Pull request XSS scripting

Issue #16773 new
Mark Cerezo staff created an issue

Summary

When creating or editing a pull request, users are allowed to enter the "javascript:alert(123)" string and are able to run a pop-up or script. This might cause possible XSS scripting.

Steps to reproduce:

  1. Create a new Pull request in your repo
  2. Type "javascript:alert(123)" in the description box
  3. Highlight the "javascript:alert(123)" string > click "Add link" (Under menu bar)
  4. Click the string "javascript:alert(123)" > paste the string "javascript:alert(123)".
  5. Click the string "javascript:alert(123)" > Click "Open Link"

Expected results

Should not be able to run/execute any JS scripting

Actual results

Able to alert pop-up

Workaround

None at the moment
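
One way to enforce the expected result above, as an added example that is not part of the original issue and is not Bitbucket's code: an allowlist check on the link target, applied before the link is saved or rendered. The function names and the set of permitted schemes are assumptions.

```javascript
// Added example (not Bitbucket code): validate a link target before it is
// stored or rendered by a rich-text editor's "Add link" dialog.

// Assumption: only these schemes are legitimate in a pull request description.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalised absolute URL, or null when the target must be rejected.
function sanitizeLinkHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser lower-cases the scheme and strips the same
    // whitespace and control characters a browser ignores, so the check
    // below sees the scheme the browser would act on.
    url = new URL(raw);
  } catch (err) {
    return null; // relative or unparsable input (assumption: links are absolute)
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escapes text for use in HTML element content and quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Renders a link, or plain escaped text when the target is rejected.
function renderLink(text, rawHref) {
  const href = sanitizeLinkHref(rawHref);
  const safeText = escapeHtml(text);
  if (href === null) return safeText;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${safeText}</a>`;
}

// Constructed sample inputs, including the string from this report.
const samples = ["https://example.com/pr/1", "javascript:alert(123)"];
for (const s of samples) console.log(JSON.stringify(s), "->", renderLink(s, s));
```

The same check belongs on the server when the description is saved, since a client-side check alone can be skipped by submitting the request directly.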
