-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 2.4 Larks
-
Fix Version/s: 2.6 Larks
-
Labels:None
-
Environment:
Firefox 26
-
Sprint:2.6 Larks
Precondition
- open jcommune main page
Test data
- <xml id="X"><a><b><script>document.vulnerable=true;</script>;
Steps to reproduce
- Enter Test data in field Search
- Look at result
Actual result: layout is broken (see. actual_result_XSS)
Expected result: just topic with "<xml id="X"><a><b><script>document.vulnerable=true;</script>;" text is shown
- relates to
-
-
- Closed
-
Julia Atlygina, QA, can you help us? What do you think about this results?
Environment
- qa.jtalks.org/jcommune (2.6 Larks)
Test data
- document.vulnerable=true;
Precondition
- open main page jcommune
Steps to reproduce
- Enter test data in field "Search"
- Click "Enter" on keyboard
- Look at result (you also can click to other page button)
Actual result: layout had been broken (if you click on page button, you'll get error 404)
Expected result: Text that inclued intered characters was found
previous problem seems related to JC-1644, wasn't introduced by the fix
Test Environment
Firefox 27.0, jcommune 2.6.2074.f1b0325
Test Scenario
Preconditions: "Xss Me" firefox plugin should be installed
1. Open "Xss me" plugin and navigate to http://qa.jtalks.org/jcommune/
2. Press "Test all forms with all attacks" (main page contains only one form - search) and wait for finish
Regression tests:
Search function was tested
Test results:
All tests passed
AR=ER
XSS vulnerability is not reproduced. But incorrect topics are shown in search results. I think previous variant in this respect was better.
http://dev.jtalks.org/jcommune/search/?text=%3Cxml+id%3D%22X%22%3E%3Ca%3E%3Cb%3E%3Cscript%3Edocument.vulnerable%3Dtrue