1054: reviewboard doesn't escape html

dark****@gmai***** (Google Code)
April 16, 2009
What steps will reproduce the problem?
1. edit a review and add some javascript code:

<script>alert(document.cookie)</script>

2. publish the review
3. the script is executed and there's no way to remove it from the page.

What is the expected output? What do you see instead?

all html should be escaped from user input to prevent css attacks.

What operating system are you using? What browser?

ff3, osx
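The escaping the report asks for, as an added example (not Review Board's own code): a toy version of the escape-by-default rendering that template engines such as Django's provide, run against the exact payload from step 1. `REVIEW_BODY`, `SafeString` and the two render functions are constructed for this illustration.

```python
import html
import re

# Constructed sample review text containing the payload quoted in the report.
REVIEW_BODY = "Looks good, but: <script>alert(document.cookie)</script>"


class SafeString(str):
    """Marker for markup the application has already escaped or sanitised.

    Only values wrapped in this type are emitted verbatim; everything else
    is escaped. This mirrors the "mark safe" idiom of autoescaping engines.
    """


def render_unescaped(body: str) -> str:
    """Naive rendering that interpolates user text straight into the page.

    This is the behaviour the report describes: the <script> survives intact.
    """
    return f"<div class='review-body'>{body}</div>"


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, context: dict) -> str:
    """Minimal autoescaping renderer: every {{ name }} is HTML-escaped unless
    the context value is a SafeString. Escaping quotes as well as angle
    brackets keeps the value inert inside attribute values too."""

    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if isinstance(value, SafeString):
            return str(value)
        return html.escape(str(value), quote=True)

    return _VAR.sub(substitute, template)


_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(markup: str) -> bool:
    """Crude regression check: does the rendered markup still contain a live
    <script> open tag? Useful as a unit test on the output of a renderer."""
    return _SCRIPT_OPEN.search(markup) is not None


if __name__ == "__main__":
    print(render_unescaped(REVIEW_BODY))                  # script tag survives
    print(render_template("<div>{{ body }}</div>", {"body": REVIEW_BODY}))
```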
#1 dark****@gmai***** (Google Code)
also, any js added seems to break the functionality of the page. i now can't
autocomplete any names on the review i added js to (for vmw folks see review 12439 on
reviewboard-qa).
#2 dark****@gmai***** (Google Code)
scratch comment #1, the ac problem has nothing to do with this (my group doesn't
exist on the new reviewboard server).
#3 chipx86
This has been fixed for a while in SVN, and will be made available on the next server
upgrade.