, 7.3.3

Due in version: 7.4.0, 7.3.5

Sprint: Sprint 5

Story Points: