Bug 151180

Summary: Missing HTML escaping/XSS: <script>alert('hello world')</script>
Product: [Community] Bugzilla
Component: Bugzilla General
Reporter: Ville Skyttä <scop>
Assignee: David Lawrence <dkl>
QA Contact: David Lawrence <dkl>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: medium
Version: 2.18
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-03-15 19:12:14 UTC

Description Ville Skyttä 2005-03-15 19:00:23 UTC
There seems to be a missing HTML escaping / possible cross site scripting
problem with the beta Bugzilla summaries, as probably reproduced by the summary
of this bug.  After modifying a bug, the <h1> in the "Bug XXX processed: ..."
response page contains the summary passed through as-is.
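As an added illustration, not code from Bugzilla itself (which renders its pages from Perl/Template Toolkit templates): a minimal Python rendering of the "Bug XXX processed: ..." heading with the summary interpolated verbatim, beside the escaped form, plus the regression check a reviewer would want. The function names and the constructed sample are assumptions; the sample summary is the one from this bug's Summary field.

```python
import html

# Constructed sample input: the summary of this bug, as shown in its Summary field.
SAMPLE_SUMMARY = "Missing HTML escaping/XSS: <script>alert('hello world')</script>"

def render_processed_heading_unescaped(bug_id: int, summary: str) -> str:
    """Vulnerable form (hypothetical): the summary lands in the <h1> as-is,
    so any markup in it becomes part of the response page."""
    return f"<h1>Bug {bug_id} processed: {summary}</h1>"

def render_processed_heading(bug_id: int, summary: str) -> str:
    """Fixed form: escape &, <, >, \" and ' before placing user text in HTML."""
    return f"<h1>Bug {bug_id} processed: {html.escape(summary, quote=True)}</h1>"

def heading_body(rendered: str) -> str:
    """Return the text between the <h1> and </h1> tags of a rendered heading."""
    prefix, suffix = "<h1>", "</h1>"
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        raise ValueError("not a single <h1> heading")
    return rendered[len(prefix):-len(suffix)]

def summary_rendered_safely(rendered: str, summary: str) -> bool:
    """Regression check: the summary must appear only in escaped form, and the
    heading body must contain no raw HTML-significant characters at all."""
    body = heading_body(rendered)
    escaped = html.escape(summary, quote=True)
    return escaped in body and not any(c in body for c in "<>\"'&" if c != "&" or "&" not in escaped)

if __name__ == "__main__":
    bug_id = 151180
    print(render_processed_heading_unescaped(bug_id, SAMPLE_SUMMARY))
    print(render_processed_heading(bug_id, SAMPLE_SUMMARY))
    print("safe:", summary_rendered_safely(render_processed_heading(bug_id, SAMPLE_SUMMARY), SAMPLE_SUMMARY))
```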

Comment 1 Ville Skyttä 2005-03-15 19:02:26 UTC
Yep, it is reproduced by the summary in this bug.  Testing non-beta
Bugzilla with this comment...

Comment 2 Ville Skyttä 2005-03-15 19:03:15 UTC
Nope, only the beta is affected.

Comment 3 David Lawrence 2005-03-15 19:11:47 UTC
Thanks for the heads-up. Testing change to see if this is fixed with this comment.

Comment 4 David Lawrence 2005-03-15 19:12:14 UTC
Seems to be fixed now.