URL fields should be restricted to URLs
Bug #522460 reported by
William Grant
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| IVLE |
Fix Released
|
High
|
William Grant | ||
Bug Description
We have a few URL fields in the database. Ensure that they are restricted to valid, non-malicious (eg. protocol is not javascript:) strings at both the DB and form validation layers.
- offering.url
- project.url
Related branches
Revision history for this message
| William Grant (wgrant) wrote | #1 |
| Changed in ivle: | |
| status: | Triaged → In Progress |
Revision history for this message
| William Grant (wgrant) wrote | #2 |
| Changed in ivle: | |
| status: | In Progress → Fix Committed |
| Changed in ivle: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Neither has been set in production. Both are enforced at the form layer. It's a bit difficult to enforce at the DB layer, so we won't do that for now.