Closed
Bug 1163393
Opened 9 years ago
Closed 9 years ago
XSS in the new jQuery autocomplete code
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
FIXED
Bugzilla 6.0
People
(Reporter: LpSolit, Assigned: glob)
Keywords: regression
Attachments (1 file): patch (deleted), dkl: review+
Autocompletion is now done by jQuery, see bug 1159589. This introduces a new XSS vulnerability when a user's real name contains something such as <script>alert(3);</script>.
Attachment #8603919 - Flags: review?(dkl)
Comment 2•9 years ago
Comment on attachment 8603919 [details] [diff] [review]
1163393_1.patch
Why don't you use encodeURIComponent() as already used in js/comment-tagging.js or in template/en/default/reports/report-table.html.tmpl? I suppose this isn't or won't be the single place where you will have to escape data.
(In reply to Frédéric Buclin from comment #2)
> Why don't you use encodeURIComponent()
that's uri encoding, not html. you probably mean YAHOO.lang.escapeHTML.
oddly enough jquery doesn't have a built in equivalent, you either do .replace or create a dom element, set the text content, then grab it back as html.
i chose to follow devBridgeAutocomplete's lead in its default formatter: https://github.com/devbridge/jQuery-Autocomplete/blob/master/src/jquery.autocomplete.js#L130
> I suppose this isn't or won't be the single place where you will have to escape data.
it's the only place right now. we can refactor later if required.
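The two escaping options glob describes (a `.replace` chain, or a DOM element whose text content is read back as HTML), plus a suggestion formatter that escapes a real name before highlighting the typed prefix. This is an added example, not Bugzilla's or devbridge's code; `escapeHtmlViaDom` takes a `Document` as an argument because it only works in a browser.

```javascript
'use strict';

// Approach 1: explicit replace chain, in the spirit of devbridge's default
// formatter. '&' is replaced first so the entities added afterwards are not
// themselves re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Approach 2: let the browser do it. Assigning textContent never parses
// markup, and innerHTML serialises it back with the metacharacters escaped.
// `doc` is a Document (browser only, so it is passed in rather than assumed).
function escapeHtmlViaDom(doc, value) {
  const el = doc.createElement('div');
  el.textContent = String(value);
  return el.innerHTML;
}

// A formatter of the kind the bug is about: highlight the part of the
// suggestion that matches what the user typed. The raw string is split at the
// match *before* escaping, so the inserted <strong> tags can never land inside
// an entity, and every piece of user data is escaped before markup is built.
function formatSuggestion(suggestion, query) {
  const s = String(suggestion);
  const q = String(query);
  const idx = q.length ? s.toLowerCase().indexOf(q.toLowerCase()) : -1;
  if (idx < 0) return escapeHtml(s);
  return escapeHtml(s.slice(0, idx)) +
    '<strong>' + escapeHtml(s.slice(idx, idx + q.length)) + '</strong>' +
    escapeHtml(s.slice(idx + q.length));
}

// Why encodeURIComponent() is the wrong tool here: it percent-encodes for a
// URL component and produces a different string, not HTML-safe text.
function uriEncodingDiffersFromHtmlEscaping(value) {
  return encodeURIComponent(value) !== escapeHtml(value);
}

// Constructed sample: a real name that carries the payload from the bug report.
const SAMPLE_REALNAME = '<script>alert(3);</script>';
```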
Comment 4•9 years ago
Comment on attachment 8603919 [details] [diff] [review]
1163393_1.patch
Review of attachment 8603919 [details] [diff] [review]:
-----------------------------------------------------------------
r=dkl
Attachment #8603919 - Flags: review?(dkl) → review+
Updated•9 years ago
Flags: approval?
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
bd41649..7f3cc64 master -> master
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: approval? → approval+
Resolution: --- → FIXED