XUL-client "stop sign page" does not HTML-escape user-supplied values
Bug #1446816 reported by
Jason Etheridge
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Evergreen |
Fix Released
|
Medium
|
Unassigned | ||
| 2.6 |
Fix Released
|
Medium
|
Unassigned | ||
| 2.7 |
Fix Released
|
Medium
|
Unassigned | ||
| 2.8 |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
So, for example, if you give a user an alert message or a standing penalty with a note containing: hello <a href="http://
And you go to the Other -> Display Alerts and Messages (aka Stop Sign Page), you'll see:
hello google world
Clicking on google will load http://
This does not happen in the web-based staff client. I've included a quick patch; it may be better to use encodeURI or something, but this seems less messy visually.
Revision history for this message
| Jason Etheridge (phasefx) wrote | #1 |
| tags: | added: pullrequest |
Revision history for this message
| Ben Shum (bshum) wrote | #2 |
| Changed in evergreen: | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
Revision history for this message
| Bill Erickson (berick) wrote | #3 |
Revision history for this message
| Bill Erickson (berick) wrote | #4 |
Revision history for this message
| Ben Shum (bshum) wrote | #5 |
| Changed in evergreen: | |
| status: | Triaged → Fix Committed |
| information type: | Private Security → Public Security |
| Changed in evergreen: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Assigning initial targets for pushing this through. Because this is a security fix, we may also wish to see this backported to rel_2_6 and a rel_2_6 security release made.
The change is simple enough, but good practice for including in a security dance. Reminder here to push this to the relevant branches prior to the next round of cuts.