[JC-1706] XSS in adding external link dialog - JTalks JIRA

Voters

Watchers

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3 Larks
Fix Version/s: 2.4 Larks
Labels:
- xss

Sprint:
2.4 Larks

Description

Steps to reproduce
1. Log in with permissions to edit external links.
2. Go to external links editor
3. Press "Add" button
4. Fill all fields with

<script>alert("Ha")<script>

5. Press "Save" button
IMPORTANT!!
do not close external link popup window unless you have DB access
6. Open JCommune main page in new tab.

Actual result

Window with link editor isn't closed
Layout is broken (see screenshot)
If user adds one more link - there is link with "data-original-title" title in link list.

Expected result
URL should be escaped when the page is rendered so that its symbols are not considered as special.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Layout is broken.jpg
189 kB
04/Dec/13 12:38 AM

Issue Links

relates to

JC-1667 Refactor External Links dialog to create Title, Hint, Href inputs

Closed

Structure

Activity

People

Assignee:

Artem R

Reporter:

Artem R

Votes:

1 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

04/Dec/13 12:38 AM

Updated:

22/Dec/13 1:44 PM

Resolved:

19/Dec/13 1:06 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Details

Description

Attachments

Attachments

Issue Links

Structure

Activity

People

Dates

Time Tracking

Structure Helper Panel