---
**[tickets:#7931] Tool install dialog needs to escape html/js**
**Status:** open
**Milestone:** unreleased
**Created:** Wed Jul 15, 2015 03:13 PM UTC by Dave Brondsema
**Last Updated:** Wed Jul 15, 2015 03:13 PM UTC
**Owner:** nobody
If you go to install a tool and enter `"/><img src=x onerror=prompt(/XSS-test/)>`
as the "Url Path" it will execute that JS when previewing the URL. We should
escape this. Not a security risk since it only executes local to the current
user (not a way to make a "victim" run this JS).
---
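The escaping the ticket asks for, as an added example that is not part of the original ticket and not Allura's own code: a URL preview built by string concatenation next to the same preview with the value HTML-escaped, both fed the "Url Path" value quoted in the ticket. The function names, the markup and the `/p/demo/` base URL are assumptions made for illustration.

```javascript
// Added example. All names and markup here are hypothetical, not Allura's code.

// Characters that can close an attribute value or open a new tag.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the user-typed path is concatenated straight into the preview markup,
// so a quote in the value ends the href attribute and the rest is parsed as HTML.
function previewUnsafe(baseUrl, urlPath) {
  const url = baseUrl + urlPath;
  return '<a href="' + url + '">' + url + '</a>';
}

// After: the value is escaped once, then used in both attribute and text context.
// In a browser, element.textContent and setAttribute() achieve the same result
// without building an HTML string at all.
function previewSafe(baseUrl, urlPath) {
  const url = escapeHtml(baseUrl + urlPath);
  return '<a href="' + url + '">' + url + '</a>';
}

// Crude check for this demo only (not an HTML parser): list every opening tag
// in the rendered markup other than the single <a> the preview is meant to emit.
function extraTags(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<a\s/.test(tag));
}

// The "Url Path" value from the ticket; the base URL is constructed sample input.
const TICKET_URL_PATH = '"/><img src=x onerror=prompt(/XSS-test/)>';
const SAMPLE_BASE_URL = '/p/demo/';

console.log('unsafe extra tags:', extraTags(previewUnsafe(SAMPLE_BASE_URL, TICKET_URL_PATH)));
console.log('safe extra tags:  ', extraTags(previewSafe(SAMPLE_BASE_URL, TICKET_URL_PATH)));
console.log('safe markup:      ', previewSafe(SAMPLE_BASE_URL, TICKET_URL_PATH));
```
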