• Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • other
    • None
    • Platform: All, OS: All

      Hudson 1.295 allows a user to type cross-site scripting (XSS) into the search box.
      Example:
      http://hudson-host/search/?q=<script>alert('script');</script>&json={"q":+"<script>alert('oops');</script>"}
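The reflected-parameter problem described in the report, as an added example (not Hudson's code): a small Python model of the search-failed page, with the 1.295 behaviour next to an escaped version and a regression check of the kind SearchTest would carry. The page wording, the preference for the `json` field over `q`, and the check itself are assumptions.

```python
import html
import json
from urllib.parse import urlsplit, unquote_plus

# Constructed request, reproducing the shape of the URL in the report
# (hudson-host is the report's own placeholder host).
REPORT_URL = ("http://hudson-host/search/?q=<script>alert('script');</script>"
              "&json={\"q\":+\"<script>alert('oops');</script>\"}")


def parse_query_string(qs):
    """Split a raw query string on '&' only and decode '+' and %XX."""
    params = {}
    for pair in qs.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def extract_term(url):
    """Return the search term as the endpoint sees it. The form sends both a
    plain `q` and a JSON-encoded `json` field; preferring the structured one
    and falling back to `q` is an assumption, not Hudson's actual logic."""
    params = parse_query_string(urlsplit(url).query)
    for raw in params.get("json", []):
        try:
            data = json.loads(raw)
        except ValueError:
            continue
        if isinstance(data, dict) and isinstance(data.get("q"), str):
            return data["q"]
    return params.get("q", [""])[0]


def render_search_failed_vulnerable(term):
    """Model of the 1.295 behaviour: the term is interpolated verbatim.
    The sentence is placeholder text, not the real search-failed.jelly markup."""
    return f"<p>Nothing seems to match <b>{term}</b>.</p>"


def render_search_failed_fixed(term):
    """Hardened form: HTML-escape the term before it reaches the page body."""
    return f"<p>Nothing seems to match <b>{html.escape(term, quote=True)}</b>.</p>"


def reflects_unescaped(page, term):
    """Regression check in the spirit of SearchTest: a term carrying
    HTML-significant characters must not appear verbatim in the response."""
    return any(c in term for c in "<>\"'&") and term in page
```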

          [JENKINS-3415] Cross-site scripting in search box

          SCM/JIRA link daemon added a comment:
          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/resources/hudson/search/Search/search-failed.jelly
          trunk/hudson/main/test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
          trunk/hudson/main/test/src/test/java/hudson/search/SearchTest.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=16855
          Log:
          [FIXED JENKINS-3415] XSS vulnerability in the search box. Fixed in 1.297.

            Kohsuke Kawaguchi (kohsuke)
            danielvs