Wed 03 Jun 2009 |
Version 1.5.11 (Finally)
Written by Mark Dexter
Version 1.5.11 has just been released having taken a little longer at the end than we originally planned. The main reason for it was a very large patch for issue # 15736.
This issue in on the borderline between a low-level security fix and a "best-practices" fix. We discovered that there were a lot of places in the layouts where we were not "escaping" certain values during output.
For those of you who are not familiar with this, "escaping" is jargon for using either the PHP "htmlspecialchars" or "htmlentities" commands to convert things like quotes to """, ampersands (&) to "&" and less-than or greater-than (<, >) to "<" and ">". Escaping certain values during output keeps your HTML code valid and, in some cases, can protect you from security attacks.
When reviewing the code for this issue, we discovered that values like section title, category title, author alias, and class suffix were not consistently escaped when displayed in the layouts. So we decided to fix this in all of the layout files. The result was a patch that changes 445 lines of code in over 90 files. As you can imagine, testing this patch was somewhat time-consuming, but we hope the result is a more robust and secure Joomla!.
Among the files affected were virtually all of the override files for the Beez and JA_Purity templates. This includes, for example, files like "templates/beez/html/com_content/category/blog_item.php". If you follow the recommended best-practices, you would not directly modify these files and use them. Instead, you might make a copy of the Beez template, for example, and then modify the override files in the new template.
If you have followed this recommendation, then none of your override files will be directly affected by this upgrade. However, you should review the changes we made to the core layouts and make similar changes to your override files.
However, if you have modified any of the override files in the "templates/beez/html" or "templates/ja_purity/html" folders, these files will most likely be overwritten during the version upgrade. So, you will want to back up these files before installing the upgrade and then restore them afterward. After you restore your modified files, you may want to review the changes we made in the core files and add them to your modified files. Better yet, why not make a copy of the core template (for example, "my_beez") and use the copy in your site. That way, you won't have to worry about this situation in the future.
Version 1.5.11 contains several other low-level security fixes as well as a number of useful bug fixes. Since version 1.5 is now very stable, these fixes are generally more subtle than perhaps some of the fixes in earlier releases. Nevertheless, I encourage you to upgrade to the best Joomla! version yet.
2009-06-03 06:29:07
2009-06-03 08:21:56
2009-06-03 08:23:59
2009-06-03 10:10:08
2009-06-03 10:12:22
2009-06-03 10:14:18
2009-06-03 10:15:06
2009-06-03 13:39:42
I think you will find that HTML entities are classified as an encoding not as a form of escaping. Escaping refers to the use of a prefix to modify the proceeding character (or characters? not sure about that). For example in a SQL query we escape values, e.g. 'fred\'s best bicycle'
At least I think that's right
2009-06-03 14:08:23
2009-06-03 17:17:42
2009-06-04 13:27:25
For those of us who typically build templates from scratch rather than building off the core template set, are there best practices we need to be aware of now?
2009-06-13 13:47:29
I would like to ask the core developers why the author, title, and many other fields are escaped even when the article text is not? And why escaping can't be done for example after DB select, to allow extentions developers to change output without template changes?
2009-07-24 03:19:12