Inicio Explorar Axuda
Iniciar sesión
CityApper
/
wagtail
réplica de https://github.com/wagtail/wagtail
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 9a5be8f180
Ramas Etiquetas
wagtail
/
docs
/
releases
/
2.9.3.rst

2.9.3.rst 1.5 KB
Histórico Raw

12345678910111213141516 
  1. ===========================
    2. 

  2. Wagtail 2.9.3 release notes
    3. 

  3. ===========================
    4. 

  4. 

  5. *July 20, 2020*
    6. 

  6. 

  7. CVE-2020-15118: HTML injection through form field help text
    8. 

  8. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    9. 

  9. 

  10. This release addresses an HTML injection vulnerability through help text in the ``wagtail.contrib.forms`` form builder app. When a form page type is made available to Wagtail editors, and the page template is built using Django's standard form rendering helpers such as ``form.as_p`` :ref:`(as directed in the documentation) <form_builder_usage>`, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django (see the docs for :py:attr:`~django.db.models.Field.help_text`); however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.
    11. 

  11. 

  12. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
    13. 

  13. 

  14. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set ``WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True`` in their configuration settings.
    15. 

  15. 

  16. Many thanks to Timothy Bautista for reporting this issue.
    17.