Message5059
On Wed, Apr 02, 2014 at 06:59:01AM +0000, Pradip Caulagi wrote:
>
> Pradip Caulagi added the comment:
>
> I am a little lost here. It looks like the url is properly escaped.
> This is the url I see when I add an issue -
>
> http://localhost:8917/demo/issue1?@ok_message=msg%201%20created%0Aissue%201%20created&@template=item
>
> Is this xss? Are we saying that the ok_message should be plain text?
> The URL remains same, irrespective of the template we use.
No, this per se isn't XSS. If you insert HTML into the URL, e.g.
...
@ok_message=msg%201%20<i>created</i>%0Aissue%201%20created&@template=item
the <i> and </i> should be escaped; the message should *not* appear in
italics. This -- at least my tests say -- is handled correctly.
But the demo tracker seems to show funny messages which the 'classic'
tracker displays properly. The example above (with the escaped HTML
markup in my example) shows two messages in green on the classic
tracker:

    msg 1 <i>created</i>
    issue 1 created

Plus the "clear this message" link.
So my attempt here was to try to find out why this is failing for some
people.
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office@runtux.com
allmenda.com member email: rsc@allmenda.com

Date                | User          | Action | Args
2014-04-02 15:10:42 | schlatterbeck | set    | recipients: + schlatterbeck, ber, pcaulagi
2014-04-02 15:10:42 | schlatterbeck | link   | issue2550814 messages
2014-04-02 15:10:42 | schlatterbeck | create |
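The check Ralf describes, as an added example that is not Roundup's own code: take the @ok_message parameter from the demo URL above, split it on the newline into separate messages, and HTML-escape each one so the <i> tags are shown literally instead of rendering in italics. The function names and the HTML wrapper markup are assumptions for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The URL from the message above, with the HTML markup inserted into @ok_message.
DEMO_URL = (
    "http://localhost:8917/demo/issue1?"
    "@ok_message=msg%201%20<i>created</i>%0Aissue%201%20created&@template=item"
)


def ok_messages_from_url(url: str) -> list[str]:
    """Return one HTML-escaped string per line of the @ok_message parameter.

    parse_qs decodes %0A to a newline and %20 to a space; the literal <i>
    tags pass through untouched, so escaping has to happen here, before the
    text is placed into the page. quote=True also neutralises quotes, which
    matters if a message is ever placed inside an attribute.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get("@ok_message", [""])[0]
    return [escape(line, quote=True) for line in raw.split("\n") if line]


def render_ok_messages(url: str) -> str:
    """Render the messages the way the classic tracker shows them: one green
    line per message plus the 'clear this message' link (hypothetical markup)."""
    lines = ok_messages_from_url(url)
    if not lines:
        return ""
    items = "".join(f'<p class="ok-message">{line}</p>' for line in lines)
    return items + '<a href="#" class="clear-message">clear this message</a>'


def contains_raw_tag(rendered: str, tag: str) -> bool:
    """True if an unescaped tag taken from user input survived into the output."""
    return tag in rendered


if __name__ == "__main__":
    for line in ok_messages_from_url(DEMO_URL):
        print(line)
    print(render_ok_messages(DEMO_URL))
```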