Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, deshani, dill0wn, and 10 others

#7931 Tool install dialog needs to escape html/js

Milestone: v1.4.0

Status: closed

Owner: nobody

Labels: None

Component: General

Reviewer: nobody

Updated: 2016-03-17

Created: 2015-07-15

Creator: Dave Brondsema

Private: No

If you go to install a tool and enter "/><img src=x onerror=prompt(/XSS-test/)> as the "Url Path" it will execute that JS when previewing the URL. We should escape this. Not a security risk since it only executes local to the current user (not a way to make a "victim" run this JS)

Discussion

Dave Brondsema - 2016-03-17

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-03-17

Fixed as part of [#7919]

Related

Tickets: ~~#7919~~

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-04-11

Milestone: unreleased --> v1.4.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#7931 Tool install dialog needs to escape html/js

Discussion

Related