SS-2014-011: Folder filename injection
- Severity: Low
- Identifier: SS-2014-011
- Versions Affected: 3.0.10, 3.1.4, master
- Versions Fixed: 3.0.11, 3.1.5, master
- Release Date: 2014-05-07
When editing files and assets in the CMS it was possible to rename a folder using invalid characters, allowing the resulting filename to be injected directly into the HTML of the page. Although the folder itself would have these invalid characters stripped, the `Title` field of folders would not be cleaned using the same method.
The fix ensures that both the `Name` and the `Title` of Folder objects are cleaned of invalid characters.
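The gap described above, shown as an added PHP sketch that is not SilverStripe's own code: one rename path cleans only `Name`, the other cleans both fields. `cleanName()`, its allowlist, the array-based folder record and `renderRow()` are hypothetical stand-ins, and the input string is a constructed sample.

```php
<?php
// Added illustration; not SilverStripe's code. cleanName() is a hypothetical
// stand-in for the CMS filename filter, and its allowlist is an assumption.
function cleanName(string $raw): string
{
    $clean = preg_replace('/[^A-Za-z0-9._-]+/', '-', $raw);
    $clean = trim($clean, '-.');
    return $clean === '' ? 'new-folder' : $clean;
}

// Behaviour described in the advisory: Name is cleaned, Title is stored raw.
function renameFolderBefore(array $folder, string $input): array
{
    $folder['Name']  = cleanName($input);
    $folder['Title'] = $input;
    return $folder;
}

// Behaviour after the fix: Name and Title go through the same cleaning.
function renameFolderAfter(array $folder, string $input): array
{
    $folder['Name']  = cleanName($input);
    $folder['Title'] = cleanName($input);
    return $folder;
}

// Hypothetical template that writes Title into the page without escaping.
function renderRow(array $folder): string
{
    return '<li class="folder">' . $folder['Title'] . '</li>';
}

// Regression check: a stored Title must already be in cleaned form.
function titleIsClean(array $folder): bool
{
    return $folder['Title'] === cleanName($folder['Title']);
}

$input = 'Reports <b>2014</b>'; // constructed sample input with harmless markup

foreach (['before' => 'renameFolderBefore', 'after' => 'renameFolderAfter'] as $label => $rename) {
    $folder = $rename(['Name' => '', 'Title' => ''], $input);
    printf("%-6s Name=%s clean=%s html=%s\n", $label, $folder['Name'],
        titleIsClean($folder) ? 'yes' : 'no', renderRow($folder));
}
```

A check like `titleIsClean()` can also be run over existing folder records after upgrading to find titles stored before the fix.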