Launchpad itself

XSS in AJAX blueprint title updating

Bug #741667 reported by William Grant on 2011-03-24

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	Critical	Unassigned	Launchpad itself 11.04

Bug Description

specification-index.pt does this:

        Y.on('lp:context:title:changed', function(e) {
            // change the window title and breadcrumb.
            Y.lp.ui.update_field('ol.breadcrumbs li:last-child', e.new_value);

update_field sets innerHTML without any escaping. So I can change the title to something malicious while you have the page open, and your next AJAX change will XSS you.

This is possibly a duplicate of bug #740096.

Tags:

William Grant (wgrant) on 2011-04-07

Changed in launchpad:
status:	Triaged → Fix Released
milestone:	none → 11.04

William Grant (wgrant) on 2012-08-24

visibility:

private → public

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.