Fix a self-XSS hole in Diffusion
ClosedPublic
Actions

Authored by epriestley on Mar 20 2015, 9:43 PM.

Details

Reviewers

btrahan
chad

Commits

Restricted Diffusion Commit
rPac029d0a50e7: Fix a self-XSS hole in Diffusion

Summary

Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively.

This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case.

Test Plan

Set date format to tag junk, got self-XSS before patch and proper escaping after the patch.

Diff Detail

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 29140.Mar 20 2015, 9:43 PM

epriestley retitled this revision from to Fix a self-XSS hole in Diffusion.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added reviewers: chad, btrahan.

Herald added a subscriber: epriestley. · View Herald TranscriptMar 20 2015, 9:43 PM

chad accepted this revision.Mar 20 2015, 9:49 PM

chad edited edge metadata.

This revision is now accepted and ready to land.Mar 20 2015, 9:49 PM

Closed by commit rPac029d0a50e7: Fix a self-XSS hole in Diffusion (authored by epriestley, committed by epriestley). · Explain WhyMar 20 2015, 9:54 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

diffusion/

controller/

DiffusionLastModifiedController.php

6 lines

Diff 29143

View Options

src/applications/diffusion/controller/DiffusionLastModifiedController.php

Fix a self-XSS hole in DiffusionClosedPublicActions