harmen/hypha
1
0
Fork 0
Code Issues 142 Pull requests 4 Projects Releases Packages Wiki Activity

Apply xpath encoding where needed #263

New issue
Open
opened 2019-07-09 11:38:02 +00:00 by matthijskooijman · 0 comments
matthijskooijman commented 2019-07-09 11:38:02 +00:00 (Migrated from github.com)
Copy link

We occasionally use xpath queries in the code, inserting arbitrary (or even user-controlled) strings into the queries. To prevent issues with special characters (quotes in particular) and security problems, these strings should be encoded before inserting into xpath.

There is an encoding function available in this PR, but we should probably go over the code at some point to doublecheck every xpath query uses it when needed.

We occasionally use xpath queries in the code, inserting arbitrary (or even user-controlled) strings into the queries. To prevent issues with special characters (quotes in particular) and security problems, these strings should be encoded before inserting into xpath. There is an encoding function available [in this PR](https://github.com/PlanBCode/hypha/pull/229/commits/12973e426c8cbd88d2c3d6c3540be6be0413f28e), but we should probably go over the code at some point to doublecheck every xpath query uses it when needed.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
hypha-117
combined
Render-links-in-article-comments
base64-subject
hypha-119
festival-translation
Issue/66-paste-from-word
issue/306-Install-new-hypha-fail
datatype-tag_list
testtranslation
clarify-comment-rules
wymeditor-css
newtext-more
newtextservicemethods
pr219
searchfunctie
default_datatype
koppelting
No results found.
Labels
Clear labels   
Component: User interface

   
Component: Wymeditor

   
Help wanted

   
Level: Difficult

Structural changes, need discussion

  
Level: Easy

Under 4 hours of work

  
Level: Moderate

Under 16 hours of work

  
Pagetype: Festival

   
Pagetype: Mailinglist

   
Pagetype: Peer reviewed article

   
Pagetype: Text

   
Privacy GDPR AVG

   
status: has conflicts

   
Status: Needs changes

   
Status: Needs discussion

   
Status: Needs review

   
Status: Ready to merge

   
Status: Waiting for response

   
Type: Bug

   
Type: Enhancement

   
Type: Question

   
Usecase: De Stadsbron

   
Usecase: Koppelting

   
Usecase: MeetjeStad

   
Value: Coders

Enhancement of codebase, API, documentation

  
Value: Security

   
Value: Users

Improve user experience, add new features

  
Value: Visitors

Improve navigation, styling

No labels
Component: User interface
Component: Wymeditor
Help wanted
Level: Difficult
Level: Easy
Level: Moderate
Pagetype: Festival
Pagetype: Mailinglist
Pagetype: Peer reviewed article
Pagetype: Text
Privacy GDPR AVG
status: has conflicts
Status: Needs changes
Status: Needs discussion
Status: Needs review
Status: Ready to merge
Status: Waiting for response
Type: Bug
Type: Enhancement
Type: Question
Usecase: De Stadsbron
Usecase: Koppelting
Usecase: MeetjeStad
Value: Coders
Value: Security
Value: Users
Value: Visitors
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
harmen/hypha#263
No description provided.