User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Steps to reproduce: Hi, there's a xss vulnerability in bugzilla tag field that allows attackers to do phishing attacks. Reproduce: 1. While logged on landfill , go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=23120. 2. Click in on tag field. 3. after put "<iframe/onload=alert(1)>" in the text field. 4. Press enter 5. See the xss Cheers, Mario

The tag is rejected by Bugzilla and so you can only affect yourself.

Note that ideally, the invalid tag shouldn't be displayed in the tags list at all. The validation should occur first, and the tag be added to the list next, only if no error has been thrown.

Comment on attachment 8357462 [details] [diff] [review] patch, v1 r=glob (In reply to Frédéric Buclin from comment #4) > Note that ideally, the invalid tag shouldn't be displayed in the tags list > at all. The validation should occur first, and the tag be added to the list > next, only if no error has been thrown. while this is correct from a purely technical perspective, i disagree that this is the ideal situation from a responsiveness point of view.

(In reply to Byron Jones ‹:glob› (unavailable until Jan 12th) from comment #5) > while this is correct from a purely technical perspective, i disagree that > this is the ideal situation from a responsiveness point of view. It wouldn't be too hard to put the regexp in the JS code too. It's a simple one.

Since we don't have any releases that contain this yet, okay to commit without waiting.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/ modified js/comment-tagging.js Committed revision 8859.