Closed Bug 619609 Opened 14 years ago Closed 14 years ago

Almost XSS in tag_link

Tracking

(Not tracked)

Status:

RESOLVED FIXED

Milestone:

5.12.6

People

(Reporter: jbalogh, Assigned: andy+bugzilla)

Details

(Keywords: wsec-xss)

Jeff Balogh (:jbalogh)

Reporter

Description

•

14 years ago

If we didn't hit the NoReverseMatch in bug 619580 the tag text would get into the page unescaped.  Bug 619580 is making text safer, but we shouldn't be passing these unescaped anyways.

1. tag_text should be escaped
2. tag_link should return Markup
3. tag_link callers should not append |safe
4. there should be interpolation tests

Andy McKay

Assignee

Updated

•

14 years ago

Assignee: nobody → amckay

Andy McKay

Assignee

Comment 1

•

14 years ago

Ready for r?, but makes sense to do 619580 first and slugify.

Andy McKay

Assignee

Comment 2

•

14 years ago

https://github.com/jbalogh/zamboni/commit/529f90e224fbe26e8e739b90863234fd0af1e8d8

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Yvan Boily [:ygjb][:yvan]

Comment 3

•

11 years ago

Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.

Keywords: wsec-xss

Nobody; OK to take it and work on it

Updated

•

8 years ago

Product: addons.mozilla.org → addons.mozilla.org Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Almost XSS in tag_link

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

Tracking

(Not tracked)

People

(Reporter: jbalogh, Assigned: andy+bugzilla)

References

Details

(Keywords: wsec-xss)

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Comment 3

Updated