[Webkit-unassigned] [Bug 39478] New: XSS on bugs.webkit.org PrettyDiff view

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 21 02:40:49 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=39478

           Summary: XSS on bugs.webkit.org PrettyDiff view
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: WebKit Website
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tkent at chromium.org
                CC: darin at apple.com, abarth at webkit.org


This is a bug of bugs.webkit.org, not a bug of WebKit.
We can make arbitrary script work on bugs.webkit.org, but it's not vulnerable because there is no way to make script run for other users.

1. Open https://bugs.webkit.org/attachment.cgi?id=53926&action=review
2. Click somewhere in the PrettyDiff frame.  A <textarea> for line-by-line comment appears.
3. Input "<script>alert('Foo')</script>" into the <textarea>
4. Press "Add" button

Result:
  JavaScript alert with "Foo" opens.


PrettyPatch.rb:
   // Insert a non-editable form of our comment.
   comment.insert("<pre>" + commentText + "</pre>");
   comment.setAttribute("class", "comment submitted");

We need to escape commentText.
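The insertion quoted above next to the escaped form the report asks for, as an added example that is not PrettyPatch.rb's own code. It builds strings rather than DOM nodes so it runs outside a browser; the function names are assumptions.

```javascript
// Added example, not code from PrettyPatch.rb: the raw concatenation
// reported above beside an escaped version. Names are assumptions.

// Characters that must not reach an HTML text node unencoded.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode commentText so the browser renders it as literal text inside <pre>.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What the reported code does: the comment body is concatenated raw,
// so any markup in it becomes part of the document.
function renderCommentUnsafe(commentText) {
  return "<pre>" + commentText + "</pre>";
}

// The fix the report calls for: escape before concatenating.
function renderCommentSafe(commentText) {
  return "<pre>" + escapeHtml(commentText) + "</pre>";
}

// Illustration-only check: does the produced markup still contain a
// raw tag inside the wrapping <pre>...</pre>?
function containsInjectedTag(markup) {
  const inner = markup.slice("<pre>".length, -"</pre>".length);
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample: the payload from the reproduction steps.
const SAMPLE_COMMENT = "<script>alert('Foo')</script>";

console.log("unsafe:", renderCommentUnsafe(SAMPLE_COMMENT));
console.log("safe:  ", renderCommentSafe(SAMPLE_COMMENT));
```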
