Closed Bug 41906 Opened 25 years ago Closed 24 years ago

Don't allow HTML in quips

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Bugzilla 2.12

People

(Reporter: BenB, Assigned: Chris.Yeh)

References

Details

(Whiteboard: 2.12) 

The bug list shows you a short text which can be entered at <http:
//bugzilla.mozilla.org/newquip.html> by anybody. (Is there any option to turn it
off?) It allows HTML, which is sent directly to the bugzilla user.

That's a perfect way to exploit Mozilla security holes.
bug 13075 is now about this, but nobody updated the summary of that bug.
This should be marked a duplicate of bug 13075 IMHO.
Blocks: 38852
(13075 is fixed, but this bug is still there, I think.)

This bug is sitting around much too long. raising severity to critical, because
security relevant. the mozilla.org domain is a testbed for Mozillas (as least, I
use it as such) and *has* to be secure.
Severity: normal → critical
is there some perl code that does this already?
Assignee: tara → cyeh
Whiteboard: 2.12
I have no idea. But you could just escape "<>&" (">" -> &gt; "<" -> "&lt;", "&"
-> "&amp;"), and the HTML code would appear in the page as cleartext, without
being evaluated by the browser.
This is a dupe and it's been fixed anyway.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
cool, tnx! verifying.
Status: RESOLVED → VERIFIED
I can still enter &'s...
In search of accurate queries....  (sorry for the spam)
Target Milestone: --- → Bugzilla 2.12
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.