SECURITY: XSS on 'View conditions for transition' page
Issue #333
resolved
There is an XSS on the 'View conditions for transition' page: the failure message input by the user is returned without escaping.
TC:
- Add 'Boolean validator with math, date-time or text-string terms'
- Fill 'Message to show when validation fails' field with '<script>alert(2)</script>' value
- Save condition. (This brings you back to conditions table)
- You've been XSS'ed
This cannot be fixed by Atlassian because we want to give vendors the ability to have a formatted description.
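The split described in the report (the host page accepts vendor-formatted HTML, so the vendor has to escape the user-supplied failure message itself) can be sketched as follows. This is an added example, not the add-on's code or its actual fix; the function names, the markup and the sample object are assumptions made for illustration.

```javascript
// Added example: escapeHtml, html, renderConditionUnsafe and renderCondition
// are hypothetical names, not taken from the add-on.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template: the literal parts are the vendor's own (trusted) formatting,
// every interpolated value is treated as untrusted and escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Behaviour described in the report: the stored message is concatenated as-is.
function renderConditionUnsafe(condition) {
  return '<b>' + condition.name + '</b><br/>Message: <i>' + condition.failureMessage + '</i>';
}

// Same formatted description, with user-supplied fields escaped on output.
function renderCondition(condition) {
  return html`<b>${condition.name}</b><br/>Message: <i>${condition.failureMessage}</i>`;
}

// Constructed sample input using the value from the test case above.
const sample = {
  name: 'Boolean validator with math, date-time or text-string terms',
  failureMessage: '<script>alert(2)</script>',
};

console.log(renderConditionUnsafe(sample)); // message is emitted as live markup
console.log(renderCondition(sample));       // message is emitted as inert text
```

Escaping at output time keeps the stored message unchanged, so the same value stays safe to reuse in other contexts that apply their own encoding.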
Comments (5)
- Account Deactivated (reporter): edited description
- repo owner: Thank you Ilya, the problem will be fixed in version 2.2.12.
- repo owner: changed status to resolved. Fixed in just released version 2.2.12.
- Account Deactivated (reporter): Great! Thank you!