See the URL field for an example. This script currently doesn't sanitize quotes or HTML, allowing an attacker to display their own content in the search results.
Nelson, can you take a look at this?
Assignee: nobody → nelson
Priority: -- → P1
Target Milestone: --- → 0.2
Fixed in support-stage, will be included in the next sync.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Turns out this was fixed on support.mozilla.com already.
Status: RESOLVED → VERIFIED
Group: webtools-security → websites-security
These bugs are all resolved, so I'm removing the security flag from them.