Achievo/ATK - Bug 369 – possible javascript insertion problem

Bug 369 - possible javascript insertion problem

Summary:

possible javascript insertion problem

Status:	RESOLVED FIXED

Product:	Achievo
Component:	Userinterface
Version:	1.1.RC2
Platform:	All All

Importance:	P2 critical
Assigned To:	Sandy Pleyte

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2004-10-18 13:46 by Ivo Jansch
Modified:	2004-10-18 21:13 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Ivo Jansch 2004-10-18 13:46:31

In the searchbox in the upper right of Achievo, users can enter arbitrary
javascript code, like this:

<script>alert(document.cookie)</script>

When no searchresults are found, this is executed 'as is', and a popup
displaying the cookie appears. 

While the potential risk of this is low, it is still something that should be fixed.

------- Comment #1 From Sandy Pleyte 2004-10-18 21:13:39 -------

Added a strip_tags so no html tags are allowed anymore.