Template injection vulnerability when using variables inside conditionals #1033

Closed

felipeptcho opened this issue Jul 7, 2023 · 2 comments

@felipeptcho

I opened this issue in the posthtml-expressions repository, but it seems things are a bit slow there. Since this issue directly affects the Maizzle framework, I decided to cross-post it here as well for visibility.

See: posthtml/posthtml-expressions#149

  • Maizzle Version: 4.4.6
  • Node.js Version: 16.20.1
@cossssmin (Member)

Opening one issue in the correct repo should do it, you won’t get help faster if you duplicate it around.

Sometimes things can be slower in open source, yes. You can help speed it up with a pull request :)

cossssmin closed this as not planned on Jul 7, 2023

@felipeptcho (Author)

You are just seeing one side of things. This issue doesn't affect me directly, so my only interest here is to make Maizzle users aware of this big problem. It's not always clear that Maizzle uses posthtml-expressions.

Also, this is a security issue that can be exploited. I think we should be more responsible and give it some visibility, so users can at least use the workaround. It should usually be given higher priority, even in open source projects.

What can be done on the Maizzle side? Having a visible ticket to track the issue is the minimum we can do. An official note, a blog post, or planning to replace posthtml-expressions would be better. :)
