Created by Claus Jensen 01 Nov 2016, 10:54:49 Updated by Arnold Visser 08 Dec 2016, 13:03:19
The grid currently doesn't do input validation for the default configuration option "class".
This allows an editor to inject a script anywhere he has access to edit content using the default grid renderer. Tricking a logged-in administrator into visiting the compromised page then allows any action in the backoffice to be performed on behalf of the administrator (such as escalating access permissions for another user).
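The underlying defect is a configuration value (the grid's "class" option) being written into an HTML attribute without validation or encoding. The following is an added illustration of the two defensive layers a renderer wants here, an allowlist check on the value plus attribute encoding at output. It is hypothetical helper code written for this note, not Umbraco's own fix (that lives in the commit linked below); the class, method and sample values are all assumptions.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper, not part of Umbraco: guards a grid "class" config value
// before it is emitted into an HTML class attribute by a renderer template.
public static class GridClassGuard
{
    // Allowlist: one or more CSS identifiers (letters, digits, '-' and '_') separated by single spaces.
    // Anything else (quotes, angle brackets, '=', '/', ...) cannot be a plain class list and is rejected.
    private static readonly Regex CssClassList =
        new Regex(@"^[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*$", RegexOptions.Compiled);

    // Layer 1 (validation): return the trimmed value if it is a plain class list, otherwise an empty string.
    public static string SanitizeClass(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return string.Empty;
        var trimmed = value.Trim();
        return CssClassList.IsMatch(trimmed) ? trimmed : string.Empty;
    }

    // Layer 2 (output encoding): even a value that passed validation is HTML-encoded when rendered,
    // so a future change to the allowlist cannot silently reintroduce attribute breakout.
    public static string RenderOpenTag(string cssClass)
    {
        var safeClass = WebUtility.HtmlEncode(SanitizeClass(cssClass));
        return "<div class=\"" + safeClass + "\">";
    }

    public static void Main()
    {
        // Constructed sample values for the demonstration, not taken from the issue.
        Console.WriteLine(RenderOpenTag("col-md-6 my-section")); // <div class="col-md-6 my-section">
        Console.WriteLine(RenderOpenTag("col-md-6\"><b>"));      // <div class="">  (rejected by the allowlist)
        Console.WriteLine(RenderOpenTag("   "));                 // <div class="">  (blank is treated as absent)
    }
}
```

The point of keeping both layers is that validation decides what an editor may store, while encoding makes the rendering step safe regardless of what reached it; a Razor view that uses `@` output encoding already gives the second layer, which is why the issue notes the extra check there is belt-and-braces rather than strictly required.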
Found a few more places where it could be a problem... fixed those too.
Note: this one ''really'' isn't necessary, since the razor renderer takes care of it, but then again... it doesn't really hurt to be completely sure and also shows good practice if anyone is using the templates as base for something else where the razor renderer checks are worked around. https://github.com/umbraco/Umbraco-CMS/commit/8bb069e996a452b2dd4fa016bca32c3ec6d933cc#diff-3215c52199fb2398f586f17d71066e82R19
Note 2: decided to make this one public as it will allow other people to use it without having to implement something from scratch... no need to keep this internal ;) https://github.com/umbraco/Umbraco-CMS/commit/8bb069e996a452b2dd4fa016bca32c3ec6d933cc#diff-8aba4e505340b4949bce3c75076b8fedR187
Left some comments for you to look at on the PR!
Updated pr with changes from comments :)
@claus @sebastiaan this seems to be causing unwanted (breaking) side effects: http://issues.umbraco.org/issue/U4-9262
Backwards Compatible: True
Affected versions: 7.2.0, 7.3.0, 7.4.0, 7.5.3, 7.5.4
Due in version: 7.5.5
Sprint: Sprint 46
Story Points: 1