[ https://jira.duraspace.org/browse/DS-1603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Donohue updated DS-1603:
----------------------------
Documentation Status: (was: In Description)
> HTML not stripped in user profile data information in JSPUI
> ------------------------------------------------------------
>
> Key: DS-1603
> URL: https://jira.duraspace.org/browse/DS-1603
> Project: DSpace
> Issue Type: Bug
> Components: JSPUI
> Affects Versions: 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2,
> 3.0, 3.1
> Reporter: Tim Donohue
> Assignee: Hardy Pottinger
> Priority: Major
> Fix For: 3.2, 1.7.3, 1.8.3
>
>
> In the JSPUI, it is possible to set your name to be (e.g.) <h1>Jane Doe</h1>.
> This data is displayed as-is rather than being stripped out, meaning your
> name appears in bold. This could be used as the basis for an XSS attack.
> However, there are no known security breaches involving this bug.
> The XMLUI treats this OK and does strip out the tags and displays them as
> their entities.
> (This ticket has been copied from its original location in the now closed
> DSpace SourceForge Bug Tracker: https://sourceforge.net/p/dspace/bugs/524/
> It was also more recently reported by Shane Williams at the University of
> Texas)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel