Template.pm allows insertion of the current file path in the header or footer page area through the $pathname substitution variable. This path is inserted "as is", without any check for "dangerous" characters such as < > &, allowing arbitrary HTML code insertion through a carefully crafted path.
Presently, no shipping template uses this substitution variable. Moreover, the routine clean_path (called during initialisation) purges from the path name any character outside a very restricted set, so the offending characters are removed before substitution. Consequently, the probability of misbehaving HTML or XSS is very low. However, the restrictions on file names may be relaxed in the future; better to be strict.
Implement a new template-expanding function that HTML-protects the characters < > &.
Note: CVS shows that this potential bug has been present from the beginning (releases 0.8 to 1.2.0!) despite character filtering.
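As an added example (not the project's own Template.pm code), a minimal stand-in for the $pathname substitution: the verbatim insertion the report describes beside an expander that HTML-protects < > & before substituting. The function names, the template text and the crafted path are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the three characters that let a value break out of HTML text content.
# '&' is replaced first so the entities produced below are not re-escaped.
# (A value placed inside an attribute would additionally need '"' handled.)
sub html_protect {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Expansion as described in the report: $pathname is substituted "as is".
sub expand_unsafe {
    my ($template, $pathname) = @_;
    $template =~ s/\$pathname/$pathname/g;
    return $template;
}

# Hardened expansion: the path is HTML-protected, then substituted.
sub expand_safe {
    my ($template, $pathname) = @_;
    my $safe = html_protect($pathname);
    $template =~ s/\$pathname/$safe/g;
    return $template;
}

# Constructed inputs: a header snippet using the substitution variable and a
# path containing the "dangerous" characters (such a path only reaches the
# template if the clean_path filtering mentioned in the report is relaxed).
my $tmpl = '<div class="header">Current file: $pathname</div>';
my $path = 'src/<script>alert(1)</script>.c';

print expand_unsafe($tmpl, $path), "\n";
print expand_safe($tmpl, $path), "\n";
```

The first line printed carries the script element through intact, the second shows it entity-encoded so the browser renders it as text.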