- **private**: Yes --> No

---

**[tickets:#6889] XSS on /p/add_project/**

**Status:** closed
**Labels:** support p1 security
**Created:** Sat Nov 16, 2013 02:34 AM UTC by Chris Tsai
**Last Updated:** Mon Nov 18, 2013 04:23 PM UTC
**Owner:** Dave Brondsema

[forge:site-support:#5930]

>If you copy and paste this payload: `"><img src=x onerror=prompt(1);>` at the
>page of sourceforge/p/add_Project in the two forms, you got a XSS

Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.