xss in autocomplete

Review Request #5570 — Created March 2, 2014 and discarded

It will fix XSS vulnerabilities.
https://code.google.com/p/reviewboard/issues/detail?id=3274

If a script is entered in First name or Last name, it is executed when you use autocomplete in the search box.


uchida_t

chipx86
  1. Thanks for the report and the patch!

    Looking into this, this isn't actually the right place to do this, since it's valid for HTML to appear in highlight() (we use it for <span> tags to properly format the full name), but I've made a change in the correct place to do the escaping (formatItem in js/common.js).

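One way to place the escaping where the reviewer describes it, in the item formatter rather than in the highlighter, as an added example in JavaScript that is not Review Board's own code. The function names escapeHtml, highlightEscaped, formatItem and formatItemUnsafe, the shape of the user object, and the CSS class names are assumptions, and the sample names used in the usage section are constructed.

```javascript
// Added example (not Review Board code). Shows the difference between building
// an autocomplete row from raw user fields and building it from escaped fields.

// Escape the five characters that let text break out of HTML text or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Highlight every occurrence of `query` in `text`. Matching is done on the raw
// text, each slice is escaped before it is concatenated, and the <span> tags
// added here are therefore the only markup in the result. Matching on raw text
// (not on the escaped string) avoids splitting an entity such as &amp; in half.
function highlightEscaped(text, query) {
  const raw = String(text);
  const q = String(query).toLowerCase();
  if (!q) return escapeHtml(raw);
  const lower = raw.toLowerCase();
  let out = '';
  let pos = 0;
  let idx;
  while ((idx = lower.indexOf(q, pos)) !== -1) {
    out += escapeHtml(raw.slice(pos, idx));
    out += '<span class="ac-match">' + escapeHtml(raw.slice(idx, idx + q.length)) + '</span>';
    pos = idx + q.length;
  }
  out += escapeHtml(raw.slice(pos));
  return out;
}

// Vulnerable shape: the first/last name fields are concatenated straight into HTML,
// so a name containing markup runs when the autocomplete row is rendered.
function formatItemUnsafe(user, query) {
  const fullName = user.firstName + ' ' + user.lastName;
  return user.username + ' <span class="ac-fullname">' + fullName + '</span>';
}

// Hardened shape: every user-controlled field is escaped exactly once, at the
// point where it becomes part of the HTML string, and the highlighter only adds markup.
function formatItem(user, query) {
  const username = escapeHtml(user.username);
  const fullName = highlightEscaped(user.firstName + ' ' + user.lastName, query);
  return username + ' <span class="ac-fullname">' + fullName + '</span>';
}

// Usage with constructed sample data (not real accounts).
const sampleUser = { username: 'alice', firstName: 'Alice', lastName: 'Smith' };
const markupUser = { username: 'eve', firstName: '<b>Bob</b>', lastName: 'Jones' };
console.log(formatItem(sampleUser, 'sm'));
console.log(formatItemUnsafe(markupUser, ''));
console.log(formatItem(markupUser, 'bob'));
```

The key property is that the highlighter never sees unescaped text and the formatter never inserts a raw field, so there is no code path in which a name reaches the DOM as markup.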
Review request changed

Status: Discarded
