Feeds URL doesn't properly escape HTML in display name

Bug #183297 reported by Diogo Matsubara
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Edwin Grubbs

Bug Description

1. Open http://launchpad.dev/firefox/+edit
2. Change the display name to: foo"</><script>window.alert("hello")
3. Click Change

What happens: A JavaScript alert appears.
What should happen:

        <link rel="alternate" type="application/atom+xml" title="Announcements for foo"</><script>window.alert("hello")</script>" href="http://feeds.launchpad.dev/firefox/announcements.atom"/>

        <link rel="alternate" type="application/atom+xml" title="Latest Bugs for foo"</><script>window.alert("hello")</script>" href="http://feeds.launchpad.dev/firefox/latest-bugs.atom"/>

Should be properly escaped.
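The defect above is attribute-context injection: a double quote in the display name closes the title attribute, and the rest of the name becomes markup. The following is an added illustration, not code from the bug report or from Launchpad itself; it models the vulnerable rendering beside an escaped form (using Python's html.escape, which is an assumption about technique, not Launchpad's actual fix) and uses the standard-library HTML parser as a check that only one tag survives. The display name and feed URL are taken from the report; the function names are invented for the example.

```python
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed sample input: the display name from the bug's reproduction steps
# and one of the feed URLs shown in the report.
PAYLOAD = 'foo"</><script>window.alert("hello")'
FEED_URL = "http://feeds.launchpad.dev/firefox/announcements.atom"


def feed_link_unescaped(display_name: str, feed_url: str) -> str:
    """Models the defect: the display name is interpolated raw into the
    title attribute, so a double quote in it ends the attribute and
    everything after it is parsed as markup."""
    return (
        '<link rel="alternate" type="application/atom+xml" '
        f'title="Announcements for {display_name}" href="{feed_url}"/>'
    )


def feed_link_escaped(display_name: str, feed_url: str) -> str:
    """Hardened form (assumed technique): html.escape with quote=True turns
    &, <, >, " and ' into entities, so the value can neither close the
    attribute nor open a new tag."""
    safe_name = html.escape(display_name, quote=True)
    safe_url = html.escape(feed_url, quote=True)
    return (
        '<link rel="alternate" type="application/atom+xml" '
        f'title="Announcements for {safe_name}" href="{safe_url}"/>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (for "/>") delegates here by default.
        self.tags.append((tag, dict(attrs)))


def start_tags(markup: str) -> list:
    """Tag names a parser creates from the markup. A correctly escaped
    feed link yields exactly one tag: 'link'."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [tag for tag, _ in parser.tags]


def link_title(markup: str) -> Optional[str]:
    """The title attribute of the first <link> tag, after entity decoding."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    for tag, attrs in parser.tags:
        if tag == "link":
            return attrs.get("title")
    return None


if __name__ == "__main__":
    for label, render in (("unescaped", feed_link_unescaped),
                          ("escaped", feed_link_escaped)):
        markup = render(PAYLOAD, FEED_URL)
        print(f"{label}: tags={start_tags(markup)} title={link_title(markup)!r}")
```

The escaped rendering round-trips: the parser decodes the entities and hands back the literal display name as the title attribute, while the markup itself never contains a second tag. That round-trip property is the check to keep in a regression test for this class of bug, since it fails the moment a template switches back to raw interpolation.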

Changed in launchpad:
assignee: nobody → edwin-grubbs
milestone: none → 1.2.1
status: New → Confirmed
Changed in launchpad:
importance: Undecided → Critical
Changed in launchpad:
status: Confirmed → Fix Committed
Diogo Matsubara (matsubara) wrote:

Fixed in mainline r5517

Edwin Grubbs (edwin-grubbs) wrote:

cherry picked

Changed in launchpad:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
