BugNET

Open source issue tracking & project management
  search

Forums

HomeHomeGeneralGeneralGeneral Discuss...General Discuss...Issues with XSSIssues with XSS
Previous
 
Next
New Post
7/15/2010 6:22 AM
 
User is offline Andy
No Ranking

Joined: 3/19/2010
Posts: 10
Hi there.

I'm having some issues with XSS.  In our existing bug system (which I'm migrating from) there are a number of records that detail XSS issues.  During migration I HtmlEncode these so as to avoid any issues when the bugs are in place in BugNet.  However, for some reason the XSS lines are executing when they're part of an issue comment.  This doesn't seem to be a problem for data in the BugNet_Issues.IssueDescription, just BugNet_IssueComments.Comment.

E.g.

Looking at the database I can see that the BugNet_IssueComments.Comment field is properly HTML encoded



However when the issue is viewed the javascript executes and the pages source shows that it's been rendered as




Any ideas?
 
New Post
7/15/2010 11:53 AM
 
User is offline Davin Dubeau
1st Level Poster


Davin Dubeau's Avatar

bugnetproject.com
Joined: 3/2/2006
Posts: 1425
_Andy wrote:
Hi there.

I'm having some issues with XSS.  In our existing bug system (which I'm migrating from) there are a number of records that detail XSS issues.  During migration I HtmlEncode these so as to avoid any issues when the bugs are in place in BugNet.  However, for some reason the XSS lines are executing when they're part of an issue comment.  This doesn't seem to be a problem for data in the BugNet_Issues.IssueDescription, just BugNet_IssueComments.Comment.

E.g.

Looking at the database I can see that the BugNet_IssueComments.Comment field is properly HTML encoded



However when the issue is viewed the javascript executes and the pages source shows that it's been rendered as




Any ideas?


This is a bug, I have confirmed that comments are vulnerable to xss right now.
Davin Dubeau

follow us on twitter facebook users group google plus
 
New Post
7/19/2010 1:07 AM
 
User is offline Andy
No Ranking

Joined: 3/19/2010
Posts: 10
Ah ok great, I can stop pulling my hair out over it then. :D

Thanks for letting me know.
 
 Page 1 of 1
Previous
 
Next
HomeHomeGeneralGeneralGeneral Discuss...General Discuss...Issues with XSSIssues with XSS


Forum Policy

These Discussion Forums are dedicated to the discussion of the BugNET issue tracker.

For the benefit of the community and to protect the integrity of the project, please observe the following posting guidelines:
1. No Advertising.
2. No Flaming or Trolling.
3. No Profanity, Racism, or Prejudice.
4. Site Moderators have the final word on approving/removing a thread or post or comment.
5. English language posting only, please.
Copyright © 2011 BugNET   Terms Of Use  Privacy Statement  Page generated in 0.0468009 seconds.