Comments (11)

LostKobrakai commented on May 21, 2024 2

@zxc7528064 commenting again and again won't get you an answer any quicker. Either wait for an answer or, as ryan suggested above, write an email. Generally I'd suggest not having too much hope. I've never seen processwire interact with CVE, nor is this considered a security issue, as explained by ryan previously.

from processwire.

LostKobrakai commented on May 21, 2024 2

It's an error in terms of being unintended.
It's not a security issue though, as you need login credentials to get to that part of processwire. Authenticated users in processwire are trusted. A malicious user should not even get to login to the system in the first place.

> At least you have to reply to respect

You're not entitled to anything here. This is an open source project. People invest whatever they think is right, not what other people think may be right. Also ryan is one of those OSS maintainers who's using GitHub only sparsely. I have PRs which have been open for years and which never did receive a response.

zxc7528064 commented on May 21, 2024 1

@ryancramerdesign

ryancramerdesign commented on May 21, 2024

Thanks @zxc7528064, good find, I've pushed a fix for that to our dev branch. PW's admin is built specifically as a trusted user only environment, so if the goal is to insert markup of any kind like this, then there are several perhaps easier ways to do it from the admin. But those ways are expected and intended as part of the admin functions. And the one you pointed out here is not specifically intended, and worthwhile to fix, thanks for letting me know.

zxc7528064 commented on May 21, 2024

@ryancramerdesign Thank you for your attention to this security issue.

zxc7528064 commented on May 21, 2024

@ryancramerdesign Do you fix the Security issue?

ryancramerdesign commented on May 21, 2024

@zxc7528064 The bug was fixed a few weeks ago, 4-5 minor versions back on our dev branch, and will migrate with many other updates to the master branch on the next major version. Taken in the context of this particular trusted user/admin environment, it does not open any new doors necessary for us to label it a security issue. But I appreciate the time you took to report, it's a good bug fix regardless. I don't actively monitor this part of GitHub, but feel free to email me if you have any questions or comments. Thanks.

zxc7528064 commented on May 21, 2024

@ryancramerdesign
Can I use the Security Issue to apply a CVE Number? @@

zxc7528064 commented on May 21, 2024

@ryancramerdesign Do you receive my information?

zxc7528064 commented on May 21, 2024

@LostKobrakai At least you have to reply to respect. If it’s not an error, then he shouldn’t fix it.

zxc7528064 commented on May 21, 2024

@LostKobrakai I mean at least to reply can I? If not, then I will not force it. This is the basic respect, and I am very grateful for your speech.
