[ https://issues.jenkins-ci.org/browse/JENKINS-1663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kohsuke Kawaguchi resolved JENKINS-1663.
----------------------------------------

      Assignee: Kohsuke Kawaguchi
    Resolution: Fixed
    
> Javascript injection
> --------------------
>
>                 Key: JENKINS-1663
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-1663
>             Project: Jenkins
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: current
>         Environment: Platform: All, OS: All
>            Reporter: kha
>            Assignee: Kohsuke Kawaguchi
>
> It is possible to inject javascript / use yahoo utils to do ajax requests and
> also launch some builds from the user profiles.
> In People section > edit a profile
> Put as example:
> <p>Javascript injection</p>
> <a href="javascript:alert(document.cookie);">Show Cookies</a>
> <p>Some buttons</p>
> Buils WTT - CI <a href="/hudson/job/web-test-tools - ci/build?delay=0sec"><img
> border="0" title="Schedule a build"
> src="/hudson/static/7ef5ac6b/images/16x16/clock.gif"/></a>
> <p/>
> <img src="http://www.schwimmerlegal.com/smiley.jpg"></img>
> - You could also do a simple loop that will launch builds
> - send ajax requests to a third party website

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
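
An added example, not part of the original report and not the fix Jenkins shipped: one way to neutralise the profile markup quoted above is an allowlist sanitizer applied to the description before it is rendered. The tag and scheme allowlists and the names `safe_href`, `ProfileSanitizer` and `sanitize` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a"}  # assumed policy: no img, no script
SAFE_SCHEMES = {"http", "https", "mailto"}           # assumed policy: absolute links only

def safe_href(value):
    """Return a cleaned URL when its scheme is allowlisted, otherwise None."""
    if not value:
        return None
    # Drop whitespace and control characters so "java\tscript:" cannot hide the scheme.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:
        return None
    return cleaned if scheme in SAFE_SCHEMES else None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        attr_text = ""
        if tag == "a":  # href is the only attribute ever re-emitted
            href = safe_href(dict(attrs).get("href"))
            if href:
                attr_text = ' href="%s" rel="nofollow noopener"' % escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped

def sanitize(description):
    parser = ProfileSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)

# Sample input adapted from the markup in the report above.
SAMPLE = ('<p>Javascript injection</p>'
          '<a href="javascript:alert(document.cookie);">Show Cookies</a>'
          '<a href="/hudson/job/web-test-tools - ci/build?delay=0sec"><img border="0"/></a>')
print(sanitize(SAMPLE))
```

Sanitising the description does not stop an absolute link that points at a build URL; that part of the report is addressed only if build-triggering requests are not accepted as plain GETs.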

        
