Closed
Bug 41906
Opened 24 years ago
Closed 24 years ago
Don't allow HTML in quips
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
Bugzilla
Bugzilla-General
VERIFIED
FIXED
Bugzilla 2.12
People
(Reporter: BenB, Assigned: Chris.Yeh)
References
Details
(Whiteboard: 2.12)
The bug list shows you a short text which can be entered at
<http://bugzilla.mozilla.org/newquip.html> by anybody. (Is there any option to turn it
off?) It allows HTML, which is sent directly to the Bugzilla user.
That's a perfect way to exploit Mozilla security holes.
Comment 3 (Reporter) • 24 years ago
(13075 is fixed, but this bug is still there, I think.)
This bug has been sitting around much too long. Raising severity to critical, because
it is security relevant. The mozilla.org domain is a testbed for Mozillas (at least, I
use it as such) and *has* to be secure.
Severity: normal → critical
Is there some Perl code that does this already?
Assignee: tara → cyeh
Whiteboard: 2.12
Comment 5 (Reporter) • 24 years ago
I have no idea. But you could just escape "<>&" (">" -> "&gt;", "<" -> "&lt;", "&"
-> "&amp;"), and the HTML code would appear in the page as cleartext, without
being evaluated by the browser.
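The escaping that Comment 5 describes, written out as an added example in Perl (Bugzilla's implementation language). This is not Bugzilla's own code and the function name html_quote is chosen here for illustration (later Bugzilla releases export a function of that name from Bugzilla::Util; this is not that code). The quips in the list are constructed samples of the kind of input the report is concerned about.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code: neutralise the three characters
# that let a quip inject markup, so the text renders literally in the bug list.
use strict;
use warnings;

sub html_quote {
    my ($text) = @_;
    return '' unless defined $text;
    # Order matters: '&' must be replaced first, or the '&' produced by the
    # later replacements would itself be rewritten into '&amp;lt;'.
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    # Also escape double quotes so the result is safe inside attribute values.
    $text =~ s/"/&quot;/g;
    return $text;
}

# Sanity check of the ordering rule above; dies if escaping is wrong.
die "escaping failed"
    unless html_quote('<b>&</b>') eq '&lt;b&gt;&amp;&lt;/b&gt;';

# Constructed sample quips (not real data from bugzilla.mozilla.org).
my @quips = (
    'Plain old quip & nothing else',
    '<script>alert(document.cookie)</script>',
    '<img src=x onerror="alert(1)">',
    '&lt;already escaped&gt; is escaped again, which is the correct behaviour',
);

for my $q (@quips) {
    printf "%-70s => %s\n", $q, html_quote($q);
}
```

Run it with `perl html_quote.pl`. The point a practitioner should take from it: apply the escaping at the moment the quip is written into the HTML page, on every output path, rather than trying to reject characters at newquip.html. Storing a raw "&" (Comment 8) is harmless as long as the rendering code escapes it; an input filter that strips "<>&" but leaves one output path unescaped is the kind of gap that keeps a bug like this open.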
Comment 6 • 24 years ago
This is a dupe and it's been fixed anyway.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8 • 24 years ago
I can still enter &'s...
Comment 9 • 24 years ago
In search of accurate queries.... (sorry for the spam)
Target Milestone: --- → Bugzilla 2.12
Comment 10 • 23 years ago
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa