Submitted: 1 May 2013
We discovered an exploitable XSS issue logged against 2.6.1: https://github.com/ushahidi/Ushahidi_Web/issues/1009.
As always, we highly recommend an update to our latest version of the software, which covers these issues.
- Download and unzip the patch file attached to this alert
- Upload the extracted files, replacing your current files in the folders that correspond to those in the patch
- Update your config.php with new config settings: https://wiki.ushahidi.com/display/WIKI/Migrating+to+Ushahidi+2.7#MigratingtoUshahidi2.7-xss-config-settings
If you have a custom theme, update your theme to use new helper functions:
- html::escape($input) - Escape HTML entities. Use this to replace calls to htmlentities()
- html::strip_tags($input, $escape = TRUE) - Strip all tags. Optionally escapes HTML entities too. Replace any use of strip_tags() with this function
- html::clean($input) - Limit HTML tags to a whitelist of allowed elements. Use this on user-submitted data such as report descriptions and titles
You can see all the changes made to the default theme here: https://gist.github.com/rjmackay/5448126
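To illustrate why a theme should switch from bare htmlentities()/strip_tags() to escaping helpers, here is an added, stand-alone PHP example; the SafeHtml class is a hypothetical stand-in written for this note, not Ushahidi's own html:: class, and it covers only the escape and strip-tags cases (the whitelisting done by html::clean is not reproduced). The sample report strings are constructed.

```php
<?php
// Hypothetical stand-in for the two simpler helpers named in the advisory.
// Not Ushahidi's implementation; it shows the behaviour a theme relies on.
final class SafeHtml
{
    // Replacement for a bare htmlentities() call: always ENT_QUOTES + UTF-8,
    // so a value placed inside a single-quoted attribute cannot close the quote.
    public static function escape($input)
    {
        return htmlspecialchars((string) $input, ENT_QUOTES, 'UTF-8');
    }

    // Strip all tags, then (by default) escape what remains: strip_tags() removes
    // markup but leaves text such as quotes, '<' and '&' that can still break HTML.
    public static function strip_tags($input, $escape = true)
    {
        $text = strip_tags((string) $input);
        return $escape ? self::escape($text) : $text;
    }
}

// Constructed sample inputs of the kind a report title or description might carry.
$samples = array(
    "Road blocked <script>alert(1)</script> near market",
    "It's 5 o'clock",
    "Cost < 100 & rising",
);

foreach ($samples as $s) {
    printf("escape     : %s\n", SafeHtml::escape($s));
    printf("strip_tags : %s\n", SafeHtml::strip_tags($s));
    printf("raw strip  : %s\n\n", SafeHtml::strip_tags($s, false));
}

// In a theme template the change is a one-for-one call swap (closing tags omitted here):
//   old: <?php echo htmlentities($report->title)        new: <?php echo html::escape($report->title)
//   old: <?php echo strip_tags($report->description)    new: <?php echo html::strip_tags($report->description)
```

The third output line for each sample shows the unescaped result of strip_tags(), which is the value the old theme code would have emitted; compare it with the second line to see what the $escape default adds.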