XSS in recipe build request popup
Bug #740719 reported by
William Grant
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Critical
|
Ian Booth |
Bug Description
The AJAX recipe build request popup doesn't escape series displaynames when it creates disabled checkboxes for already pending builds.
Related branches
lp:~wallyworld/launchpad/recipe-build-popup-xss
- Robert Collins (community): Approve
- William Grant: Approve (code*)
-
Diff: 38 lines (+7/-4)2 files modifiedlib/lp/code/javascript/requestbuild_overlay.js (+5/-2)
lib/lp/code/windmill/tests/test_recipe_request_build.py (+2/-2)
Changed in launchpad: | |
assignee: | nobody → Ian Booth (wallyworld) |
Changed in launchpad: | |
status: | Triaged → In Progress |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
visibility: | private → public |
To post a comment you must log in.
Fixed in stable r12651 <http:// bazaar. launchpad. net/~launchpad- pqm/launchpad/ stable/ revision/ 12651>.