|
|
@@ -730,7 +730,24 @@ note. Do not delete entries — they're history.
|
|
|
|
|
|
### R01-N21 — Trusted Twig auto-escape is the only XSS guard
|
|
|
- **Severity**: MEDIUM (audit recommendation).
|
|
|
-- **Status**: open.
|
|
|
+- **Status**: fixed-in-`00bcf73` — went with the audit's two-test
|
|
|
+ recommendation. New `tests/Http/TwigAutoescapeTest.php` (3 cases,
|
|
|
+ 23 assertions). *Behaviour pin:* renders a known XSS payload
|
|
|
+ through a synthetic Twig template using the same `View` env the
|
|
|
+ controllers use and asserts `<script>` does NOT survive the
|
|
|
+ render (`<script>` does), so a future flip of `View`'s
|
|
|
+ `autoescape` setting from `'html'` to anything else fails loudly.
|
|
|
+ A second case pins attribute-context double-quote escaping
|
|
|
+ (`title="…"` → `"`). *Static guard:* walks every `.twig`
|
|
|
+ file under `views/` and fails if any line carries
|
|
|
+ `|\s*(raw|safe)` or `{%\s*autoescape`. Verified end-to-end by
|
|
|
+ temporarily appending `{{ "x"|raw }}` to `home.twig` — the test
|
|
|
+ reported the exact `path:line` of the offence with a remediation
|
|
|
+ hint. No production code changed; the guards live entirely in
|
|
|
+ the test suite. Today's scan: 0 offences across all `.twig`
|
|
|
+ files. Tests: 305 / 814 (was 302 / 791). The audit's optional
|
|
|
+ CI grep step is subsumed by this PHPUnit case (we already run
|
|
|
+ the suite on every change), so no separate grep stanza needed.
|
|
|
- **Where**: `src/Http/View.php` line 30 (`autoescape => 'html'`); various
|
|
|
views.
|
|
|
- **What**: All user-supplied strings (sprint name, task title, task
|
|
|
@@ -990,7 +1007,9 @@ A reasonable cadence (do not treat as binding):
|
|
|
`f59f368`.
|
|
|
19. ~~**R01-N20** (Response::redirect contract)~~ — fixed in
|
|
|
`f1aa924`.
|
|
|
-20. The rest as time permits.
|
|
|
+20. ~~**R01-N21** (Twig autoescape pin + static |raw guard)~~ —
|
|
|
+ fixed in `00bcf73`.
|
|
|
+21. The rest as time permits.
|
|
|
|
|
|
Each fix should ship as its own commit per SPEC.md §14, with a follow-up
|
|
|
SPEC update if behaviour or config surface changes.
|
chiappa