Almost XSS in tag_link

RESOLVED FIXED in 5.12.6

Product: addons.mozilla.org Graveyard
Component: Public Pages
Status: RESOLVED FIXED
Reporter: jbalogh
Assignee: Andy McKay
Keywords: wsec-xss
Fixed in: 5.12.6

Description (Reporter, 8 years ago)

If we didn't hit the NoReverseMatch in bug 619580 the tag text would get into the page unescaped. Bug 619580 is making text safer, but we shouldn't be passing these unescaped anyways.

1. tag_text should be escaped
2. tag_link should return Markup
3. tag_link callers should not append |safe
4. there should be interpolation tests
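The four-point fix above, as an added example that is not zamboni's own code: a 'before' helper that interpolates raw tag text and relies on callers appending |safe, beside a hardened tag_link that escapes tag_text and returns Markup, plus the interpolation checks the report asks for. Markup, escape, slugify and tag_url are stand-ins constructed here to mirror the markupsafe/Jinja2 __html__ protocol, not the project's implementations.

```python
import html
import re


class Markup(str):
    """Minimal stand-in for markupsafe.Markup: a str that declares itself safe via __html__."""

    def __html__(self):
        return self


def escape(value):
    """Mirror markupsafe.escape(): trust objects exposing __html__, escape everything else."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


def slugify(text):
    # Constructed stand-in for the slug that ends up in the URL (bug 619580 territory).
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def tag_url(slug):
    # Constructed stand-in for the reverse()d tag URL.
    return "/tags/%s" % slug


def tag_link_vulnerable(tag_text):
    """'Before': raw text goes into the markup; callers append |safe, so nothing escapes it."""
    return '<a href="%s">%s</a>' % (tag_url(slugify(tag_text)), tag_text)


def tag_link(tag_text):
    """'After': escape every interpolated piece, then return Markup so callers can drop |safe."""
    href = escape(tag_url(slugify(tag_text)))
    return Markup('<a href="%s">%s</a>' % (href, escape(tag_text)))


def render_as_template_would(value):
    """What Jinja2 autoescape does with a helper's return value: escape() unless it is Markup."""
    return str(escape(value))


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"  # constructed tag text
    print(tag_link_vulnerable(hostile))  # the |safe pattern would emit this unchanged
    print(render_as_template_would(tag_link(hostile)))  # script tags neutralised, link intact
```

Because the hardened helper returns Markup, autoescape leaves it alone, so the output is escaped exactly once rather than doubled.
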
Updated (Assignee, 8 years ago)

Assignee: nobody → amckay
Comment 1 (Assignee, 8 years ago)

Ready for r?, but makes sense to do 619580 first and slugify.
Comment 2 (Assignee, 8 years ago)

https://github.com/jbalogh/zamboni/commit/529f90e224fbe26e8e739b90863234fd0af1e8d8
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Product: addons.mozilla.org → addons.mozilla.org Graveyard