kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2026-06-09 03:44:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
fa6c12359510c4a26e26e1decd7f616a1231d52b
firefly-iii/resources
History
iaohkut fa6c123595 Fix stored XSS in ALE view by HTML-escaping piggy bank name 
The Twig template ale.twig rendered the piggy bank name from
AuditLogEntry.after.piggy using |raw, bypassing auto-escaping.
A user-controlled name containing HTML (e.g. <img onerror=...>)
would execute as JavaScript in any browser viewing the transaction
audit log (CWE-79).

Apply |e filter to escape only the user-controlled `name` parameter
before substitution into the trans() string. The |raw filter is
preserved because the `amount` parameter legitimately contains
<span> tags for currency styling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 11:07:57 -04:00
..
assets
Bump @babel/plugin-transform-modules-systemjs
2026-05-09 05:54:10 +00:00
lang
🤖 Auto commit for release 'develop' on 2026-04-24
2026-04-24 05:57:09 +02:00
locales
Add locale files
2025-08-04 20:17:11 +02:00
stubs
views
Fix stored XSS in ALE view by HTML-escaping piggy bank name
2026-05-20 11:07:57 -04:00