Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.7.16, 4.6.28
    • Fix Version/s: 4.6.29, 4.7.21
    • Component/s: None
    • Security Level: Security - Published
    • Labels: None
    • Versioning Impact: Patch (backwards-compatible bug fixes)
    • Documentation Required?: None
    • Funding Source: Needs Funding
    • Verified?: No

Description

While trying to reproduce CRM-20040, I noticed XSS elsewhere.

An organisation named " onclick="alert('xss');" x=" will lead to XSS in the sidebar "recently viewed" block.

We should really look at that escape-on-output pattern, eh.
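The two rendering paths below are an added example, not code from CiviCRM or from the reporter: a hypothetical helper renders a "recently viewed" link with the reported organisation name interpolated raw, beside the escape-on-output version, and a small HTMLParser check lists which attributes a browser-style tokenizer would actually see on the resulting <a> tag. The URL path, the function names and the contact id are assumptions; the organisation name is the one from the report.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the organisation name quoted in the report. Inside a
# double-quoted attribute it closes that attribute and starts an onclick one.
MALICIOUS_ORG_NAME = '" onclick="alert(\'xss\');" x="'


def render_recent_item_unescaped(display_name: str, contact_id: int) -> str:
    """Vulnerable pattern (hypothetical, not CiviCRM's template): the display
    name is interpolated into markup, including a double-quoted attribute,
    with no escaping at the point of output."""
    return (f'<a href="/civicrm/contact/view?cid={contact_id}" '
            f'title="{display_name}">{display_name}</a>')


def render_recent_item_escaped(display_name: str, contact_id: int) -> str:
    """Escape on output: html.escape(quote=True) turns " into &quot; and ' into
    &#x27;, so the value cannot terminate the attribute it is placed in. The
    same escaped form is also safe as element text, so one call covers both
    contexts used here. The id is cast to int so it cannot carry markup."""
    safe = html.escape(display_name, quote=True)
    return (f'<a href="/civicrm/contact/view?cid={int(contact_id)}" '
            f'title="{safe}">{safe}</a>')


class _AttrCollector(HTMLParser):
    """Record the attributes the tokenizer sees on the first <a> tag, which is
    what a browser's parser would hand to the DOM."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def attributes_of_link(fragment: str) -> dict:
    """Parse a rendered fragment and return the first <a> tag's attributes
    (values are entity-decoded, as a browser would store them)."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def has_event_handler(fragment: str) -> bool:
    """True if the rendered link carries any on* attribute, i.e. the name broke
    out of its attribute context and became executable."""
    return any(name.startswith("on") for name in attributes_of_link(fragment))


if __name__ == "__main__":
    vulnerable = render_recent_item_unescaped(MALICIOUS_ORG_NAME, 42)
    fixed = render_recent_item_escaped(MALICIOUS_ORG_NAME, 42)
    print(vulnerable)
    print(attributes_of_link(vulnerable))   # an 'onclick' attribute is present
    print(fixed)
    print(attributes_of_link(fixed))        # title holds the literal name, no onclick
```

The check is deliberately done with a parser rather than a substring search: the escaped output still contains the text `onclick=` (inside the decoded title), so grepping for the payload would produce a false positive, whereas the attribute list shows the real difference between the two renderings.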

People

    • Assignee: seanmadsen Sean Madsen
    • Reporter: xurizaemon Chris Burgess
    • Authorized Participants: Sean Madsen
    • Votes: 0
    • Watchers: 4
