Unescaped JSON in LP.client.cache
Bug #739915 reported by William Grant
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | Critical | William Grant | |
Bug Description
The LP.client.cache JSON in every page on a webservice entry is again unescaped. This allows injection of arbitrary XHTML and JavaScript.
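An added example, not part of the original bug report and not Launchpad's actual fix: one common way to serialize JSON so it can sit inside an inline script element without being parsed as markup. The names `dumps_for_script`, `dumps_unescaped`, `render` and the sample entry are assumptions made for illustration.

```python
import json

# Characters that let a JSON string value end a <script> block early (HTML)
# or be parsed as markup (XHTML), mapped to equivalent JSON \uXXXX escapes.
# U+2028/U+2029 are included because older JavaScript engines treat them as
# line terminators inside string literals.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def dumps_unescaped(obj):
    """The weak form: valid JSON, but not safe to place in inline script."""
    return json.dumps(obj)


def dumps_for_script(obj):
    """Serialize obj so the text can be embedded in an inline <script>.

    In valid JSON these characters can only occur inside string values, so
    replacing them across the whole serialized text does not change the data.
    """
    text = json.dumps(obj, ensure_ascii=False)
    for char, escape in _SCRIPT_UNSAFE.items():
        text = text.replace(char, escape)
    return text


def render(cache_json):
    """Hypothetical stand-in for the template line that emits the cache."""
    return "<script>LP.client.cache = %s;</script>" % cache_json


# Constructed sample: a webservice entry with a user-controlled field.
SAMPLE_ENTRY = {"context": {"title": "x</script><b>injected</b> & more"}}

if __name__ == "__main__":
    print(render(dumps_unescaped(SAMPLE_ENTRY)))   # markup escapes the script
    print(render(dumps_for_script(SAMPLE_ENTRY)))  # stays inside the script
```

The escaped output parses back to the same object in the browser, because `\u003c` inside a JSON string is just another spelling of `<`.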
Related branches
lp://qastaging/~wgrant/launchpad/bug-739915
- Robert Collins (community): Approve
- Diff: 19 lines (+2/-2), 1 file modified: lib/lp/app/templates/base-layout-macros.pt (+2/-2)
visibility: private → public
Already manually deployed to lpnet/edge/staging/qastaging.