Modify ↓
#11759 closed defect (fixed)
Does not escape HTML for user name.
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Component: | AutocompleteUsersPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Steffen Hoffmann | Trac Release: |
Description
- Enter the user name ([Preferences] - [General] - [Full name]) to
<script>alert(1)</script>. - If autocompleted, alert.
This can use to XSS attack.
Attachments (1)
Change History (10)
Changed 10 years ago by
| Attachment: | autocompleteusersplugin.patch added |
|---|
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
| Status: | new → accepted |
|---|
comment:3 Changed 10 years ago by
As far as I can tell we don't need the change to autocompleteusers/htdocs/js/autocomplete.js in autocompleteusersplugin.patch. The change to autocompleteusers/htdocs/js/format_item.js fixes the issue reported in comment:description. Please let me know if any issues can be reproduced after the forthcoming change.
comment:4 Changed 10 years ago by
| Summary: | Do not escape HTML for user name. → Does not escape HTML for user name. |
|---|
comment:6 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
comment:7 Changed 10 years ago by
| Cc: | Steffen Hoffmann added; anonymous removed |
|---|---|
| Owner: | changed from Ryan J Ollos to uchida_t@… |
Note: See
TracTickets for help on using
tickets.
It works for our trac-1.0.2dev.