What steps will reproduce the problem?
1. Open a change that contains HTML in the commit summary
2. See the commit summary not escaping and rather rendering its HTML
What is the expected output? What do you see instead?
HTML output (at the very least < and >) should be replaced with their HTML entities.
If you don't trust everyone who writes code in your system, this is a potential XSS
vector.
What version of the product are you using? On what operating system?
1.2.1-GO on Ubuntu 12.04, behind Apache reverse proxy
Please provide any additional information below.
Compare the following two URLs:
https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FParsoid.git/8994ef5c79e5c385c1f7bd593d991f15263ebf95
and https://gerrit.wikimedia.org/r/#/c/63444/
Reported by chorohoe@wikimedia.org on 2013-05-15 16:50:33
Originally reported on Google Code with ID 242
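The behaviour described in the report, next to the expected escaped output, as an added example that is not the project's own code. The template, the function names and the sample summary are hypothetical and constructed for illustration; `inspect_page` parses each rendered page and lists any elements that came from the commit text rather than from the template.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a commit summary that carries markup.
SAMPLE_SUMMARY = 'Fix <b>parser</b> & "quote" handling <script>alert(1)</script>'

# Hypothetical page template; only these elements come from the application.
TEMPLATE = '<div class="commit"><span class="summary">{}</span></div>'
TEMPLATE_TAGS = {"div", "span"}


def render_unescaped(summary):
    """Reported behaviour: the summary is written into the page as-is."""
    return TEMPLATE.format(summary)


def render_escaped(summary):
    """Expected behaviour: &, <, > and quotes become HTML entities."""
    return TEMPLATE.format(html.escape(summary, quote=True))


class _Collector(HTMLParser):
    """Records the elements and text a parser sees in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect_page(page):
    """Return (elements not emitted by the template, text shown to the reader)."""
    collector = _Collector()
    collector.feed(page)
    collector.close()
    injected = [t for t in collector.tags if t not in TEMPLATE_TAGS]
    return injected, "".join(collector.text)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        injected, text = inspect_page(render(SAMPLE_SUMMARY))
        print(f"{render.__name__}: injected={injected} text={text!r}")
```

A check like `inspect_page` can serve as a regression test: for any commit summary, the escaped page should contain no elements beyond the template's own, and the text shown should equal the summary exactly as committed.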