Tim Donohue created DS-1603:
-------------------------------
Summary: HTML not stripped in user profile data information in
JSPUI
Key: DS-1603
URL: https://jira.duraspace.org/browse/DS-1603
Project: DSpace
Issue Type: Bug
Components: JSPUI
Affects Versions: 3.1, 3.0, 1.8.2, 1.8.1, 1.8.0, 1.7.2, 1.7.1, 1.7.0,
1.6.0, 1.5.0
Reporter: Tim Donohue
Assignee: Hardy Pottinger
Priority: Major
Fix For: 3.2, 1.7.3, 1.8.3
In the JSPUI, it is possible to set your name to be (e.g.) <h1>Jane Doe</h1>.
This data is displayed as-is rather than being stripped out, meaning your name
appears in bold. This could be used as the basis for an XSS attack. However,
there are no known security breaches involving this bug.
The XMLUI treats this OK and does strip out the tags and displays them as their
entities.
(This ticket has been copied from its original location in the now closed
DSpace SourceForge Bug Tracker: https://sourceforge.net/p/dspace/bugs/524/ It
was also more recently reported by Shane Williams at the University of Texas)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
