JCommune / JC-1466

XSS vulnerability while editing contacts


    Details

    • Sprint:
      1.7 Larks

      Description

      Preconditions
      The user has permission to edit their own profile and is logged in.

      Steps to reproduce
      1. Go to your own profile, press the "Edit" button, then press "Add contact"
      2. Drag'n'drop (or paste via the context menu) the following text from anywhere (for example, from the address bar) into the "Contact Value" field:

      <script>alert('Hacked');</script>

      3. Press "Ok"

      Actual result
      A pop-up window with the text "Hacked" appears

      Expected result
      An error message about the wrong contact format

      Note
      XSS is a special case: any invalid value can be dragged and dropped (or pasted via the context menu) into the textbox.
      Drag'n'drop (or paste via the context menu) should be validated in the same way as paste via Ctrl+V or direct input.
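      As an added example (not JCommune's own code), a client-side validator for the "Contact Value" field that runs on every change path (typing, Ctrl+V, context-menu paste and drop), with HTML escaping as a second layer for rendering. The accepted contact format is an assumption, since the ticket does not define one; the element and callback names are constructed for the example.

```javascript
// Assumed contact value format (the ticket does not define one): a
// constructed allow-list of letters, digits, @ . _ - + and spaces. Anything
// carrying markup characters such as '<' or quotes fails the check.
const CONTACT_VALUE_RE = /^[A-Za-z0-9@._+\- ]{1,64}$/;

// Validate one contact value; returns the error text the form should show.
function validateContactValue(value) {
  const trimmed = String(value).trim();
  if (trimmed.length === 0) {
    return { valid: false, error: 'Contact value must not be empty' };
  }
  if (!CONTACT_VALUE_RE.test(trimmed)) {
    // The payload from the ticket ends up here and gets the format error
    // the reporter expected instead of being stored and rendered.
    return { valid: false, error: 'Wrong contact format' };
  }
  return { valid: true, value: trimmed };
}

// Output encoding: even if an invalid value reaches the page (client-side
// checks can always be bypassed, so the server must validate as well), it
// is rendered as text and not parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Bind the validator to a text field. The 'input' event fires for keyboard
// entry, Ctrl+V, context-menu paste and drag-and-drop alike; a key-event
// handler such as 'keyup' would miss the last two paths, which is the gap
// the ticket describes. showError is a constructed callback that displays
// (or clears) the message next to the field.
function attachContactValidation(field, showError) {
  const check = () => {
    const result = validateContactValue(field.value);
    showError(result.valid ? '' : result.error);
    return result;
  };
  field.addEventListener('input', check);
  field.addEventListener('change', check); // catches drops on older browsers
  return check;
}
```

The same allow-list must also be enforced on the server when the contact is saved; the client-side check only gives the user the immediate error message the ticket asks for.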

      People

      • Assignee: varro Artem R
      • Reporter: varro Artem R