Subscriber AJAX widget vulnerable to script injection
Bug #394032 reported by
Gavin Panella
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
LAZR Javascript Library |
Fix Released
|
High
|
Gavin Panella | ||
Launchpad itself |
Fix Released
|
High
|
Gavin Panella |
Bug Description
To reproduce:
1. Run launchpad.dev.
2. Log in as Foo Bar (name16).
3. Change display name to "Foo Bar <script>
4. Log in as Sample Person (name12).
5. Visit bug 1.
6. Subscribe someone else: name16.
7. Foo
Changed in malone: | |
assignee: | nobody → Gavin Panella (allenap) |
importance: | Undecided → High |
milestone: | none → 2.2.7 |
status: | New → In Progress |
Changed in lazr-js: | |
assignee: | nobody → Gavin Panella (allenap) |
status: | Triaged → In Progress |
Changed in lazr-js: | |
status: | In Progress → Fix Committed |
Changed in malone: | |
status: | Fix Committed → Fix Released |
visibility: | private → public |
To post a comment you must log in.
Looks like the value for LP.client. cache[' bug'] is not escaped
properly either because I can see JSON at the bottom of the page.