Uploaded image for project: 'AeroGear'
  1. AeroGear
  2. AEROGEAR-768

JS: possible script injection on the todo app

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Major Major
    • 1.0.0.M8
    • 1.0.0.M6, 1.0.0.M7
    • examples, javascript
    • None

      going to the "todo-aerogear.rhcloud.com" app, I noticed the "tasks" are broken.

      That's because there is one task in, that has the following title value:

      <script>window.status='Hello World';\"></sccript>
      

      See: https://todo-aerogear.rhcloud.com/todo-server/tasks/32

      After that task, NO other tasks are being displayed Also, it looks that I can NOT add a new one, but I can... it's just not being displayed

      PS: the same is true on the todoauth app (I tried it there....)

            boliveir_managed_kafka_security (inactive user) Bruno Oliveira Silva (Inactive)
            mwessend@redhat.com Matthias Wessendorf
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: