persistent xss on code.launchpad.net
Bug #911632 reported by David
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | Critical | Richard Harding | |
Bug Description
A user's full name is shown unescaped on their code.launchpad.net profile page, thus providing a persistent XSS vector.
For example, the user I just created with the username "ohnoes" and full name "/><script>
https:/
Related branches
lp:~rharding/launchpad/xss_911632
- Aaron Bentley (community): Approve
- Diff: 21 lines (+2/-2), 1 file modified: lib/lp/code/browser/branchlisting.py (+2/-2)
Changed in launchpad:
importance: Undecided → Critical
status: New → Triaged
Changed in launchpad:
assignee: nobody → Richard Harding (rharding)
status: Triaged → In Progress
tags: added: qa-ok, removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → Fix Released
visibility: private → public
Fixed in stable r14633 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/14633>.
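The failure mode described in this report, as an added example that is not Launchpad's code and not the actual change to branchlisting.py: a hypothetical template that interpolates a stored full name, its escaped counterpart, and a regression check that a name made of markup characters leaves the page's element structure unchanged. The template, function names and probe string are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical template standing in for a profile/branch-listing header.
TEMPLATE = '<h1>Branches of <a title="%s" href="/~user">%s</a></h1>'


def render_unsafe(full_name):
    # Before: the stored full name is interpolated into markup verbatim.
    return TEMPLATE % (full_name, full_name)


def render_safe(full_name):
    # After: escape for element-text and quoted-attribute contexts.
    safe = escape(full_name, quote=True)
    return TEMPLATE % (safe, safe)


class ShapeParser(HTMLParser):
    """Records each start tag together with its attribute names."""

    def __init__(self):
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(name for name, _ in attrs))))


def shape_of(markup):
    parser = ShapeParser()
    parser.feed(markup)
    parser.close()
    return parser.shape


def name_is_inert(render, probe):
    """True if `probe` renders with the same element structure as a plain name."""
    return shape_of(render(probe)) == shape_of(render("Plain Name"))


# Constructed probe: markup characters only, nothing executable.
PROBE = 'x"/><b id="probe">'

if __name__ == "__main__":
    print("unescaped render inert:", name_is_inert(render_unsafe, PROBE))
    print("escaped render inert:  ", name_is_inert(render_safe, PROBE))
```

Comparing element structure rather than searching for a fixed string means the check also catches a name that breaks out of the quoted attribute, which text-only escaping (`quote=False`) would miss.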