Closed
Bug 619609
Opened 14 years ago
Closed 14 years ago
Almost XSS in tag_link
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
5.12.6
People
(Reporter: jbalogh, Assigned: andy+bugzilla)
Details
(Keywords: wsec-xss)
If we didn't hit the NoReverseMatch in bug 619580 the tag text would get into the page unescaped. Bug 619580 is making text safer, but we shouldn't be passing these unescaped anyways.
1. tag_text should be escaped
2. tag_link should return Markup
3. tag_link callers should not append |safe
4. there should be interpolation tests
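The four points in the report, as an added, runnable example (not the zamboni code and not the commit linked below). The `Markup` class and `escape` function here are a minimal stand-in for the markupsafe/Jinja2 contract (a value with `__html__` is trusted, everything else is escaped); `tag_url` is a hypothetical stand-in for the Django URL reverse the real helper would call. The "before" helper returns a plain string that callers then mark `|safe`; the "after" helper escapes each interpolated value itself and returns `Markup`, so callers need no `|safe` and autoescaping does not double-escape it. The payload at the bottom is constructed for the interpolation test.

```python
import html
from urllib.parse import quote


class Markup(str):
    """Minimal stand-in for markupsafe.Markup: a str that declares itself
    safe via __html__. Assumption: real code would import this from markupsafe."""

    def __html__(self):
        return self


def escape(value):
    """HTML-escape a value unless it declares itself safe (markupsafe contract).
    This is what an autoescaping Jinja2 template does to every {{ value }}."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


def tag_url(tag_text):
    # Hypothetical stand-in for reverse('tags.detail', args=[tag_text]).
    # URL-encoding the path segment is separate from HTML-escaping it.
    return "/tags/" + quote(tag_text, safe="")


def tag_link_unsafe(tag_text):
    # 'before': raw tag_text interpolated into markup, returned as a plain str.
    # Templates had to write {{ tag_link(t)|safe }}, which injects it verbatim.
    return '<a href="%s">%s</a>' % (tag_url(tag_text), tag_text)


def tag_link(tag_text):
    # 'after' (points 1 and 2): escape every interpolated value, return Markup.
    # Point 3: callers render {{ tag_link(t) }} with no |safe.
    return Markup('<a href="%s">%s</a>' % (escape(tag_url(tag_text)), escape(tag_text)))


def render_autoescaped(value):
    """What {{ value }} produces under autoescape: Markup passes through,
    plain str is escaped (so a plain-str helper gets double-escaped, not XSS)."""
    return str(escape(value))


def render_with_safe_filter(value):
    """What {{ value|safe }} produces: the string is trusted as-is."""
    return str(value)


# Constructed payload for the interpolation test (point 4).
PAYLOAD = "<script>alert(1)</script>"


def interpolation_test():
    """Return the rendered output of both helpers under the call pattern
    each one invites, so a test can assert the script tag never survives."""
    return {
        "unsafe_plus_safe_filter": render_with_safe_filter(tag_link_unsafe(PAYLOAD)),
        "markup_autoescaped": render_autoescaped(tag_link(PAYLOAD)),
    }


if __name__ == "__main__":
    for name, out in interpolation_test().items():
        print(name, "->", out)
```

The check a reviewer would want is the last one below: `render_autoescaped(tag_link(x))` must equal `tag_link(x)` itself. If the helper returned a plain string, autoescaping would mangle the anchor into visible `&lt;a href=...`, which is exactly why callers reach for `|safe` and reopen the injection.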
Updated•14 years ago
Assignee: nobody → amckay
Comment 1•14 years ago
Ready for r?, but makes sense to do 619580 first and slugify.
Comment 2•14 years ago
https://github.com/jbalogh/zamboni/commit/529f90e224fbe26e8e739b90863234fd0af1e8d8
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 3•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard