Roundup Tracker - Issues

Issue 2550684

classification
Properly escape username in history display. (with patch)
Type: security Severity: urgent
Components: Web interface Versions: devel, 1.4
process
Status: closed Resolution: accepted
Assignee: schlatterbeck Nosy: ThomasAH, schlatterbeck
Priority: : patch

Created on 2010-11-19 13:23 by ThomasAH, last changed 2012-10-10 14:23 by admin.

Files
File name Uploaded Description
history-user-escape.patch ThomasAH, 2010-11-19 13:23
Messages
msg4210 Author: [hidden] (ThomasAH) Date: 2010-11-19 13:23
If you have a user with HTML code in the username, the history of e.g.
issues or user details included the unescaped HTML code.

A patch to fix this problem is attached.

I tested with a username ending with:
 <a href="http://www.example.com">foo</a>
which generated a clickable link in the history.
msg4467 Author: [hidden] (schlatterbeck) Date: 2012-01-05 15:01
Fixed in Git 336bb3f
Thanks for the patch!
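The escaping problem reported in msg4210, as an added example that is not part of the original report, the attached patch, or Roundup's code: a history table rendered with and without output escaping, plus a regression check for markup the template never emits. The function names and the journal entries are constructed for illustration; the username suffix is the one from the report.

```python
import html
import re

# Constructed journal entries: (date, user, action, args). The second username
# ends with the markup ThomasAH used in the report.
HISTORY = [
    ("2010-11-19 13:23:29", "alice", "create", ""),
    ("2010-11-19 13:40:02", 'bob <a href="http://www.example.com">foo</a>',
     "set", "status: new -> chatting"),
]


def render_history_unsafe(entries):
    """Interpolate every field verbatim: the behaviour the report describes."""
    rows = ["<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>" % e
            for e in entries]
    return "<table>\n%s\n</table>" % "\n".join(rows)


def render_history_safe(entries):
    """Escape every field at output time, quotes included."""
    rows = []
    for entry in entries:
        cells = "".join("<td>%s</td>" % html.escape(str(field), quote=True)
                        for field in entry)
        rows.append("<tr>%s</tr>" % cells)
    return "<table>\n%s\n</table>" % "\n".join(rows)


# Tags the (hypothetical) history template itself produces.
ALLOWED_TAGS = {"table", "tr", "td"}
TAG_RE = re.compile(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)")


def unexpected_tags(markup):
    """Regression check: list tags in the output that the template never emits."""
    return sorted({t.lower() for t in TAG_RE.findall(markup)} - ALLOWED_TAGS)


if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_history_unsafe(HISTORY)))
    print("safe:  ", unexpected_tags(render_history_safe(HISTORY)))
```

The same check can run in a test suite against any page that displays user-controlled names, so a later template change that drops the escaping is caught before release.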
History
Date User Action Args
2012-01-05 15:01:43 schlatterbeck set status: new -> closed
    assignee: schlatterbeck
    resolution: accepted
    messages: + msg4467
    nosy: + schlatterbeck
2010-11-19 13:23:29 ThomasAH create