1/8/26

[#8552] It's possible to inject javascript on Kronolith
Summary It's possible to inject javascript on Kronolith
Queue Kronolith
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners jan (at) horde (dot) org
Requester goncalo.queiros (at) portugalmail (dot) net
Created 09/04/2009 (5970 days ago)
Due
Updated 01/13/2010 (5839 days ago)
Assigned
Resolved 09/04/2009 (5970 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
01/13/2010 12:11:03 AM CVS Commit Comment #2
Changes have been made in Git for this ticket:

Element.update() and Element.insert() don't escape content and eval 
scripts automatically. Escape any plain text being inserted (Bug #8552).

http://git.horde.org/diff.php/kronolith/js/kronolith.js?rt=horde-git&r1=fabc16d8ac224bbcf5fbe2f5ff4ac26af563d69c&r2=62b96aed490816b1f2a5c7334ab21bb324455df9
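
The escaping fix described in the commit comment above, as an added example that is not part of the ticket or of Kronolith's code. It models in plain JavaScript why a title passed unescaped to an update()/insert()-style call ends up with its script evaluated; renderTitleUnsafe, renderTitleSafe, scriptsThatWouldRun and the sample title are hypothetical names and constructed data.

```javascript
// Added example: why plain text must be escaped before it is handed to
// Prototype's Element.update()/insert(), which treat content as HTML.
// All function names and the sample title are hypothetical.

// Escape the characters that let text break out into markup.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simplified stand-in for the step where update()/insert() pull inline
// <script> bodies out of the content and evaluate them.
function scriptsThatWouldRun(html) {
  const re = /<script[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// "Before": the event title is concatenated into markup as-is.
function renderTitleUnsafe(title) {
  return '<div class="event-title">' + title + '</div>';
}

// "After": the title is escaped first, so it can only render as text.
function renderTitleSafe(title) {
  return '<div class="event-title">' + escapeHTML(title) + '</div>';
}

// Constructed sample input standing in for a user-supplied event title.
const sampleTitle = 'Team sync <script>alert(document.domain)</script>';

console.log('unescaped, scripts found:',
  scriptsThatWouldRun(renderTitleUnsafe(sampleTitle)));
console.log('escaped, scripts found:',
  scriptsThatWouldRun(renderTitleSafe(sampleTitle)));
console.log('escaped markup:', renderTitleSafe(sampleTitle));
```

Escaping at the point of insertion also neutralises markup other than script tags, since no `<` from the title survives into the HTML.
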
09/04/2009 05:33:03 PM Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
09/04/2009 04:44:46 PM goncalo (dot) queiros (at) portugalmail (dot) net Comment #1
Priority ⇒ 1. Low
Patch ⇒ No
Milestone ⇒
Queue ⇒ Kronolith
Summary ⇒ It's possible to inject javascript on Kronolith
Type ⇒ Bug
State ⇒ Unconfirmed
When a new event is created, it's possible to inject javascript (at 
least in the Title field)
