Issue 2550684: Properly escape username in history display. (with patch) - Roundup tracker

classification

Title:	Properly escape username in history display. (with patch)
Type:	security	Severity:	urgent
Components:	Web interface	Versions:	devel, 1.4

process

Status:	closed	Resolution:	accepted
Dependencies		Superseder:
Assigned To:	schlatterbeck	Nosy List:	ThomasAH, schlatterbeck
Priority:		Keywords:	patch

Created on 2010-11-19 13:23 by ThomasAH, last changed 2012-10-10 14:23 by admin.

Files
File name	Uploaded	Description	Edit	Remove
history-user-escape.patch	ThomasAH, 2010-11-19 13:23

Messages
msg4210	Author: [hidden] (ThomasAH)	Date: 2010-11-19 13:23
If you have a user with HTML code in the username, the history of e.g. issues or user details included the unescaped HTML code. A patch to fix this problem is attached. I tested with a username ending with: <a href="http://www.example.com">foo</a> which generated a clickable link in the history.
msg4467	Author: [hidden] (schlatterbeck)	Date: 2012-01-05 15:01
Fixed in Git 336bb3f Thanks for the patch!

History
Date	User	Action	Args
2012-01-05 15:01:43	schlatterbeck	set	status: new -> closed assignee: schlatterbeck resolution: accepted messages: + msg4467 nosy: + schlatterbeck
2010-11-19 13:23:29	ThomasAH	create