Does not escape HTML for user name.
| Reported by: | uchida_t@… | Owned by: | uchida_t@… |
- Set the user name ([Preferences] - [General] - [Full name]) to <script>alert(1)</script>.
- If it is autocompleted, an alert appears.
This can be used for an XSS attack.
Change History (9)
Changed 2 months ago by uchida_t@…
comment:4 Changed 7 weeks ago by rjollos
- Summary changed from Do not escape HTML for user name. to Does not escape HTML for user name.
comment:6 Changed 7 weeks ago by rjollos
- Resolution set to fixed
- Status changed from accepted to closed
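
The class of bug reported here, shown as an added example; it is not the plugin's code or the change that closed this ticket. It puts a suggestion renderer that concatenates the full name into markup beside one that escapes each user-controlled segment before adding highlight markup. The function names, the record shape and the `<strong>` highlighting are assumptions.

```javascript
// Added example: all names below are hypothetical, not taken from the plugin.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the full name is concatenated into markup as-is,
// so a name containing tags becomes live HTML in the suggestion list.
function renderSuggestionUnsafe(user) {
  return '<li>' + user.username + ' (' + user.fullName + ')</li>';
}

// Hardened form: split the value around the typed text, escape every
// segment separately, then wrap the already-escaped match in <strong>.
// Escaping after highlighting would destroy the <strong> tags; highlighting
// unescaped text would let the name's own tags through.
function renderSuggestionSafe(user, typed) {
  const highlight = (value) => {
    const idx = typed ? value.indexOf(typed) : -1;
    if (idx < 0) return escapeHtml(value);
    const end = idx + typed.length;
    return escapeHtml(value.slice(0, idx)) +
      '<strong>' + escapeHtml(value.slice(idx, end)) + '</strong>' +
      escapeHtml(value.slice(end));
  };
  return '<li>' + highlight(user.username) + ' (' + highlight(user.fullName) + ')</li>';
}

// Constructed sample record using the full name from the ticket description.
const sampleUser = { username: 'alice', fullName: '<script>alert(1)</script>' };

console.log(renderSuggestionUnsafe(sampleUser));
console.log(renderSuggestionSafe(sampleUser, 'al'));
```

Where the list is built through the DOM instead of HTML strings, assigning the name to `textContent` achieves the same result without a hand-written escaper.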