RESOLVED WORKSFORME 39478
XSS on bugs.webkit.org PrettyDiff view
https://bugs.webkit.org/show_bug.cgi?id=39478
Kent Tamura
Reported 2010-05-21 02:40:47 PDT
This is a bug of bugs.webkit.org, not a bug of WebKit. We can make arbitrary script work on bugs.webkit.org, but it's not vulnerable because there is no way to make script run for other users.

1. Open https://bugs.webkit.org/attachment.cgi?id=53926&action=review
2. Click somewhere in the PrettyDiff frame. A <textarea> for line-by-line comment appears.
3. Input "<script>alert('Foo')</script>" to the <textarea>
4. Press "Add" button

Result: JavaScript alert with "Foo" opens.

PrettyPatch.rb:
    // Insert a non-editable form of our comment.
    comment.insert("<pre>" + commentText + "</pre>");
    comment.setAttribute("class", "comment submitted");

We need to escape commentText.
Adam Barth
Comment 1 2010-05-21 13:21:22 PDT
:)
Adam Roben (:aroben)
Comment 2 2010-05-21 15:16:21 PDT
> PrettyPatch.rb:
> // Insert a non-editable form of our comment.
> comment.insert("<pre>" + commentText + "</pre>");
> comment.setAttribute("class", "comment submitted");
>
> We need to escape commentText.

Or use innerText or textContent or createTextNode.
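
An added example (not from this thread or from PrettyPatch; all function names are hypothetical) of the escaping fix proposed above, written to run under Node without a DOM. In a browser, the alternative named in Comment 2 is to set textContent or append document.createTextNode(commentText), so the text is never parsed as markup.

```javascript
// Added example, not PrettyPatch code. Function names are hypothetical.

// Escape the characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern from the report: user text concatenated straight into markup.
function unsafeCommentMarkup(commentText) {
  return '<pre>' + commentText + '</pre>';
}

// The same markup with the user text escaped first.
function safeCommentMarkup(commentText) {
  return '<pre>' + escapeHtml(commentText) + '</pre>';
}

// List the element names that appear as opening tags in the markup.
// A rough regex scan is enough for this demonstration; it is not a sanitizer.
function tagNames(markup) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample input, the same string used in the report's step 3.
const sample = "<script>alert('Foo')</script>";

console.log(tagNames(unsafeCommentMarkup(sample))); // [ 'pre', 'script' ]
console.log(tagNames(safeCommentMarkup(sample)));   // [ 'pre' ]
console.log(safeCommentMarkup(sample));
```
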
wanghao
Comment 3 2012-08-17 01:29:45 PDT
<script>alert('Foo')</script>
Martin Robinson
Comment 4 2012-12-13 09:23:26 PST
I tested this and it doesn't seem to be an issue any longer. Perhaps we can close the bug?
Kent Tamura
Comment 5 2012-12-13 17:57:16 PST
Yeah, it seems this was fixed.