Opened 9 years ago

Closed 9 years ago

#2892 closed defect (fixed)

should user language settings be sanitized?

Reported by: amm Owned by: Tom Hughes
Priority: minor Milestone:
Component: website Version:
Keywords: Cc:

Description

As a follow-up on #2891, it is possible to inject javascript into the site, by adding the javascript to your language settings and calling the search function on the mainsite. The error message there will contain the language settings verbatim and thus execute the script.

I don't think it is a security problem, as you can only shoot yourself in the foot with it rather than harm others, but it might nevertheless be nice to prevent this. Altogether, warning the user if they entered a broken string in the language setting might be a good thing.

Change History (1)

comment:1 Changed 9 years ago by tomhughes

Resolution: fixed
Status: new → closed

(In [20920]) Escape geocoder errors. Closes #2892.
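The reflected-markup defect the ticket describes and the escaping fix named in the comment, shown as an added Ruby illustration that is not code from the OpenStreetMap website or from changeset [20920]. The sample language value, the error-message template, the function names and the language-tag pattern are all constructed for this example; `ERB::Util.html_escape` is the standard-library escaper behind Rails' `h` helper.

```ruby
require "erb"

# Constructed sample: a user language preference that carries markup.
# A legitimate value looks like "en-GB,de"; this one does not.
USER_LANGUAGE = "en<script>alert(1)</script>"

# Vulnerable rendering (mirrors the defect in the ticket): the geocoder error
# is built by plain string interpolation, so the language setting reaches the
# page unescaped and any markup inside it is interpreted by the browser.
def geocoder_error_unescaped(language, query)
  "<p class=\"error\">No results for \"#{query}\" (language: #{language})</p>"
end

# Hardened rendering: every untrusted value is HTML-escaped before it is
# interpolated, so "<script>" arrives as "&lt;script&gt;" and is shown as text.
def geocoder_error_escaped(language, query)
  esc = ERB::Util.method(:html_escape)
  "<p class=\"error\">No results for \"#{esc.call(query)}\" " \
    "(language: #{esc.call(language)})</p>"
end

# Reviewer-style check used here to make the difference visible: does the
# rendered fragment contain any tag besides the wrapping <p> element?
def contains_injected_tag?(html)
  inner = html.sub(/\A<p class="error">/, "").sub(%r{</p>\z}, "")
  inner.match?(/<[a-zA-Z]/)
end

# The second suggestion in the ticket: validate the setting on input and warn
# the user when it is not a comma-separated list of language tags. The pattern
# is a simplified, constructed approximation of a BCP 47 tag (e.g. "en", "pt-BR").
LANGUAGE_TAG = /\A[a-zA-Z]{2,3}(?:-[a-zA-Z0-9]{2,8})*\z/

def valid_language_list?(setting)
  tags = setting.split(",").map(&:strip)
  !tags.empty? && tags.all? { |tag| tag.match?(LANGUAGE_TAG) }
end
```

Validation on input and escaping on output are complementary: the escape is what stops the markup from executing, while the validation gives the user the warning the ticket asks for.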
