potential XSS on front page of www.mozilla.org

on 3.jan browsed www.mozilla.org and visually noticed anomaly very close to XSS caused by bugzilla bug - in community ticker was injected |<h2>| present in the subject of the linked bug. attached is screenshot with js disabled - see |typeface| in middle right. wrote about this on irc #js, about 5 minutes later the anomaly disappeared.
as of now your front page has file upload control due to timeless's bug
dveditz: does this act of humane american patriotism deserve a bounty?
Created attachment 419879 [details] [diff] [review] patch - v1 The title attribute was being HTML decoded by cleanHtml() for some unknown reason. I removed that code and replaced the existing truncate() function with one I found in CakePHP's code that parses HTML entities correctly.
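The two defects named in the patch description above (a title attribute that was HTML-decoded before output, and a truncate() that cut entity-encoded text mid-entity) can be shown side by side. The following is an added illustration, not the mozilla.org patch or CakePHP's code, written in Python rather than the site's PHP; the function names (render_ticker_item, truncate_naive, truncate_entity_safe, has_dangling_entity) and the sample bug subject are constructed for the example.

```python
import html
import re

# Matches one complete HTML character reference: named, decimal or hex.
ENTITY_RE = re.compile(r'&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);')

# Constructed sample: a bug subject that carries markup and an ampersand,
# like the "<h2>" seen in the community ticker screenshot.
SAMPLE_SUBJECT = '<h2>typeface</h2> & more'


def tokenize_encoded(encoded):
    """Split entity-encoded text into atomic units: an entity stays whole."""
    tokens, pos = [], 0
    for m in ENTITY_RE.finditer(encoded):
        tokens.extend(encoded[pos:m.start()])   # plain characters, one each
        tokens.append(m.group(0))               # the entity as a single token
        pos = m.end()
    tokens.extend(encoded[pos:])
    return tokens


def truncate_naive(encoded, length, ellipsis='...'):
    """Byte-oriented truncate: may cut '&lt;' into '&l' and leave a bare '&'."""
    if len(encoded) <= length:
        return encoded
    return encoded[:length - len(ellipsis)] + ellipsis


def truncate_entity_safe(encoded, length, ellipsis='...'):
    """Truncate by visible characters, never splitting an entity."""
    tokens = tokenize_encoded(encoded)
    if len(tokens) <= length:
        return encoded
    return ''.join(tokens[:length - len(ellipsis)]) + ellipsis


def has_dangling_entity(encoded):
    """True if an '&' remains that is not the start of a complete entity."""
    return '&' in ENTITY_RE.sub('', encoded)


def render_ticker_item(subject, href, length=10, decode_title=False):
    """Build one ticker entry with the subject in both the title attribute
    and the link text. decode_title=True reproduces the reported bug: the
    attribute value is HTML-decoded before being emitted, so markup that
    was safely escaped comes back as live tags."""
    escaped = html.escape(subject, quote=True)
    title = html.unescape(escaped) if decode_title else escaped
    text = truncate_entity_safe(escaped, length)
    return '<a href="%s" title="%s">%s</a>' % (html.escape(href, quote=True), title, text)


if __name__ == '__main__':
    escaped = html.escape(SAMPLE_SUBJECT, quote=True)
    print(truncate_naive(escaped, 10), has_dangling_entity(truncate_naive(escaped, 10)))
    print(truncate_entity_safe(escaped, 10), has_dangling_entity(truncate_entity_safe(escaped, 10)))
    print(render_ticker_item(SAMPLE_SUBJECT, 'https://example.invalid/bug', decode_title=True))
    print(render_ticker_item(SAMPLE_SUBJECT, 'https://example.invalid/bug'))
```

The defender's check is the last pair of calls: with decode_title=True the rendered attribute contains a literal <h2>, which a browser parses as markup once the quote is closed; with the decode removed, the same subject reaches the page only as &lt;h2&gt;. The entity-safe truncate keeps the displayed text well-formed regardless of where the cut lands.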
r58866 Thanks, georgi, for noticing this.
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.