| Summary: | XSS issues with user's firstname and lastname | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 5 | Reporter: | Michal Vanco <mvanco> |
| Component: | unspecified | Assignee: | hfnukal <hfnukal> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.1.1.DEV01 | CC: | epp-bugs, mvecera |
| Target Milestone: | --- | ||
| Target Release: | 5.1.1.DEV02 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://jira.jboss.org/jira/browse/JBEPP-914 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: |
EPP5.1.1 DEV01
|
|
| Last Closed: | 2011-05-09 13:32:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Link: Added: This issue is related to JBQA-4617 Link: Added: This issue is related to JBEPP-598 Release Notes Docs Status: Added: Not Required Security: Removed: RHT+eXo Added: Public |
project_key: JBEPP JBEPP-598 is already fixed. But when the firstname or lastname contains script, it's executed on 2 more places: - dashboard (logo portlet contains user's fullname) - organization portlet - when the user is added at group using search dialog Steps to reproduce: - register new user with <script>alert('test')</script> at firstname or lastname 1) sign in as new user, click Dashboard - script is executed at logo portlet 2) sign in as root, go to Users management, Group man., select some group, click "Select User" Search icon - script is executed at Select User dialog