Task #9856 (closed)
Opened 7 years ago
Closed 4 years ago
BUG: description field is not escaped properly during editing
| Reported by: | spli | Owned by: | web-team@… |
|---|---|---|---|
| Priority: | major | Milestone: | Unscheduled |
| Component: | Web | Version: | 5.1.2 |
| Keywords: | n.a. | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. |
Description
Click on the pen icon to edit the description field of a project/dataset/image. Enter the following:
<script>alert('hello')</script>
Click save... the webpage says hello.
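An added example, not part of the original ticket and not the project's code: the unescaped rendering that produces the behaviour reported above, next to output-time escaping for both the displayed description and the pre-filled edit field. All function names are hypothetical, and the string-concatenating renderers stand in for whatever template actually renders the description.

```javascript
// Added example; every name here is hypothetical, not taken from the project.
// Constructed inputs: the string from the ticket, plus one aimed at the edit form.
const TICKET_INPUT = "<script>alert('hello')</script>";
const TEXTAREA_INPUT = 'a & b </textarea><b>bold</b>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the saved description is concatenated into markup as-is, so any
// tags it contains become part of the page.
function renderDescriptionUnsafe(description) {
  return '<div class="description">' + description + '</div>';
}

// AFTER: escape at output time; the stored value itself is left untouched.
function renderDescription(description) {
  return '<div class="description">' + escapeHtml(description) + '</div>';
}

// The edit form needs the same treatment: the textarea is pre-filled with the
// stored text, and a literal </textarea> would otherwise close it early.
function renderEditForm(description) {
  return '<textarea name="description">' + escapeHtml(description) + '</textarea>';
}

// Decoder used only to confirm the round trip: what the user sees and re-edits
// after escaping is exactly what was stored. &amp; is decoded last.
function unescapeHtml(markup) {
  return markup
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#x27;/g, "'")
    .replace(/&amp;/g, '&');
}

// Regression check: strip the wrapper element and report whether any '<'
// from the user-supplied text survived into the rendered fragment.
function hasUnescapedMarkup(fragment, wrapperTag) {
  const inner = fragment
    .replace(new RegExp('^<' + wrapperTag + '[^>]*>'), '')
    .replace(new RegExp('</' + wrapperTag + '>$'), '');
  return inner.includes('<');
}
```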
Change History (4)
comment:1 Changed 7 years ago by jmoore
- Priority changed from minor to major
comment:2 Changed 7 years ago by pwalczysko
Cannot find the ticket mentioned by jmoore. This issue is still persisting.
Also, when in IE8 and putting in the <script> string, after pressing "Save" the Save button gets grey and does not perform the action.
See screenshot.
comment:3 Changed 7 years ago by jmoore
#8780 from Blazej.
comment:4 Changed 4 years ago by jburel
- Resolution set to fixed
- Status changed from new to closed
- Version set to 5.1.2
tested on Chrome, Safari, Firefox, IE
no problem noticed.
wmoore: there was definitely already a ticket for this. Do you know what the status should have been? simon: when it comes to sec. issues, do bring it up in devteam first.