Due to the HTML parser, JavaScript literals with closing script tags (for instance, 'var foo = "</script>";') cause JavaScript blocks to be prematurely terminated. For more information see...

http://www.wwco.com/~wls/blog/2007/04/25/using-script-in-a-javascript-literal/

This is an XSS vector, easily reproduced by making a comment of "</script><script>alert(document);</script>" (quotes are escaped so examples like 'alert("hello world");' won't work). Demo...

http://demo.reviewboard.org/r/6347/diff/

This is an issue with multiple comment types...

| | -
Attachment Comments
Iirc I accidently stumbled across this for 1.6 though I might be remembering
wrong. This patch doesn't include a fix for attachment comments, but it should
be a similar change around the 'file_attachment_comments' function in...
reviewboard/reviews/templatetags/reviewtags.py
reviewboard/templates/reviews/review_request_box.html
|
| + |
|
| + | Change can be fetched from...
|
| + | https://github.com/atagar/ReviewBoard/commit/7539dc1f42155fc499430633e462059412eb1b59 |
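
The premature termination described above, as an added example (not code from Review Board or from the linked commit): a serializer that escapes only quotes is compared with one that also escapes `<`, `>` and `&`, and Python's `html.parser` reports how many script blocks the HTML parser sees in each case. The function names and the `var comment = ...` page fragment are assumptions made for illustration.

```python
import json
from html.parser import HTMLParser

# Constructed sample: the comment text quoted in the description above.
COMMENT = '</script><script>alert(document);</script>'


def naive_js_string(text):
    """Assumed weak serializer: escapes only backslashes and double quotes."""
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'


def safe_js_string(text):
    """JSON-encode, then hide HTML-significant characters from the HTML parser."""
    encoded = json.dumps(text)  # quotes, backslashes, newlines, non-ASCII
    for char, escape in (('<', '\\u003C'), ('>', '\\u003E'), ('&', '\\u0026')):
        encoded = encoded.replace(char, escape)
    return encoded


def render(js_literal):
    """Hypothetical page fragment that inlines a comment into a script block."""
    return '<script>var comment = ' + js_literal + ';</script>'


class ScriptCollector(HTMLParser):
    """Collects the body of every script element the HTML parser recognises."""

    def __init__(self):
        super().__init__()
        self.bodies = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True
            self.bodies.append('')

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.bodies[-1] += data


def script_bodies(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.bodies


if __name__ == '__main__':
    print('naive:', script_bodies(render(naive_js_string(COMMENT))))
    print('safe: ', script_bodies(render(safe_js_string(COMMENT))))
```

With the weak serializer the parser sees two script blocks, the second one made up entirely of comment text; with the `\u003C` form it sees one, and the JavaScript engine still decodes the literal back to the original comment.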