Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 3274 by [email protected]: xss in autocomplete
http://code.google.com/p/reviewboard/issues/detail?id=3274
What version are you running?
2.0 beta 4 (dev)
What's the URL of the page containing the problem?
https://reviews.reviewboard.org/dashboard/
What steps will reproduce the problem?
1. Log in to reviewboard.
2. Enter "uchi" in the search box in the upper right.
3. Script error.
What is the expected output? What do you see instead?
What operating system are you using? What browser?
Firefox 30
Please provide any additional information below.
This is an XSS vulnerability. It is caused by ui.autocomplete output not being
HTML-escaped.
It will be fixed by this patch. (Sorry, I did not understand how to submit a patch
for reviewboard.)
Index: reviewboard/htdocs/media/rb/js/ui.autocomplete.js
===================================================================
diff --git a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js
b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js
--- a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (revision
2200)
+++ b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (working copy)
@@ -424,7 +424,7 @@
multiple: false,
multipleSeparator: ", ",
highlight: function(value, term) {
- return value.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" +
term.replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1")
+ ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>");
+ return $('<div>').text(value).html().replace(new
RegExp("(?![^&;]+;)(?!<[^<>]*)(" +
$('div').text(term).html().replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|
\\])/gi, "\\$1") + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>");
},
scroll: true,
scrollHeight: 180
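Review bot: In the added `highlight` return, the term is escaped with `$('div').text(term).html()`, which is missing the angle brackets used for `value` in the same line. `$('div')` selects every existing div on the page and overwrites its text with the search term instead of creating a detached element, so each autocomplete render would clobber page content and the returned HTML comes from whichever div is first in the document. Use `$('<div>').text(term).html()` so that the term is escaped the same way as `value` without touching the live DOM.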