Minor Plone Security Fixes

The Plone Security Team has released new versions of several packages. These new versions remedy several security-related issues, none of which were significant enough to warrant a full security hot fix.

Please see the full news item

Can we please have ticket numbers and/or commit ids for these security fixes? I'd like to audit Ploneintranet for e.g. the Select2 XSS without having to wade through the full Products.CMFPlone commit history.


I was reviewing these commits yesterday and found most of the time the issue was caused by simple operations that could be considered harmless sometimes, like using the structure directive while rendering the value of a field on a template.

Do you have a good checklist of things to avoid while writing add-ons?

Also, what tool do you recommend for this kind of audit?

Thank you for maintaining Plone as the most secure Open Source CMS of the known universe!

For a big customer I worked with, it was usual to perform automated testing that filled forms with SQL injection patterns (the tool was platform independent) and XSS attacks.
In that way we found and reported some issues on Plone add-ons.

Unluckily I don't remember which tool he was using, but I think that trying to fill forms with XSS patterns instead of "lorem ipsum" may help. If an add-on uses Robot Framework testing this may also be easy.

For one, don't use structure. Use chameleon's Markup helper.
Whenever you use the template, it will always escape passed-in data, except when you explicitly mark a string as Markup.

from chameleon.utils import Markup
from Products.Five.browser import BrowserView

class MyView(BrowserView):
    # Wrapped in Markup, so the template inserts it unescaped without needing "structure"
    blink_for_me = Markup('<blink>Tada!</blink>')

http://glicksoftware.com/blog/chameleon-tricks

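An added illustration (not from the post above and not Chameleon's own code) of the mechanism this advice relies on: the renderer escapes every value unless it carries an `__html__` method, which `Markup` provides, whereas `structure` skips escaping entirely. A minimal stand-in renderer plays the role of Chameleon here, and the field values are constructed for the example.

```python
import html


class Markup(str):
    """A string the template engine treats as already-safe HTML.

    Mirrors the protocol chameleon.utils.Markup (and MarkupSafe) use:
    the engine looks for an ``__html__`` method and, when present,
    inserts the value verbatim. Everything else is escaped.
    """

    def __html__(self):
        return self


def escape_for_html(value):
    """Escape a value the way a template engine does by default."""
    if hasattr(value, "__html__"):
        return value.__html__()  # trusted: inserted verbatim
    return html.escape(str(value), quote=True)  # untrusted: escaped


# Constructed field values for this example (hypothetical, not from the page).
USER_COMMENT = '<script>alert("xss")</script>'  # attacker-controlled form input
BLINK = Markup('<blink>Tada!</blink>')  # developer-authored, trusted markup


def render_with_structure(value):
    """What ``tal:content="structure view/value"`` does: no escaping at all."""
    return '<p>%s</p>' % value


def render_default(value):
    """What ``tal:content="view/value"`` does: escape unless value has __html__."""
    return '<p>%s</p>' % escape_for_html(value)


if __name__ == "__main__":
    # structure lets the user-supplied script through unchanged
    print(render_with_structure(USER_COMMENT))
    # the default path neutralises it, while Markup still renders raw
    print(render_default(USER_COMMENT))
    print(render_default(BLINK))
```

Note that `Markup(USER_COMMENT)` would be rendered raw too: wrapping is an assertion by the developer that the string is trusted, so apply it only to markup you authored, never to data that came from a request.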

@hvelarde I've added a PR to the plone docs for some info to help out developers: https://github.com/plone/documentation/pull/661
