Feeds url doesn't proper escape HTML in display name
Bug #183297 reported by
Diogo Matsubara
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Critical
|
Edwin Grubbs |
Bug Description
1. Open http://
2. Change the display name to: foo"</>
3. Click Change
What happens: A javascript alert appears.
What should happen:
<link rel="alternate" type="applicati
<link rel="alternate" type="applicati
Should be properly escaped.
Changed in launchpad: | |
assignee: | nobody → edwin-grubbs |
milestone: | none → 1.2.1 |
status: | New → Confirmed |
Changed in launchpad: | |
importance: | Undecided → Critical |
Changed in launchpad: | |
status: | Confirmed → Fix Committed |
visibility: | private → public |
To post a comment you must log in.
Fixed in mainline r5517