Closed Bug 826912 Opened 11 years ago Closed 11 years ago

Code example "file-click-demo" vulnerable to XSS with certain file names

Tracking

(Not tracked)

Status:

RESOLVED DUPLICATE of bug 827398

People

(Reporter: openjck, Unassigned)

Details

(Whiteboard: [site:developer.mozilla.org])

John Karahalis [:openjck]

Reporter

Description

•

11 years ago

This supersedes bug 769757.

Steps to repeat:

1. On a Linux machine, open a terminal and run `touch "<img src=X onerror=alert(1)>.png"`
2. Visit https://developer.mozilla.org/samples/domref/file-click-demo.html
3. Upload the file that was created in step 1.

Actual result:

Alert appears, indicating vulnerability to XSS.

Expected result:

Alert does not appear.

John Karahalis [:openjck]

Reporter

Updated

•

11 years ago

Summary: MDN code example vulnerable to XSS with certain file names → Code example "file-click-demo" vulnerable to XSS with certain file names

Luke Crouch [:groovecoder]

Updated

•

11 years ago

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → DUPLICATE

Stefan Arentz | :st3fan | ⏰ EST | he/him

Updated

•

11 years ago

Whiteboard: [site:developer.mozilla.org]

Will Kahn-Greene [:willkg] ET needinfo? me

Comment 2

•

8 years ago

For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.

Group: websites-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Code example "file-click-demo" vulnerable to XSS with certain file names

Categories

(developer.mozilla.org :: Security, defect)

Tracking

(Not tracked)

People

(Reporter: openjck, Unassigned)

References

Details

(Whiteboard: [site:developer.mozilla.org])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Comment 2