XSS in AJAX blueprint title updating
Bug #741667 reported by
William Grant
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Critical
|
Unassigned |
Bug Description
specification-
Y.on('lp:context:title:changed', function(e) {
// change the window title and breadcrumb.
update_field sets innerHTML without any escaping. So I can change the title to something malicious while you have the page open, and your next AJAX change will XSS you.
This is possibly a duplicate of bug #740096.
Changed in launchpad: | |
status: | Triaged → Fix Released |
milestone: | none → 11.04 |
visibility: | private → public |
To post a comment you must log in.