Fix a self-XSS hole in Diffusion
ac029d0a50e7
Actions

Authored by epriestley <git@epriestley.com> on Mar 20 2015, 22:54.

Description

Fix a self-XSS hole in Diffusion

Summary:
Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively.

This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case.

Test Plan: Set date format to tag junk, got self-XSS before patch and proper escaping after the patch.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12117

Details

Committed

epriestley <git@epriestley.com>

Mar 20 2015, 22:54

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH80b8dc521d14: Fix Mercurial command injection vulnerability

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHac029d0a50e7: Fix a self-XSS hole in Diffusion (authored by epriestley <git@epriestley.com>).Mar 20 2015, 22:54

Changes (1)

				Path
	M			src/applications/diffusion/controller/DiffusionLastModifiedController.php

rPHac029d0a50e7

View Options

src/applications/diffusion/controller/DiffusionLastModifiedController.php