Closed Bug 1163393 Opened 9 years ago Closed 9 years ago

XSS in the new jQuery autocomplete code

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
Bugzilla 6.0

People

(Reporter: LpSolit, Assigned: glob)

References

Details

(Keywords: regression)

Attachments

(1 file)

Autocompletion is now done by jQuery, see bug 1159589. This introduces a new XSS vulnerability when a user's realname contains stuff such as <script>alert(3);</script>.
Assignee: general → glob
Attached patch 1163393_1.patch (deleted) — Splinter Review
Attachment #8603919 - Flags: review?(dkl)
Comment on attachment 8603919 (1163393_1.patch)

Why don't you use encodeURIComponent() as already used in js/comment-tagging.js or in template/en/default/reports/report-table.html.tmpl? I suppose this isn't or won't be the single place where you will have to escape data.
(In reply to Frédéric Buclin from comment #2)

> Why don't you use encodeURIComponent()

that's uri encoding, not html. you probably mean YAHOO.lang.escapeHTML. oddly enough jquery doesn't have a built-in equivalent; you either do .replace or create a dom element, set the text content, then grab it back as html. i chose to follow devBridgeAutocomplete's lead with its default formatter: https://github.com/devbridge/jQuery-Autocomplete/blob/master/src/jquery.autocomplete.js#L130

> I suppose this isn't or won't be the single place where you will have to escape data.

it's the only place right now. we can refactor later if required.
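The two escaping approaches contrasted in the reply above, as an added JavaScript example (not the attached patch or Bugzilla's own code): a replace-based escapeHTML in the spirit of the devBridge default formatter, a DOM round-trip variant, and a hypothetical suggestion formatter run over a constructed user record carrying the realname from the report.

```javascript
// Added example, not the Bugzilla patch: HTML escaping for autocomplete output.

// 1. Replace-based escaping, as in the devBridge default formatter, extended
//    to all five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. DOM round trip (browser only): set textContent, read back innerHTML.
//    Caveat: serialisation only escapes &, < and >, so the result is safe as
//    element content but NOT inside an attribute value. Falls back to the
//    replace version when there is no document (e.g. under node).
function escapeHTMLViaDOM(str) {
  if (typeof document === 'undefined') return escapeHTML(str);
  const div = document.createElement('div');
  div.textContent = String(str);
  return div.innerHTML;
}

// Hypothetical formatter: builds one suggestion row from a user record
// (login + realname), escaping every user-controlled field.
function formatSuggestion(user, escape = escapeHTML) {
  return '<div class="suggestion">' + escape(user.realname) +
         ' &lt;' + escape(user.login) + '&gt;</div>';
}

// The regression pattern: realname interpolated verbatim into markup.
function formatSuggestionUnsafe(user) {
  return '<div class="suggestion">' + user.realname +
         ' &lt;' + user.login + '&gt;</div>';
}

// Constructed sample record mirroring the realname vector from the report.
const SAMPLE_USER = {
  login: 'user@example.com',
  realname: '<script>alert(3);</script>',
};
```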
Comment on attachment 8603919 (1163393_1.patch)

Review of attachment 8603919: r=dkl
Attachment #8603919 - Flags: review?(dkl) → review+
Flags: approval?
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git bd41649..7f3cc64 master -> master
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: approval? → approval+
Resolution: --- → FIXED
