Opened 10 years ago

Last modified 9 years ago

#11999 closed defect

Several messages should be escaped in ticketlog.js — at Version 4

Reported by: Jun Omae Owned by: Jun Omae
Priority: normal Component: TracTicketChangelogPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.12

Description (last modified by Jun Omae)

I found XSS vulnerabilities in ticketlog.js.

I'll post a patch for that.

Change History (5)

comment:1 Changed 10 years ago by Ryan J Ollos

Thanks. Please feel free to push changes for this plugin at any time. I made a few attempts to get in touch with richard through tickets some time ago, and then pushed ahead with making changes when there was no reply.

Changed 10 years ago by Jun Omae

Attachment: t11999.diff added

comment:2 Changed 10 years ago by Jun Omae

Owner: changed from Richard Liao to Jun Omae
Status: new → accepted

I just created a patch, t11999.diff. I'll commit it later.

Also, I think we should use display_rev() rather than normalize_rev(), because the raw revision (40 bytes) will be displayed for git and mercurial.

  • tracticketchangelogplugin/1.0/ticketlog/web_ui.py

     
    9494                continue
    9595
    9696            repos = RepositoryManager(self.env).get_repository(repos_name)
    97             rev = repos.normalize_rev(rev)
     97            rev = repos.display_rev(rev)
    9898            link = str(rev)
    9999            if repos_name:
    100100                link += '/%s' % repos_name

comment:3 Changed 10 years ago by Ryan J Ollos

Both patches look good. Should revision.message be escaped on line 52 of the patch?

comment:4 Changed 10 years ago by Jun Omae

Description: modified (diff)

I misunderstood that. revision.message shouldn't be escaped. The output of format_to_oneliner() is stored in it at tracticketchangelogplugin/0.12/ticketlog/web_ui.py@14192:204#L190.
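The rule the ticket settles on is that raw fields coming from the server (author, revision id) must be HTML-escaped before being placed into the page, while revision.message must not be escaped a second time because it already holds HTML produced by format_to_oneliner(). The following is an added illustration of that split, not code from ticketlog.js or the plugin; the entry field names (rev, display_rev, author, message), the changeset URL shape and the sample data are all assumptions constructed for the example.

```javascript
// Added example (not the plugin's code): render one ticket changelog row.
// Raw text fields are escaped; `message` is assumed to already be HTML from
// the server-side format_to_oneliner(), so it is inserted as-is. Escaping it
// again would show the anchor markup literally instead of rendering a link.

function escapeHtml(s) {
  // Escape '&' first so the entities produced below are not re-escaped.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// entry.rev and entry.display_rev: full and shortened revision ids (raw text)
// entry.author: raw text
// entry.message: pre-rendered HTML (trusted only because the server built it)
// All field names are assumed for this example.
function renderChangelogRow(entry) {
  return '<tr>' +
    '<td><a href="' + escapeHtml('changeset/' + entry.rev) + '">' +
      escapeHtml(entry.display_rev) + '</a></td>' +
    '<td>' + escapeHtml(entry.author) + '</td>' +
    '<td>' + entry.message + '</td>' +
    '</tr>';
}

// Constructed sample: a hostile author string next to a legitimate
// pre-rendered message, so the two treatments are visible side by side.
const sampleEntry = {
  rev: '0123456789abcdef0123456789abcdef01234567',
  display_rev: '0123456789',
  author: 'Mallory <script>x</script>',
  message: 'Fix <a class="closed ticket" href="/ticket/11999">#11999</a>'
};

// When the row is built with jQuery instead of string concatenation, the same
// split is: .text(author) for raw fields, .html(message) for the pre-rendered one.
```

In the rendered row the author cell contains `&lt;script&gt;` (inert text), while the message cell keeps its `<a>` element, which is exactly the behaviour comment:4 describes.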
