Closed Bug 771640 Opened 12 years ago Closed 12 years ago

XSS vuln on new article in Kuma editor

Categories

(developer.mozilla.org Graveyard :: Wiki pages, defect, P1)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: stephend, Unassigned)

Details

(Keywords: wsec-xss, Whiteboard: [infrasec-qa:xss] s=2012-07-25)

Attachments

(3 files)

Attached image Problematic markup
STR:

1. Load https://developer-new.mozilla.org/en-US/docs/new?slug=jkls
2. In the Title field, enter "</script><script>alert("Hi!");</script>" without the quotes
3. Do the same for the Slug and Tags fields
4. Click Preview Changes

Actual Results:

I get an alert() that says "Hi!", indicating the JS was executed

Expected Results:

No XSS :-(
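
Added example, not part of the original report and not Kuma's code: the payload in step 2 opens with a closing script tag, so this sketch assumes the field value was reflected inside an inline script block on the preview page, and shows that pattern beside two escaped forms. All function names here are hypothetical.

```python
import html
import json

# Payload from the report's steps to reproduce.
PAYLOAD = '</script><script>alert("Hi!");</script>'

# Characters that let a value end the enclosing script element or start an
# HTML entity or comment. Each is replaced by a \uXXXX escape, which JSON and
# JavaScript decode back to the original character.
_SCRIPT_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def naive_inline_script(title):
    """Assumed vulnerable pattern: plain JSON placed inside a script block.

    json.dumps escapes quotes and backslashes but leaves '<' and '/' alone,
    so the HTML parser still sees the payload's closing script tag.
    """
    return "<script>var title = %s;</script>" % json.dumps(title)


def json_for_script(value):
    """Serialize value so it cannot terminate the enclosing script element."""
    out = json.dumps(value)  # ensure_ascii default also escapes U+2028/U+2029
    for ch, esc in _SCRIPT_UNSAFE.items():
        out = out.replace(ch, esc)
    return out


def safe_inline_script(title):
    """Same markup as the naive version, with script-safe serialization."""
    return "<script>var title = %s;</script>" % json_for_script(title)


def safe_html_field(title):
    """For values rendered as element text or attribute values: HTML-escape."""
    return '<input name="title" value="%s">' % html.escape(title, quote=True)


if __name__ == "__main__":
    print(naive_inline_script(PAYLOAD))
    print(safe_inline_script(PAYLOAD))
    print(safe_html_field(PAYLOAD))
```

The escaping has to match the context the value lands in: HTML-escaping alone is the right fix for the form fields, while a value placed inside a script block needs the script-safe serialization.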
Does this resolve bug 665735? To think some believe users need jsFiddle to experiment with JavaScript...
Blocks: 771763
Priority: -- → P1
(In reply to John Karahalis [:openjck] from comment #2)
> Does this resolve bug 665735? To think some believe users need jsFiddle to
> experiment with JavaScript...

I don't think this has anything to do with bug 665735
(In reply to Les Orchard [:lorchard] from comment #3)
> (In reply to John Karahalis [:openjck] from comment #2)
> > Does this resolve bug 665735? To think some believe users need jsFiddle to
> > experiment with JavaScript...
> 
> I don't think this has anything to do with bug 665735

Just a joke. :-)
Whiteboard: [infrasec-qa:xss] → [infrasec-qa:xss] s=2012-07-17
https://developer-new.mozilla.org/en-US/docs/new
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified FIXED; thanks!
Status: RESOLVED → VERIFIED
Whiteboard: [infrasec-qa:xss] s=2012-07-17 → [infrasec-qa:xss] s=2012-07-25
Version: Kuma → unspecified
Component: Website → Landing pages
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard