Escaping review and image comments
Review Request #2708 — Created Nov. 14, 2011 and submitted — Latest diff uploaded
Due to the html parser, javascript literals with closing script tags (for instance, 'var foo = "</script>";') cause javascript blocks to be prematurely terminated. For more information see... http://www.wwco.com/~wls/blog/2007/04/25/using-script-in-a-javascript-literal/ This is a XSS vector, easily reproduced by making a comment of "</script><script>alert(document);</script>" (quotes are escaped so examples like 'alert("hello world");' won't work). Demo... http://demo.reviewboard.org/r/6347/diff/ This is an issue with multiple comment types... - Diff Comments This reproduces in ReviewBoard 1.5 and 1.6. - Screenshot Comments Reproduced and fixed this in 1.5. Screenshot comments seem to have changed quite a bit since then so I'm not sure if it's still an issue, but might as well be safe. - Attachment Comments Iirc I accidently stumbled across this for 1.6 though I might be remembering wrong. This patch doesn't include a fix for attachment comments, but it should be a similar change around the 'file_attachment_comments' function in... reviewboard/reviews/templatetags/reviewtags.py reviewboard/templates/reviews/review_request_box.html Change can be fetched from... https://github.com/atagar/ReviewBoard/commit/7539dc1f42155fc499430633e462059412eb1b59
I made and tested this fix in RB 1.5 and 1.6, but I don't have a 1.6.2 instance around so it would be a good idea to give this a sanity test before merging.