Details
- Bug
- Resolution: Fixed
- Blocker
- 15.9-rc-1
- Unit
- Unknown
- N/A
- N/A
Description

Steps to reproduce:
1. As a user without script right, create a page with content:
   {{content source="string:{{velocity~}~}Evil content{{/velocity~}~}"}}{{/content}}
2. As an admin user, edit the page.

Expected result:
There is a warning about the "Evil content" script.

Actual result:
There is no warning and after saving or after inserting a macro in the WYSIWYG editor, the "Evil content" script is executed.

Additionally, the syntax that is specified in the syntax parameter isn't taken into consideration when analyzing the content macro's content.
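
The gap described above can be shown with a simplified scanner. This is an added example, not XWiki's analyzer code: it compares a check that only looks at top-level macro names with one that also unescapes and analyzes the content macro's `source="string:..."` parameter. The function names, the regexes and the short list of script macros are assumptions, and `~` is treated as escaping the next character, as the reproduction string relies on.

```python
import re

# Assumption: illustrative subset of macros that require script right.
SCRIPT_MACROS = {"velocity", "groovy", "python"}

# Opening macro tag with optional name="value" parameters; inside a value,
# "~x" is an escaped character, so "~}" does not close the macro.
MACRO_OPEN = re.compile(r'\{\{(\w+)((?:\s+\w+="(?:[^"~]|~.)*")*)\s*/?\}\}')
PARAM = re.compile(r'(\w+)="((?:[^"~]|~.)*)"')

# Reproduction content from the issue description.
REPRO = r'{{content source="string:{{velocity~}~}Evil content{{/velocity~}~}"}}{{/content}}'


def unescape(value):
    """Undo ~ escaping: '~x' becomes 'x' (so '~~' becomes '~')."""
    return re.sub(r"~(.)", r"\1", value, flags=re.S)


def naive_scan(content):
    """Flawed check: only looks at the names of top-level macros."""
    return [m.group(1) for m in MACRO_OPEN.finditer(content)
            if m.group(1) in SCRIPT_MACROS]


def find_script_macros(content, depth=0, max_depth=5):
    """Return (macro name, nesting depth) for every script macro, including
    ones hidden inside a content macro's source="string:..." parameter."""
    findings = []
    if depth > max_depth:
        return findings
    for m in MACRO_OPEN.finditer(content):
        name = m.group(1)
        params = dict(PARAM.findall(m.group(2)))
        if name in SCRIPT_MACROS:
            findings.append((name, depth))
        elif name == "content":
            source = unescape(params.get("source", ""))
            if source.startswith("string:"):
                # The parameter value is itself wiki content: analyze it too.
                nested = source[len("string:"):]
                findings += find_script_macros(nested, depth + 1, max_depth)
    return findings


if __name__ == "__main__":
    print("naive:", naive_scan(REPRO))            # misses the nested macro
    print("nested:", find_script_macros(REPRO))   # reports it at depth 1
```

A warning shown to the admin editor would be driven by a non-empty result from the second function when the page's last author lacks script right.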