security(critical): XSS in offline.php - unescaped button URL #31
Open
opened 2026-05-23 23:06:17 +00:00 by jmiller
·
0 comments
Labels
Clear labels
automation
breaking-change
bug
build
ci-cd
config
css
dependencies
deploy-failure
docker
documentation
dolibarr
duplicate
enhancement
generic
good first issue
health-check
health: excellent
health: fair
health: good
health: poor
help wanted
html
invalid
javascript
joomla
major-release
minor-release
mokostandards
needs-review
needs-testing
patch-release
php
priority: critical
priority: high
priority: low
priority: medium
push-failure
python
question
regression
release-candidate
security
size/l
size/m
size/s
size/xl
size/xs
size/xxl
standards-drift
standards-update
standards-violation
status: blocked
status: in-progress
status: needs-review
status: on-hold
status: pending
status: wontfix
sync-failure
sync-report
template-validation-failure
test-failure
tests
type: bug
type: chore
type: enhancement
type: feature
type: refactor
type: release
type: test
type: version
typescript
version
version-branch
version-drift
wontfix
work-in-progress
bug
chore
documentation
enhancement
feature
pending: dependency
pending: deployment
pending: design
pending: documentation
pending: feedback
pending: review
pending: testing
priority: critical
priority: high
priority: low
priority: medium
refactor
roadmap
scope: client
scope: dolibarr
scope: infrastructure
scope: joomla
scope: waas
security
status: blocked
status: duplicate
status: in-progress
status: needs-review
status: wontfix
Automated processes or scripts
Breaking API or functionality change
Something isn't working
Build system changes
CI/CD pipeline changes
Configuration file changes
CSS/styling changes
Dependency updates
Automated deploy failure tracking
Docker configuration changes
Documentation changes
Dolibarr module or extension
This issue or pull request already exists
New feature or request
Generic project or library
Good for newcomers
Repository health check results
Health score 90-100
Health score 50-69
Health score 70-89
Health score below 50
Extra attention is needed
HTML template changes
This doesn't seem right
JavaScript code changes
Joomla extension or component
Major version release (breaking changes)
Minor version release (XX.YY.00)
MokoStandards compliance
Awaiting code review
Requires manual or automated testing
Patch version release (XX.YY.ZZ)
PHP code changes
Critical priority, must be addressed immediately
High priority
Low priority
Medium priority
File push failure requiring attention
Python code changes
Further information is requested
Regression from a previous working state
Release candidate build
Security-related changes
Large change (101-300 lines)
Medium change (31-100 lines)
Small change (11-30 lines)
Extra large change (301-1000 lines)
Extra small change (1-10 lines)
Extremely large change (1000+ lines)
Repository drifted from MokoStandards
MokoStandards sync update
Standards compliance failure
Blocked by another issue or dependency
Currently being worked on
Awaiting code review
Temporarily on hold
Pending action or decision
This will not be worked on
Bulk sync failure requiring attention
Bulk sync run report
Template workflow validation failure
Automated test failure
Test suite changes
Something isn't working
Maintenance tasks
Enhancement to existing feature
New feature or request
Code refactoring
Release preparation or tracking
Test suite additions or changes
Version-related change
TypeScript code changes
Version bump or release
Version branch related
Version mismatch detected
This will not be worked on
Work in progress, not ready for merge
Something is not working
Maintenance and housekeeping
Documentation improvements
Improvement to existing functionality
New feature or request
Blocked by another issue or external dependency
Tested and approved, awaiting deployment to production
Needs UI/UX or architecture design before implementation
Feature works, needs documentation/wiki update
Awaiting feedback or decision from stakeholder
Implementation complete, awaiting code review
Feature implemented but not yet tested
Must fix immediately
Should fix soon
Nice to have
Fix when convenient
Code restructuring without behavior change
Planned feature or enhancement tracked on the roadmap
Client-specific work
Dolibarr modules and customizations
Server, CI, backups, monitoring
Joomla templates and extensions
MokoWaaS platform
Security vulnerability or hardening
Waiting on external dependency
Duplicate of another issue
Being worked on
Ready for review
Will not be addressed
No labels
Milestone
No items
No Milestone
Assignees
jmiller (Jonathan Miller)
Clear assignees
jmiller (Jonathan Miller)
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: MokoConsulting/MokoJoomHero#31
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
offline.php line 124 outputs $button[url] directly into an href attribute without htmlspecialchars(). A malicious auth plugin could inject a javascript: URI. The label on the next line IS escaped, making this an oversight.