Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 1054 by darkness: reviewboard doesn't escape html
http://code.google.com/p/reviewboard/issues/detail?id=1054

*NOTE: Do not post confidential information in this bug report.*

What steps will reproduce the problem?
1. Edit a review and add some JavaScript code:

<script>alert(document.cookie)</script>

2. Publish the review.
3. The script is executed and there's no way to remove it from the page.

What is the expected output? What do you see instead?

All HTML should be escaped from user input to prevent CSS attacks.

What operating system are you using? What browser?

ff3, osx
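
An added example, not part of the original report and not Review Board's own code: it renders the review text from the reproduction steps with and without escaping, then parses the output to check that only the template's own tags survive. The function names, the `div`/`br` template and the allowed-tag set are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Review text from the report's reproduction step (sample input).
REVIEW_TEXT = "Looks good.\n<script>alert(document.cookie)</script>"
ALLOWED_TAGS = {"div", "br"}  # assumed: the only tags the template itself emits


def render_unsafe(text):
    """The behaviour the report describes: user text goes into markup verbatim."""
    return '<div class="review">%s</div>' % text


def render_escaped(text):
    """Escape first, then add our own line breaks, so all markup is ours."""
    escaped = html.escape(text, quote=True)
    return '<div class="review">%s</div>' % escaped.replace("\n", "<br>\n")


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(markup):
    """Return tags in rendered output that did not come from the template."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t not in ALLOWED_TAGS]


if __name__ == "__main__":
    print("unsafe :", unexpected_tags(render_unsafe(REVIEW_TEXT)))
    print("escaped:", unexpected_tags(render_escaped(REVIEW_TEXT)))
```

A check like `unexpected_tags` fits in a regression test for every template that displays user-supplied text, so a missed escape fails the build instead of reaching a published review.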



