Inline editor does not escape input before rendering.
Bug #337198 reported by Jeroen T. Vermeulen
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Jeroen T. Vermeulen |
Bug Description
I can inject HTML into my own view of a page (though not someone else's) by inline-editing a bug title. After saving, the editing widget displays its text directly as HTML. The text that goes to the server is of course safe, since it's HTML-escaped by the view before rendering.
Reporting this as a security risk because it could conceivably be used to trick privileged users into editing and saving a bug title with an injection still in it.
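An added illustration of the mechanism the report describes (example code, not Launchpad's own inline-editor code): the widget is modelled as functions returning the HTML string it would write into its display node, so it runs under Node without a DOM. The function names, the wrapper markup and the sample title are assumptions made for the example.

```javascript
// Added illustration (not Launchpad's code): why the inline editor's
// post-save rendering was a self-XSS even though the server escaped.
// Widget state is modelled as plain strings so this runs under Node
// without a DOM; the render functions return the HTML the widget
// would assign to its display node.

// Escape the five characters that change meaning in HTML text and
// attribute context; the server-side view applies the same transformation.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable behaviour from the report: after a save the editor drops the
// submitted text straight into its display node as HTML.
function renderTitleUnescaped(savedTitle) {
  return '<span class="title">' + savedTitle + '</span>';
}

// Hardened behaviour: escape before building markup (in a real DOM,
// assigning to textContent instead of innerHTML achieves the same).
function renderTitleEscaped(savedTitle) {
  return '<span class="title">' + escapeHtml(savedTitle) + '</span>';
}

// Simulated server view: the stored title is escaped at render time,
// which is why a reload (or another user's view) was not affected.
function serverRenderTitle(storedTitle) {
  return '<h1>' + escapeHtml(storedTitle) + '</h1>';
}

// Defender-side check: count tags in the rendered output beyond the
// wrapper the widget itself emits; anything extra came from user input.
function injectedTagCount(renderedHtml, wrapperTagCount) {
  const tags = renderedHtml.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return Math.max(0, tags.length - wrapperTagCount);
}

// Constructed sample: a plausible bug title that happens to carry markup.
const sampleTitle = 'Crash in <b>parser</b> when input is "odd"';

console.log(injectedTagCount(renderTitleUnescaped(sampleTitle), 2)); // 2
console.log(injectedTagCount(renderTitleEscaped(sampleTitle), 2));   // 0
```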
Changed in launchpad:
assignee: nobody → jtv
importance: Undecided → High
milestone: none → 2.2.3
status: New → In Progress

Changed in launchpad:
milestone: 2.2.3 → none

Changed in launchpad-foundations:
milestone: none → 2.2.3
visibility: private → public
I'm going crazy. My reviewer last night (hi cprov) pointed out that he could not reproduce the problem on RF, though today I find that I can on staging and edge (both r7936).