Opened 12 years ago

Closed 12 years ago

#1114 closed defect (bug) (fixed)

able to embed javascript into the Status field

Reported by: DJPaul Owned by:
Milestone: 1.1 Priority: critical
Severity: Version:
Component: Keywords: javascript security


You're able to put HTML in the status field on your profile. I'm not sure if that's a good decision or not - but that's another matter.

If you put this string into your profile, you can trigger javascript commands on your profile page (it doesn't work when clicking your status in the Site Wide Activity).

P.S. Trac may screw this up, so I'll repost if needed.

<a href="" onclick="javascript:alert('bubble')">testing 3</a>

Change History (1)

#1 @apeatling
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [1986]) Fixes #1114
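
The reported string run through an allowlist filter, as an added example: this is not part of the ticket and not the change made in [1986]. The allowed tags, attributes and URL schemes, and the names `sanitize_status` and `safe_url`, are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: tag -> attributes allowed to survive.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def safe_url(url):
    # Browsers ignore whitespace and control characters inside a scheme, so drop them first.
    compact = "".join(ch for ch in url if ord(ch) > 0x20)
    head = re.split(r"[/?#]", compact, maxsplit=1)[0]
    scheme = head.split(":", 1)[0].lower() if ":" in head else ""
    return scheme in SAFE_SCHEMES


class StatusSanitizer(HTMLParser):
    """Rebuilds the markup from the allowlist instead of trying to strip bad parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag is dropped, its text content is kept as escaped text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # removes onclick and every other on* handler
            if name == "href" and not safe_url(value):
                continue  # removes javascript: and other script-capable schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_status(raw):
    parser = StatusSanitizer()
    parser.feed(raw)
    parser.close()  # flush text the parser is still buffering
    return "".join(parser.out)
```
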