On Mon, 06 Jan 2014 14:14:25 +0900, "Stephen J. Turnbull" <turnb...@sk.tsukuba.ac.jp> wrote:

> Benjamin Peterson writes:
>
> > Not sure if this is interesting.
>
> > 2. As soon as we submit the crafted URL, we get an alert box saying XSS.
> > URL:
> > 
> > > http://bugs.python.org/issue?%40columns=status&message_count="><script>alert("XSS")<%2Fscript>&%40action=search
>
> Sure, this is interesting (it works as advertised for me on Mac OS X
> with Firefox 26.0, and could be used for phishing at least).
>
> I don't know what, if anything, we can do about it, but if we can
> prevent it without unreasonable effort, we should.
It's "just" a matter of making sure roundup html-escapes values that it substitutes into error messages. IOW this is a roundup bug. But Ezio is a Roundup dev, so getting a fix pushed upstream once we have one shouldn't be a problem.

Of course, someone needs to find time to do it...

--David

_______________________________________________
Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss
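The bug class David describes, shown in a small added example that is not Roundup's own code: a search parameter fails validation, the raw parameter value is interpolated into an HTML error message, and the crafted `message_count` value from the URL above closes the attribute and injects a script element. The `render_error_unsafe` / `render_error_safe` functions and the `"Invalid value for ..."` message text are hypothetical stand-ins for whatever template Roundup uses; the fix is the one the reply names, escaping the substituted value with `html.escape` before it reaches the page.

```python
"""Reflected XSS via an unescaped error message, and the html-escaping fix.

Added example for the tracker-discuss thread; this is not Roundup code.
The error-message template and function names are hypothetical.
"""
import html
from urllib.parse import parse_qs, urlsplit

# The crafted URL quoted in the thread.
CRAFTED_URL = (
    "http://bugs.python.org/issue?%40columns=status"
    '&message_count="><script>alert("XSS")<%2Fscript>&%40action=search'
)


def parse_search_query(url):
    """Decode the query string into {name: first_value}, as a web app would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def validate_message_count(value):
    """message_count is a numeric filter; return an error string if it is not an int.

    Returning the offending value is what puts attacker-controlled text into
    the error page, so whoever renders that text must escape it.
    """
    try:
        int(value)
    except ValueError:
        return 'Invalid value for message_count: "%s"' % value
    return None


def render_error_unsafe(message):
    """Hypothetical buggy template: the message is interpolated verbatim."""
    return '<p class="error">%s</p>' % message


def render_error_safe(message):
    """Fixed template: escape the message at output time, quotes included."""
    return '<p class="error">%s</p>' % html.escape(message, quote=True)


def contains_live_markup(rendered):
    """Crude check used in the test: does the output contain a real <script> tag?"""
    return "<script" in rendered.lower()


def handle_request(url, safe):
    """Run the request through parse -> validate -> render; returns the HTML."""
    params = parse_search_query(url)
    error = validate_message_count(params.get("message_count", ""))
    if error is None:
        return "<p>ok</p>"
    return render_error_safe(error) if safe else render_error_unsafe(error)


if __name__ == "__main__":
    print("unsafe:", handle_request(CRAFTED_URL, safe=False))
    print("safe:  ", handle_request(CRAFTED_URL, safe=True))
```

Escaping in the rendering function rather than at the parse step matters: the same value may be echoed into several places (an error paragraph, a form field's `value` attribute, a log line), and only the HTML sink needs HTML escaping. Passing `quote=True` is what closes the attribute-breakout path the crafted URL uses; `html.escape` defaults to it, but it is spelled out here because a payload that starts with `">` only works when quotes are left alone.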