2019-04-24

[#8552] It's possible to inject javascript on Kronolith
Summary: It's possible to inject javascript on Kronolith
Queue: Kronolith
Queue Version: Git master
Type: Bug
State: Resolved
Priority: 1. Low
Owners: jan (at) horde (dot) org
Requester: goncalo.queiros (at) portugalmail (dot) net
Created: 2009-09-04 (3519 days ago)
Due:
Updated: 2010-01-13 (3388 days ago)
Assigned:
Resolved: 2009-09-04 (3519 days ago)
Milestone:
Patch: No

History
2010-01-13 00:11:03 CVS Commit Comment #2
Changes have been made in Git for this ticket:

Element.update() and Element.insert() don't escape content and eval 
scripts automatically. Escape any plain text being inserted (Bug #8552).

http://git.horde.org/diff.php/kronolith/js/kronolith.js?rt=horde-git&r1=fabc16d8ac224bbcf5fbe2f5ff4ac26af563d69c&r2=62b96aed490816b1f2a5c7334ab21bb324455df9
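
The fix described in the commit comment above, as an added example that is not Kronolith's code: plain text such as an event title is HTML-escaped before it is handed to an insertion call that evaluates scripts. `scriptBlocks` is a simplified model of that evaluation, and `eventTitleMarkup`, `audit` and the sample titles are constructed for illustration.

```javascript
// Added example, not Kronolith's code. Runs in Node without a DOM.

// Stand-alone HTML escaper for text that will be placed into markup.
// (Prototype ships String#escapeHTML; this one also encodes quotes so the
// result is safe inside attribute values too.)
function escapeHTML(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text == null ? '' : text).replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified model (assumption) of an insertion API that evaluates inline
// scripts: returns the script bodies it would run for the given markup.
function scriptBlocks(html) {
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Hypothetical helper: the markup a calendar view would hand to
// Element.update()/insert() for one event title.
function eventTitleMarkup(title, { escape = true } = {}) {
  const shown = escape ? escapeHTML(title) : String(title);
  return '<div class="event-title">' + shown + '</div>';
}

// Constructed sample titles, as a user might type them into the Title field.
const SAMPLE_TITLES = [
  'Team meeting',
  'Q&A <b>session</b>',
  '<script>window.injected = true</script>Lunch',
];

// Report, per title, how many script blocks each variant would evaluate.
function audit(titles) {
  return titles.map((t) => ({
    title: t,
    rawScripts: scriptBlocks(eventTitleMarkup(t, { escape: false })).length,
    escapedScripts: scriptBlocks(eventTitleMarkup(t)).length,
  }));
}

console.log(audit(SAMPLE_TITLES));
```
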
2009-09-04 17:33:03 Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
2009-09-04 16:44:46 goncalo (dot) queiros (at) portugalmail (dot) net Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ It's possible to inject javascript on Kronolith
Queue ⇒ Kronolith
Milestone ⇒
Patch ⇒ No
When a new event is created, it's possible to inject javascript (at 
least in the Title field)
