#11759 closed defect (fixed)
Does not escape HTML for user name.
Reported by: | | Owned by: |
---|---|---|---
Priority: | normal | Component: | AutocompleteUsersPlugin
Severity: | normal | Keywords: |
Cc: | Steffen Hoffmann | Trac Release: |
Description
- Enter the user name ([Preferences] - [General] - [Full name]) to <script>alert(1)</script>.
- If autocompleted, alert.

This can be used for an XSS attack.
Attachments (1)
Change History (10)
Changed 10 years ago by
Attachment: | autocompleteusersplugin.patch added
---|---
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
Status: | new → accepted
---|---
comment:3 Changed 10 years ago by
As far as I can tell we don't need the change to autocompleteusers/htdocs/js/autocomplete.js in autocompleteusersplugin.patch. The change to autocompleteusers/htdocs/js/format_item.js fixes the issue reported in comment:description. Please let me know if any issues can be reproduced after the forthcoming change.
comment:4 Changed 10 years ago by
Summary: | Do not escape HTML for user name. → Does not escape HTML for user name.
---|---
comment:6 Changed 10 years ago by
Resolution: | → fixed
---|---
Status: | accepted → closed
comment:7 Changed 10 years ago by
Cc: | Steffen Hoffmann added; anonymous removed
---|---
Owner: | changed from Ryan J Ollos to uchida_t@…
It works for our trac-1.0.2dev.