Bug 3391 - bury title is probably cross site scriptable
Status: RESOLVED FIXED
Product: maemo.org Website
Component: News
Version: unspecified
Platform: All Windows
Importance: High blocker
Target Milestone: ---
Assigned To: Niels Breet
QA Contact: news@maemo.org
URL: https://maemo.org/news/favorites/bury...
Reported: 2008-07-03 22:37 UTC by timeless
Modified: 2008-07-04 16:11 UTC (History)

Description timeless (reporter) 2008-07-03 22:37:04 UTC
STEPS TO REPRODUCE THE PROBLEM:
1. write a blog with a title like: '" onmouseover="alert(1)" "'
2. convince someone to use the bury link instead of the ajax link

EXPECTED OUTCOME:
no XSS support in web site.

ACTUAL OUTCOME:
        <input type="text" name="net_nemein_favourite_title" value=""Random Musings of a Useless Geek" Wordle"/>

REPRODUCIBILITY:
always

EXTRA SOFTWARE INSTALLED:
NoScript

OTHER COMMENTS:

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Comment 1 Andre Klapper maemo.org 2008-07-04 13:30:47 UTC
Henri, can you take a look at this?
Comment 2 Henri Bergius 2008-07-04 14:03:34 UTC
Eero is looking at this.
Comment 3 eero.afheurlin 2008-07-04 14:18:32 UTC
http://trac.midgard-project.org/changeset/16778 should fix this
Comment 4 eero.afheurlin 2008-07-04 14:25:08 UTC
packaged as http://pear.midcom-project.org/get/net_nemein_favourites-1.1.5.tgz,
not yet installed, assigning to Niels for testing and rollout.
Comment 5 Niels Breet maemo.org 2008-07-04 16:11:33 UTC
Tested on the internal machine and applied the package on maemo.org.
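
An added example, not part of this bug thread and not the code from the changeset referenced above: it renders the `net_nemein_favourite_title` input once unencoded and once encoded for an attribute context, then parses the result to check that the title stayed inside `value`. The helper names are hypothetical, and PHP with the DOM extension is an assumption.

```php
<?php
// Added example; both render_* helpers and input_attributes() are hypothetical.

// Vulnerable form: the title is concatenated into the attribute unencoded.
function render_title_input_unsafe(string $title): string
{
    return '<input type="text" name="net_nemein_favourite_title" value="' . $title . '"/>';
}

// Hardened form: encode for a quoted HTML attribute context.
function render_title_input_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="net_nemein_favourite_title" value="' . $encoded . '"/>';
}

// Parse rendered markup and return the attributes the <input> actually has.
function input_attributes(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // malformed input is expected
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// Regression check: only type/name/value may exist, and value must round-trip.
function title_is_contained(string $html, string $title): bool
{
    $attrs = input_attributes($html);
    return array_keys($attrs) === ['type', 'name', 'value'] && $attrs['value'] === $title;
}

// Titles taken from the report: the reproduction string and the observed one.
$titles = ['" onmouseover="alert(1)" "', '"Random Musings of a Useless Geek" Wordle'];
foreach ($titles as $title) {
    printf("unsafe contained: %s, safe contained: %s\n",
        var_export(title_is_contained(render_title_input_unsafe($title), $title), true),
        var_export(title_is_contained(render_title_input_safe($title), $title), true));
}
```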