developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 14 years ago

Closed 13 years ago

Last modified 13 years ago

#135 closed bug (fixed)

Constant names are not verified in expressions in jtpl

Reported by: laurentj
Owned by: laurentj
Priority: high
Milestone: Jelix 1.0beta2
Component: jelix:tpl
Version: 1.0 beta1
Severity: critical
Keywords: template security constant
Cc:
Blocked By:
Blocking:
Documentation needed:
Hosting Provider:
Php version:

Description

You can use PHP constants in expressions in a template. This can be a security hole for applications which allow users to upload their own templates. Users can then display PHP constants which could contain technical information (like paths declared in Jelix constants).

Change History (1)

comment:1 Changed 13 years ago by laurentj

  • Resolution set to fixed
  • Status changed from new to closed

fixed in the trunk
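
One way to detect the problem this ticket describes, as an added example (it is not the fix committed to the Jelix trunk, which the ticket does not show): tokenize the template expression with PHP's tokenizer and report every constant reference that is not on an allowlist. The function name, the allowlist parameter and the sample constant names are assumptions made for illustration.

```php
<?php
// Added example (assumes PHP 8+); not code from Jelix or jTpl.

/**
 * Return the constants referenced by a template expression.
 * $allowed is a hypothetical allowlist of constant names templates may read.
 */
function findConstants(string $expr, array $allowed = []): array
{
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $expr . ';'),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $names    = [T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED];
    $magic    = [T_FILE, T_DIR, T_LINE, T_FUNC_C, T_CLASS_C, T_METHOD_C, T_NS_C];
    $member   = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR];
    $literals = ['true', 'false', 'null'];
    $found    = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;                               // punctuation such as '(' or '.'
        }
        [$id, $text] = $tok;
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null;
        $nextId = is_array($next) ? $next[0] : null;
        if (in_array($id, $magic, true)) {
            $found[] = $text;                       // __FILE__, __DIR__, ...
        } elseif (!in_array($id, $names, true) || $next === '('
            || in_array($prevId, $member, true) || $nextId === T_DOUBLE_COLON) {
            continue;                               // not a name, a call, ->prop, or Class::
        } elseif ($prevId === T_DOUBLE_COLON) {
            $found[] = ($tokens[$i - 2][1] ?? '?') . '::' . $text;   // class constant
        } elseif (!in_array(strtolower($text), $literals, true)) {
            $found[] = $text;                       // bare global constant
        }
    }
    return array_values(array_diff(array_unique($found), $allowed));
}

// Constructed sample expressions; the constant names are made up.
foreach (['$price * TAX_RATE', '$user->name . APP_SECRET_PATH', 'count($items) > 0 && true',
          'Config::DB_DSN . __DIR__'] as $expr) {
    $hits = findConstants($expr, ['TAX_RATE']);
    printf("%-32s %s\n", $expr, $hits ? 'REJECT: ' . implode(', ', $hits) : 'ok');
}
```

This check only covers constants written by name; functions that read constants indirectly, such as `constant()` or `get_defined_constants()`, need a separate allowlist of callable functions.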
