Opened 15 years ago
Closed 15 years ago
#1114 closed defect (bug) (fixed)
able to embed javascript into the Status field
| Reported by: | DJPaul | Owned by: | |
|---|---|---|---|
| Milestone: | 1.1 | Priority: | critical |
| Severity: | | Version: | |
| Component: | | Keywords: | javascript security |
| Cc: | | | |
Description
Hi
You're able to put HTML in the status field on your profile. I'm not sure if that's a good decision or not - but that's another matter.
If you put this string into your profile, you can trigger JavaScript commands on your profile page (it doesn't work when clicking your status in the Site Wide Activity).
P.S. Trac may screw this up, so I'll repost if needed.
<a href="bt.com" onclick="javascript:alert('bubble')">testing 3</a>
(In [1986]) Fixes #1114