Check that printing GET parameters in the JS code is secure #5498
Labels: c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub), Major (indicates the severity, impact or benefit of an issue is much higher than normal but not critical), Task (indicates an issue is neither a feature nor a bug and is purely a "technical" change)
In [source:/trunk/modules/ViewDataTable.php] method `getJavascriptVariablesToSet()` we load GET parameter values and print them in the JavaScript code to "forward" the values to the JavaScript logic (used in the jQuery code).

Is this safe? We use `Piwik_Common::getRequestVar()` to sanitize the value, but is it safe enough? Or could some hijacking/XSS/etc. be possible here?
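The question above is about a JavaScript-context output encoding problem, so here is an added example (written for this page, not Matomo/Piwik code) showing the difference between concatenating request values into a `<script>` block and emitting them as JSON literals with the characters that can break out of the script or string context escaped. The `piwik` object name, the parameter names and the sample values are constructed for the demonstration; `ViewDataTable` itself is not modelled.

```python
import json
import re

# Characters that can end a <script> block or terminate a JS line even when the
# value is valid JSON. They are emitted as \uXXXX escapes, which stay valid in
# both JSON and JavaScript, so the decoded value is unchanged.
_JS_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}

# Only forward parameter names that are valid JS identifiers; anything else is
# rejected rather than interpolated (assumed policy, not Piwik's).
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def js_literal(value):
    """Encode a Python value as a JavaScript literal that is safe inside <script>."""
    encoded = json.dumps(value, ensure_ascii=False)
    for ch, esc in _JS_ESCAPES.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def decodes_back(value):
    """True if the escaped literal still parses to the original value."""
    return json.loads(js_literal(value)) == value


def render_script_naive(params):
    """Insecure pattern: request values concatenated straight into JS source."""
    lines = ["var piwik = {};"]
    for name, value in params.items():
        lines.append("piwik.%s = '%s';" % (name, value))
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def render_script_safe(params):
    """Hardened form: allow-listed names, values emitted via js_literal()."""
    lines = ["var piwik = {};"]
    for name, value in params.items():
        if not _IDENT.fullmatch(name):
            raise ValueError("unexpected parameter name: %r" % name)
        lines.append("piwik.%s = %s;" % (name, js_literal(value)))
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def script_context_intact(html):
    """True if the rendered block contains exactly one </script> closer (the real one)."""
    return len(re.findall(r"</script", html, re.IGNORECASE)) == 1


if __name__ == "__main__":
    # Constructed GET parameters; the "date" value carries a closing tag to
    # show where the naive rendering loses its script context.
    params = {"idSite": "1", "period": "day", "date": "x</script>"}
    print(render_script_naive(params))
    print(render_script_safe(params))
```

The check that matters is `script_context_intact()`: HTML-entity style sanitization of a value is not the same thing as JavaScript-context encoding, and the safe renderer makes the output a JSON literal first and only then escapes the few characters the HTML parser cares about. Forwarding only known parameter names is the other half of the fix.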