- Type: Bug
- Resolution: Fixed
- Priority: Critical
- None
- Platform: All, OS: All
Hudson 1.295 allows a user to perform cross-site scripting (XSS) via the search box.
Example:
http://hudson-host/search/?q=<script>alert('script');</script>&json={"q":+"<script>alert('oops');</script>"}
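The URL above carries the same payload twice: once in the plain `q` parameter and once inside the Stapler-style `json` parameter (the `+` decodes to a space, so the JSON is valid). A "search failed" page that echoes the term back verbatim turns either copy into live markup. The following is an added illustration, not Hudson's own code and not the change made in 1.297: it parses the reported URL the way a server would, shows the verbatim reflection next to the HTML-escaped form, and wraps the comparison in a regression-style check of the kind SearchTest would perform. Function names and the page template are assumptions.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed input: the URL from the report above (assumed host name).
REPORT_URL = ("http://hudson-host/search/?q=<script>alert('script');</script>"
              "&json={\"q\":+\"<script>alert('oops');</script>\"}")


def extract_query_terms(url):
    """Return every search term a server would see in this request: the plain
    `q` parameter plus the `q` key of any `json` parameter. All of them are
    attacker-controlled and must be treated as untrusted text."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    terms = list(qs.get("q", []))
    for raw in qs.get("json", []):
        try:
            obj = json.loads(raw)          # '+' already decoded to ' ' by parse_qs
        except ValueError:
            continue                        # malformed JSON: nothing to reflect
        if isinstance(obj, dict) and isinstance(obj.get("q"), str):
            terms.append(obj["q"])
    return terms


def render_search_failed_vulnerable(term):
    """Hypothetical vulnerable template: the term is interpolated verbatim,
    so '<script>' from the query string is emitted as real HTML."""
    return f"<p>Nothing seems to match '{term}'.</p>"


def render_search_failed_fixed(term):
    """Same template with the reflected value HTML-escaped: <, >, &, quotes
    become entities, and the browser renders the payload as inert text."""
    return f"<p>Nothing seems to match '{html.escape(term, quote=True)}'.</p>"


def reflects_markup(render, url=REPORT_URL, marker="<script>"):
    """Regression check: does any term from the request reach the page as
    unescaped markup? True means the page is exploitable."""
    return any(marker in render(term) for term in extract_query_terms(url))


if __name__ == "__main__":
    for term in extract_query_terms(REPORT_URL):
        print("vulnerable:", render_search_failed_vulnerable(term))
        print("fixed:     ", render_search_failed_fixed(term))
    print("vulnerable reflects markup:", reflects_markup(render_search_failed_vulnerable))
    print("fixed reflects markup:     ", reflects_markup(render_search_failed_fixed))
```

The check deliberately walks every channel the request offers rather than only `q`; a fix that escapes one parameter but forgets the JSON-wrapped copy would still fail it.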
Code changed in hudson
User: kohsuke
Path:
trunk/hudson/main/core/src/main/resources/hudson/search/Search/search-failed.jelly
trunk/hudson/main/test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
trunk/hudson/main/test/src/test/java/hudson/search/SearchTest.java
trunk/www/changelog.html
http://fisheye4.cenqua.com/changelog/hudson/?cs=16855
Log:
[FIXED JENKINS-3415] XSS vulnerability in the search box. Fixed in 1.297.