Bug 780866
Opened 13 years ago
Closed 13 years ago
Stored XSS in Page WYSIWYG Editor
Categories: developer.mozilla.org Graveyard :: Editing, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 779597
People: (Reporter: shai, Unassigned)
Attachments: 1 file (173.07 KB, image/jpeg)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.60 Safari/537.1
Steps to reproduce:
1. Visit: https://developer.mozilla.org/en-US/docs/
2. Create a New Page
3. Insert title
4. Click the "Source" button in the WYSIWYG editor
5. Insert in body: "><img src='1.jpg'onerror=javascript:alert("XSS")>
6. Save Changes
7. Click the Edit Button
Note:
The page will be listed in "Pages for review" (https://developer.mozilla.org/en-US/docs/needs-review). Users who access the page and click the edit button will trigger the XSS.
Actual results:
XSS will be triggered.
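As an added illustration (not code from this bug or from Kuma), the sketch below renders the markup from step 5 into a hypothetical edit form twice, once interpolated raw and once HTML-escaped, then parses both results to see which elements and event-handler attributes come out. The bug does not say how the editor embeds the stored source; the attribute-value template and all function names here are assumptions.

```python
import html
from html.parser import HTMLParser

# Markup from step 5 of the report, stored verbatim as the page source.
STORED = '''"><img src='1.jpg'onerror=javascript:alert("XSS")>'''

# Hypothetical edit-form template (assumption, not Kuma's real template):
# the stored source is placed inside a double-quoted attribute value.
FORM = '<form><input type="hidden" name="content" value="{content}"></form>'


def render_unsafe(stored):
    """Interpolate the stored markup as-is (the behaviour being reported)."""
    return FORM.format(content=stored)


def render_escaped(stored):
    """HTML-escape the stored markup, quotes included, before interpolation."""
    return FORM.format(content=html.escape(stored, quote=True))


class Audit(HTMLParser):
    """Record every start tag, any on* handler attribute, and the input's value."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.value = [], [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if tag == "input" and name == "value":
                self.value = val


def audit(markup):
    """Return (tags, event handlers, input value) found in rendered markup."""
    parser = Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, parser.value


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        print(render.__name__, audit(render(STORED)))
```

In the escaped rendering the editor field still receives the author's source byte for byte, so escaping at output does not alter what gets edited or saved.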
Updated•13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Version: Kuma → unspecified
Updated•13 years ago
Component: Docs Platform → Editing
Comment 3•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard