[ROL-1196] Safe comments: strip HTML from comment name, URL and email addresses - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3
Fix Version/s: 2.3.1
Component/s: Comments
Labels:
None

Level of effort:
Less than 1 hour plus release overhead

Description

See title.

We allow users to use HTML in comment body, but we strip all but a "safe subset" of HTML when we display the coment. However, we don't do any HTML stripping safe-subsetting on the comment name, HTML or url. That leaves Roller open to XSS attacks by commenters.

Attachments

Activity

People

Assignee:: David Johnson

Reporter:: David Johnson

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 24/Jul/06 14:26

Updated:: 05/Jan/13 20:48

Resolved:: 24/Jul/06 14:28