XUL-client "stop sign page" does not HTML-escape user-supplied values
Bug #1446816 reported by Jason Etheridge
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Medium | Unassigned | |
| 2.6 | Fix Released | Medium | Unassigned | |
| 2.7 | Fix Released | Medium | Unassigned | |
| 2.8 | Fix Released | Medium | Unassigned | |
Bug Description
So, for example, if you give a user an alert message or a standing penalty with a note containing: hello <a href="http://
And you go to the Other -> Display Alerts and Messages (aka Stop Sign Page), you'll see:
hello google world
Clicking on google will load http://
This does not happen in the web-based staff client. I've included a quick patch; it may be better to use encodeURI or something, but this seems less messy visually.
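The defect described above is that a note typed into an alert message or standing penalty is concatenated into the stop sign page's markup unchanged, so any tags in the note become live elements. The following is an added example, not Evergreen's own code or the patch attached to this bug: a small HTML-escaping helper, a deliberately vulnerable renderer beside a hardened one, and a constructed sample note shaped like the one in the report (the URL `http://example.invalid/` and the `alert_message` class name are assumptions).

```javascript
// Added example (not Evergreen's own code): HTML-escape user-supplied
// alert/penalty notes before they are inserted into markup, so that a note
// containing tags is displayed literally instead of being rendered.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string for safe insertion as HTML text content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the note is concatenated into the markup unchanged,
// so an <a> tag inside the note becomes a clickable link on the page.
function renderNoteUnsafe(note) {
  return '<div class="alert_message">' + note + "</div>";
}

// Hardened rendering: the note passes through escapeHtml() first.
function renderNoteSafe(note) {
  return '<div class="alert_message">' + escapeHtml(note) + "</div>";
}

// When the target is a DOM node (as in a XUL/HTML client), assigning to
// textContent instead of innerHTML sidesteps the problem without manual
// escaping. Hypothetical helper; `container` is assumed to be a DOM node.
function setNoteText(container, note) {
  container.textContent = String(note);
  return container;
}

// Constructed sample note with the same shape as the report's example.
const SAMPLE_NOTE = 'hello <a href="http://example.invalid/">google</a> world';

// True when the rendered markup still contains a live <a ...> element.
function containsLiveAnchor(html) {
  return /<a\s/i.test(html);
}

console.log("unsafe:", renderNoteUnsafe(SAMPLE_NOTE));
console.log("safe:  ", renderNoteSafe(SAMPLE_NOTE));
```

`encodeURI`, which the report mentions as an alternative, would also neutralise the angle brackets, but it percent-encodes spaces and most punctuation as well, so the note would no longer read as plain text; escaping only the five HTML metacharacters (or setting `textContent`) keeps the message readable while removing the injection.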
- tags: added: pullrequest
- information type: Private Security → Public Security
- Changed in evergreen: status: Fix Committed → Fix Released
Assigning initial targets for pushing this through. Because this is a security fix, we may also wish to see this backported to rel_2_6 and a rel_2_6 security release made.
The change is simple enough, but good practice for including in a security dance. Reminder here to push this to the relevant branches prior to the next round of cuts.