Ticket #491 (closed defect: fixed)

Opened 14 months ago

Last modified 14 months ago

Edit Feed page doesn't escape title and description correctly (possible XSS?)

Reported by: reporter Owned by: mbonetti
Priority: normal Milestone:
Component: BUGS Version:
Severity: normal Keywords:
Cc:

Description

The edit feed page fails to escape the title and description of the feed. In particular, "<input type=\"text\" id=\"c_descr\" name=\"c_descr\" value=\"$descr\" /></p>\n" fails to escape double quotes in $descr. Since the title and description are taken from the feed and double quotes are not stripped from either, this would appear to be an XSS security hole.

(Even if this didn't have nasty security implications, it would still be annoying because it means that the Edit Feed page cuts off feed titles and descriptions containing double quotes prematurely.)

Change History

Changed 14 months ago by mbonetti

  • status changed from new to closed
  • resolution set to fixed

in [1748]

Changed 14 months ago by mbonetti

I frankly doubt this one could be exploited, because both the title and the description are escaped (and tag-stripped) when the feed is being subscribed in the first place.

Still, thanks for the heads-up: we're always interested in security improvements.
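An added illustration of the two points above, not code from the ticket or from the project: the reporter's attribute-context problem (a double quote in `$descr` closes the `value="..."` attribute early) and the reply's subscribe-time sanitization (tag-stripping plus escaping). The sample description, the helper names and the tag-stripping regex are assumptions constructed for the example. It shows that stripping tags, or escaping only `&`, `<` and `>`, leaves the attribute truncated, while escaping quote characters as well makes the value round-trip intact.

```python
import html
import re

# Constructed sample feed description (not from any real feed): it contains
# a double quote, which is the character the ticket is about.
SAMPLE_DESCR = 'News about "security" and more'


def strip_tags(text: str) -> str:
    """Hypothetical tag-stripping of the kind applied when a feed is subscribed."""
    return re.sub(r"<[^>]*>", "", text)


def render_unescaped(descr: str) -> str:
    """The pattern quoted in the ticket: raw interpolation into an attribute."""
    return f'<input type="text" id="c_descr" name="c_descr" value="{descr}" /></p>\n'


def render_tags_only_escaped(descr: str) -> str:
    """Escapes &, < and > but not quotes: enough for element content,
    not enough inside a double-quoted attribute value."""
    safe = html.escape(descr, quote=False)
    return f'<input type="text" id="c_descr" name="c_descr" value="{safe}" /></p>\n'


def render_escaped(descr: str) -> str:
    """Hardened form: escape &, <, > and both quote characters before
    interpolating into the attribute (html.escape defaults to quote=True)."""
    safe = html.escape(descr, quote=True)
    return f'<input type="text" id="c_descr" name="c_descr" value="{safe}" /></p>\n'


def attribute_value(markup: str) -> str:
    """What an HTML parser takes as the value="..." attribute: the text up to
    the next double quote. Used to show where the value gets cut off."""
    match = re.search(r'value="([^"]*)"', markup)
    return match.group(1) if match else ""


def attribute_is_intact(markup: str, descr: str) -> bool:
    """True when the rendered attribute decodes back to the original text,
    i.e. no part of the description escaped the attribute context."""
    return html.unescape(attribute_value(markup)) == descr


if __name__ == "__main__":
    for name, renderer in [
        ("unescaped", render_unescaped),
        ("tags only", render_tags_only_escaped),
        ("quotes too", render_escaped),
    ]:
        # Apply the subscribe-time tag-stripping first, as the reply describes.
        markup = renderer(strip_tags(SAMPLE_DESCR))
        print(f"{name:11s} attribute={attribute_value(markup)!r} "
              f"intact={attribute_is_intact(markup, SAMPLE_DESCR)}")
```

Running it prints the attribute value as a parser would see it for each variant: the first two stop at `News about `, only the last keeps the whole description. The check worth keeping from this is `attribute_is_intact`: a template that interpolates feed metadata into attributes should pass it for any input containing `"`, `'`, `<`, `>` or `&`.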
