EmbedShortcodeProvider templates should hardcode attributes #10718

Closed
emteknetnz opened this issue Mar 6, 2023 · 1 comment

emteknetnz commented Mar 6, 2023

Deprecated code was added for CVE-2022-38724

https://github.com/silverstripe/silverstripe-framework/pull/10583/files#diff-d0d2867af6bff9ad7e4ced04d5491feea4b4efec408b6e96b37e4f5eb46914ecR37

On the original security issue (private) it was said the deprecated code was added for CMS 4 and in CMS 5 the EmbedShortcodeProvider_*.ss templates would hardcode the attributes.

Currently this hasn't been done, e.g. EmbedShortcodeProvider_video.ss is:

  <% loop $Attributes %> {$Name}="{$Value}"<% end_loop %>

We should either:
a) Hardcode attributes in templates and remove deprecated config/code
b) Undeprecate the attribute whitelist

Acceptance Criteria

  • Implement option A - Hardcode attributes in templates and remove deprecated config/code

PRs
