CVE-2017-1002152: JavaScript injection via Bugzilla ticket subjects #1740
Labels: bugzilla (Issues related to Bodhi's integration with Bugzilla), EasyFix (These are good issues to get started with if you are new to the project), High priority (These issues are higher priority than normal), WebUI (Issues pertaining to Bodhi's web interface)
Marcel reported that it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects. The reporter cited an update that did not properly escape tags from the bug it was associated with.
We should run the bugzilla text through bleach, similar to what we do for comments from our users.
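As an added example (not Bodhi's own code), the fix described above: a sanitizer that neutralises tags in a Bugzilla subject before it is interpolated into the bug list, shown beside the unescaped rendering the issue describes. It uses bleach when installed, as the issue suggests, and falls back to the stdlib html.escape otherwise; the bug records, the render helpers and the has_foreign_tags check are constructed for illustration and assume nothing about Bodhi's real templates.

```python
"""Escaping Bugzilla ticket subjects before they reach the page (added example)."""
import html
import re

try:
    import bleach  # the library the issue says Bodhi already uses for comments
except ImportError:  # stdlib fallback so the example runs without bleach
    bleach = None

# Constructed sample Bugzilla records (ids and titles are made up).
SAMPLE_BUGS = [
    {"bug_id": 1000001, "title": "Package fails to build on ppc64le"},
    {"bug_id": 1000002, "title": "Crash when <b>bold</b> text is pasted"},
    {"bug_id": 1000003, "title": "Login <script>alert(1)</script> loop"},
]


def sanitize_bug_title(title: str) -> str:
    """Return the title with every tag neutralised: no tags are allowed at all."""
    if bleach is not None:
        # tags=[] allows nothing; strip=False keeps the text but escapes '<' and '>'
        return bleach.clean(title, tags=[], attributes={}, strip=False)
    return html.escape(title, quote=False)


def render_bug_list_unsafe(bugs):
    """The defect: the Bugzilla title is interpolated verbatim into markup."""
    return "".join(
        f'<li><a href="/bugs/{b["bug_id"]}">{b["title"]}</a></li>' for b in bugs
    )


def render_bug_list(bugs):
    """The fix: the title passes through the sanitizer before interpolation."""
    return "".join(
        f'<li><a href="/bugs/{b["bug_id"]}">{sanitize_bug_title(b["title"])}</a></li>'
        for b in bugs
    )


# Any tag other than the <li>/<a> elements the renderer emits itself.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:li|a)\b)[^>]+>")


def has_foreign_tags(fragment: str) -> bool:
    """Regression check: True if ticket text turned into markup of its own."""
    return bool(_FOREIGN_TAG_RE.search(fragment))


if __name__ == "__main__":
    print(render_bug_list(SAMPLE_BUGS))
```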