1.6.4 security alert for layout override files

From Joomla! Documentation

This Page is a Candidate for Deletion

This page is a candidate for deletion. The given reason is: This page is orphaned and the information is no longer current.

This notice should remain for a minimum of 1 week after it was placed on the page. If discussion is still ongoing, it should remain until a consensus is reached, after which the page will either be deleted or this notice removed. If you disagree with its deletion, please discuss your reasons on its associated talk page, as applicable.

Remember to check if anything links here and the page history before deleting.

Last edit by Jennymac (talk · contrib) · Last edited on Sat, 17 Oct 2020 01:05:17 +0000

In version 1.6.4 a security fix was made to a number of layout files, specifically those for category lists for articles, weblinks, newsfeeds and contacts and the featured contact list. If you are using layout overrides for these you should ensure that you make the same changes are made in your template (if the same issue is present). Overrides are found in the html folder of your template. You may also wish to check layout files for extensions for the same issue since the core layouts are sometimes used as models.

The change made is to replace JfilterOutput::ampReplace with htmlspecialchars. The following files should be changed:

  • components/com_contact/views/category/tmpl/default_items.php
  • components/com_contact/views/featured/tmpl/default_items.php
  • components/com_content/views/category/tmpl/default_articles.php
  • components/com_newsfeeds/views/category/tmpl/default_items.php
  • components/com_weblinks/views/category/tmpl/default_items.php

This change should also be made to the override found in the beez5 template

  • templates/beez5/com_content/category/default_articles.php