Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix an XSS vulnerability in the reviews dropdown.
The reviews dropdown had a bad vulnerability where it would assume the
user's full name is valid HTML. This allowed the user to craft a script
tag that would be executed every time the name appeared in the dropdown.

This vulnerability exists in 1.6.x, 1.7.x, and the in-development 1.8.
There are no known attacks in the wild.

This was reported by Craig Young at Tripwire.
  • Loading branch information
chipx86 committed Jun 22, 2013
1 parent efeb640 commit 4aaacbb
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions reviewboard/htdocs/media/rb/js/reviews.js
Expand Up @@ -352,10 +352,12 @@ $.fn.reviewsAutoComplete = function(options) {
$(this)
.autocomplete({
formatItem: function(data) {
var s = data[options.nameKey];
var s = data[options.nameKey],
desc;

if (options.descKey) {
s += " <span>(" + data[options.descKey] + ")</span>";
desc = $('<div/>').text(data[options.descKey]).html();
s += " <span>(" + desc + ")</span>";
}

return s;
Expand Down

0 comments on commit 4aaacbb

Please sign in to comment.