[Webkit-unassigned] [Bug 39478] New: XSS on bugs.webkit.org PrettyDiff view
bugzilla-daemon at webkit.org
Fri May 21 02:40:49 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=39478
Summary: XSS on bugs.webkit.org PrettyDiff view
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P1
Component: WebKit Website
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: tkent at chromium.org
CC: darin at apple.com, abarth at webkit.org
This is a bug in bugs.webkit.org, not a bug in WebKit.
We can make arbitrary script work on bugs.webkit.org, but it's not vulnerable because there is no way to make the script run for other users.
1. Open https://bugs.webkit.org/attachment.cgi?id=53926&action=review
2. Click somewhere in the PrettyDiff frame. A <textarea> for line-by-line comment appears.
3. Enter "<script>alert('Foo')</script>" into the <textarea>
4. Press the "Add" button
Result:
JavaScript alert with "Foo" opens.
PrettyPatch.rb:
// Insert a non-editable form of our comment.
comment.insert("<pre>" + commentText + "</pre>");
comment.setAttribute("class", "comment submitted");
We need to escape commentText.
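The reported line concatenates commentText straight into markup. The following is an added example, not code from PrettyPatch.rb or the WebKit project: it models the markup the reported line builds, puts an escaped form beside it, and adds a small check a maintainer could run over stored comments. The function names and the sample payload (taken from the report above) are constructed for this example.

```javascript
// Added example, not WebKit's code: models the markup built by
//   comment.insert("<pre>" + commentText + "</pre>");
// with the unescaped (reported) form beside an escaped form.

// Characters that carry meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so a browser renders it as literal text, not as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reported form: the comment text is spliced into markup unchanged, so any
// tags it contains become part of the page when the <pre> is inserted.
function renderCommentUnescaped(commentText) {
  return "<pre>" + commentText + "</pre>";
}

// Escaped form: the same <pre> wrapper, but the text is escaped first.
function renderCommentEscaped(commentText) {
  return "<pre>" + escapeHtml(commentText) + "</pre>";
}

// Check: does the produced markup contain any tag other than the surrounding
// <pre>? Returns true when a comment would be rendered as markup.
function containsInjectedTag(markup) {
  const inner = markup.replace(/^<pre>/, "").replace(/<\/pre>$/, "");
  return /<\s*\/?\s*[a-zA-Z]/.test(inner);
}

// Constructed sample input: the payload quoted in the bug report.
const SAMPLE = "<script>alert('Foo')</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("reported:", renderCommentUnescaped(SAMPLE));
  console.log("escaped: ", renderCommentEscaped(SAMPLE));
}
```

Escaping at this one insertion point closes the reported case; the same rule applies to every other place the comment text is written into HTML.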