A user's displayname is not URLENCODED when JavaScript is generated
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Guilherme Salgado |
Bug Description
In the new mapping feature, the user's displayname is used to generate the JavaScript to link to render the map. This throws a JavaScript error when a user's name has a value that needs to be escaped (i.e. O'Brien).
https:/
The error is in canonical/
<script type="text/
This could theoretically be open to an XSS security issue.
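The failure described above, as an added example (not Launchpad's code, whose snippet is truncated on this page): a display name pasted into a quoted JavaScript string, next to the same name encoded for a JavaScript string inside an inline `<script>` block. `TEMPLATE`, `setMarkerTitle` and the function names are hypothetical.

```python
import json

# Hypothetical template: the page's own <script> snippet is truncated, so the
# shape of this call (setMarkerTitle) is an assumption for illustration.
TEMPLATE = '<script type="text/javascript">setMarkerTitle(%s);</script>'


def render_unescaped(displayname):
    """The 'before': the name is pasted between single quotes as-is."""
    return TEMPLATE % ("'" + displayname + "'")


def js_string_literal(value):
    """Encode text as a JS string literal that is safe inside inline <script>.

    json.dumps handles quotes, backslashes and control characters; the extra
    replacements keep the HTML parser from seeing markup such as </script>.
    The default ensure_ascii=True also escapes U+2028/U+2029, which older JS
    engines treat as line terminators inside string literals.
    """
    literal = json.dumps(value)
    for char, escaped in (("<", "\\u003c"), (">", "\\u003e"),
                          ("&", "\\u0026"), ("'", "\\u0027")):
        literal = literal.replace(char, escaped)
    return literal


def render_escaped(displayname):
    """The 'after': the name is encoded for the JavaScript string context."""
    return TEMPLATE % js_string_literal(displayname)


def quotes_balanced(script):
    """Crude check: an odd number of unescaped single quotes means broken JS."""
    return script.replace("\\'", "").count("'") % 2 == 0


# Constructed sample names; "O'Brien" is the case given in the bug report.
SAMPLES = ["O'Brien", "Ann </script> Lee", "back\\slash"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(render_unescaped(name))
        print(render_escaped(name))
```

The encoded literal decodes back to the original name in the browser, so the displayed text is unchanged while the quote no longer terminates the string.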
Changed in launchpad:
assignee: nobody → salgado
status: New → Triaged

Changed in launchpad:
importance: Undecided → Critical
milestone: none → 2.1.9
status: Triaged → In Progress

Changed in launchpad:
status: Fix Committed → Fix Released
visibility: private → public

In practice this is not a big deal because the +editlocation page is restricted with launchpad.Edit (which means only the user himself or a LP admin can see it).
Also, it doesn't seem to be exploitable -- having any sort of JS code in a person's display name seems to break the rendering of the widget. Were you able to actually exploit, John?