Rating comments can be arbitrary code #318

kcrisman · 2014-12-19T04:38:21Z

E.g., try putting <script>alert('hi there')</script> in the comment box while rating a public worksheet. 'Nuff said. This was reported at http://trac.sagemath.org/ticket/8839.

The text was updated successfully, but these errors were encountered:

kcrisman · 2014-12-19T04:39:00Z

Presumably there is some standard way to sanitize this, even perhaps used elsewhere in the notebook.

kcrisman · 2014-12-21T03:50:24Z

Solved by #323.

Improved solution to #318

kcrisman added the Critical label Dec 19, 2014

migeruhito mentioned this issue Dec 20, 2014

Provisional workaround to sanitize rating comments #323

Merged

kcrisman closed this as completed Dec 21, 2014

migeruhito mentioned this issue Jan 29, 2015

Improved solution to #318 #324

Merged

kcrisman added a commit that referenced this issue Dec 2, 2015

Merge pull request #324 from migeruhito/autoescape

73ab85c

Improved solution to #318

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rating comments can be arbitrary code #318

Rating comments can be arbitrary code #318

kcrisman commented Dec 19, 2014

kcrisman commented Dec 19, 2014

kcrisman commented Dec 21, 2014

Rating comments can be arbitrary code #318

Rating comments can be arbitrary code #318

Comments

kcrisman commented Dec 19, 2014

kcrisman commented Dec 19, 2014

kcrisman commented Dec 21, 2014