POSTing the string: foobar" onclick="alert(123); in the username field results in the following HTML in the response: <input name="name" id="nameid" tabindex="2" value="foobar" onclick="alert(123);" type="text"> Recommend using htmlentities to encode quotes, brackets, etc. in the output.
On the registration page: http://devmo.dekiwiki.mozilla.org/index.php?title=Special:Userlogin&register=true the email parameter is also vulnerable. Sample attack string: firstname.lastname@example.org" onclick="alert(123);
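The following is an added illustration, not code from the Deki wiki or from this bug's fix: it renders the username field first with the raw value spliced into the attribute and then with the htmlentities encoding the report recommends, and parses both with DOMDocument to show which attributes the input element actually ends up with. The function names are assumed for the example.

```php
<?php
// Constructed sample input: the attack string quoted in the bug report.
$attack = 'foobar" onclick="alert(123);';

// Vulnerable rendering (assumed shape): the submitted value goes straight
// into the value attribute, so a quote in the input closes the attribute.
function render_unsafe(string $name): string {
    return '<input name="name" id="nameid" tabindex="2" value="' . $name . '" type="text">';
}

// Fixed rendering: htmlentities with ENT_QUOTES encodes both " and ' (as
// well as < > &), so the value can no longer break out of the attribute.
function render_safe(string $name): string {
    $enc = htmlentities($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="name" id="nameid" tabindex="2" value="' . $enc . '" type="text">';
}

// Parse the markup the way a browser would and return the attributes of
// the first <input> element, with entities decoded by the HTML parser.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $a) {
        $attrs[$a->name] = $a->value;
    }
    return $attrs;
}

// Regression check: the encoded version must keep the whole string inside
// value and must not acquire an onclick handler.
function check_output_encoding(string $name): bool {
    $unsafe = input_attributes(render_unsafe($name));
    $safe   = input_attributes(render_safe($name));
    $unsafe_breaks_out = isset($unsafe['onclick']);
    $safe_contained    = !isset($safe['onclick']) && $safe['value'] === $name;
    return $unsafe_breaks_out && $safe_contained;
}

echo render_unsafe($attack), "\n";
echo render_safe($attack), "\n";
echo check_output_encoding($attack) ? "encoding contains the payload\n" : "FAIL\n";
```

The same check applies to the email parameter on the registration page, since the second attack string in the report breaks out of its attribute in the same way.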
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Component: Deki Infrastructure → Other
Product: Mozilla Developer Network → Mozilla Developer Network
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.