Inline editor does not escape input before rendering.
Bug #337198 reported by
Jeroen T. Vermeulen
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Jeroen T. Vermeulen | ||
Bug Description
I can inject HTML into my own view of a page (though not someone else's) by inline-editing a bug title. After saving, the editing widget displays its text directly as HTML. The text that goes to the server is of course safe, since it's HTML-escaped by the view before rendering.
Reporting this as a security risk because it could conceivably be used to trick privileged users into editing and saving a bug title with an injection still in it.
| Changed in launchpad: | |
| assignee: | nobody → jtv |
| importance: | Undecided → High |
| milestone: | none → 2.2.3 |
| status: | New → In Progress |
| Changed in launchpad: | |
| milestone: | 2.2.3 → none |
| Changed in launchpad-foundations: | |
| milestone: | none → 2.2.3 |
Revision history for this message
| Jeroen T. Vermeulen (jtv) wrote | #1 |
Revision history for this message
| Jeroen T. Vermeulen (jtv) wrote | #2 |
| Changed in launchpad-foundations: | |
| status: | In Progress → Fix Released |
| visibility: | private → public |
To post a comment you must log in.
I'm going crazy. My reviewer last night (hi cprov) pointed out that he could not reproduce the problem on RF, though today I find that I can on staging and edge (both r7936).