JCommune / JC-1561

XSS in poll title and poll answers when viewing the preview


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9 Larks
    • Fix Version/s: 2.1 Larks
    • Labels: None
    • Sprint: 2.1 Larks

      Description

      Steps to reproduce
      1. The user creates a new topic and fills the title and message content fields with valid text.
      2. The user creates a poll whose title is

      <script>alert("Hacked poll title")</script>

      and one of whose poll answers is

      <script>alert("Hacked poll answer")</script>

      3. Press the "Preview" button.

      Actual result
      The user receives two pop-up windows with the text

      Hacked poll title

      and

      Hacked poll answer

      The poll title and answer are empty.

      Expected result
      No additional windows appear.
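The reproduction above is a textbook HTML-injection bug: the poll title and answers typed by the user are placed into the preview markup without escaping, so the browser treats them as tags rather than text, executes the script, and leaves the title and answer visually empty. The following is an added example, not JCommune's own preview code; it assumes, for illustration, that the preview is built as an HTML string on the client from a poll object with a `title` and an `answers` array, and shows the vulnerable renderer beside a hardened one that escapes every untrusted field.

```javascript
// Added example (not JCommune code). The poll object shape, the function
// names and the renderer itself are assumptions for illustration.

// Constructed input: the two payloads from the bug description.
const maliciousPoll = {
  title: '<script>alert("Hacked poll title")</script>',
  answers: ['A harmless answer', '<script>alert("Hacked poll answer")</script>'],
};

// Vulnerable: user-controlled strings are concatenated straight into markup.
// Handed to document.write, jQuery's .html(), or similar, the <script> tags
// run as code instead of being shown as text, which is what JC-1561 reports.
function renderPollPreviewVulnerable(poll) {
  let html = `<div class="poll"><h3>${poll.title}</h3><ul>`;
  for (const answer of poll.answers) {
    html += `<li>${answer}</li>`;
  }
  return html + '</ul></div>';
}

// Escaping for HTML text and quoted-attribute contexts. All five characters
// that can close or open a tag, attribute or entity are replaced in a single
// pass, so an existing '&' is never double-escaped.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted field passes through escapeHtml before it is
// concatenated. The browser now displays the payload literally.
function renderPollPreviewSafe(poll) {
  let html = `<div class="poll"><h3>${escapeHtml(poll.title)}</h3><ul>`;
  for (const answer of poll.answers) {
    html += `<li>${escapeHtml(answer)}</li>`;
  }
  return html + '</ul></div>';
}

// Cheap regression check for the preview: no raw <script tag may survive in
// the rendered markup, whatever the poll fields contain.
function containsActiveScript(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderPollPreviewVulnerable(maliciousPoll));
console.log('safe:      ', renderPollPreviewSafe(maliciousPoll));
console.log('vulnerable leaks script:', containsActiveScript(renderPollPreviewVulnerable(maliciousPoll)));
console.log('safe leaks script:      ', containsActiveScript(renderPollPreviewSafe(maliciousPoll)));
```

Two caveats for whoever verifies the fix. First, a `<script>` inserted via `element.innerHTML` does not execute in modern browsers, but `document.write`, jQuery's `.html()`/`.append()` and server-side templates do run it, and an `<img src=x onerror=alert(1)>` payload fires through `innerHTML` regardless, so the regression test should use an event-handler payload as well as the `<script>` one. Second, the escaping above covers text and quoted-attribute contexts only; if the preview is rendered server-side in a JSP, the equivalent is `<c:out value="${poll.title}"/>` or `fn:escapeXml`, and if the value ever lands inside a JavaScript string or a URL attribute, it needs the escaping rules for that context instead.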

        Attachments

        1. xss.png, 153 kB, attached by Andrey Ivanov


              People

              • Assignee: varro Artem R
              • Reporter: varro Artem R
              • Votes: 0
              • Watchers: 4


                  Time Tracking

                  • Original Estimate: Not Specified
                  • Remaining Estimate: 0h
                  • Time Spent: 2h
