Does not escape HTML for user name.
|Reported by:||uchida_t@…||Owned by:||uchida_t@…|
- Enter the user name ([Preferences] - [General] - [Full name]) to <script>alert(1)</script>.
- If autocompleted, alert.
This can use to XSS attack.
Change History (10)
Changed 2 years ago by uchida_t@…
comment:4 Changed 2 years ago by rjollos
- Summary changed from Do not escape HTML for user name. to Does not escape HTML for user name.
comment:6 Changed 2 years ago by rjollos
- Resolution set to fixed
- Status changed from accepted to closed
comment:7 Changed 2 years ago by rjollos
- Cc hasienda added; anonymous removed
- Owner changed from rjollos to uchida_t@…
Note: See TracTickets for help on using tickets.