Fix a self-XSS hole in Diffusion
ClosedPublic
Actions

Authored by epriestley on Mar 20 2015, 9:43 PM.

Details

Reviewers

btrahan
chad

Commits

Restricted Diffusion Commit
rPac029d0a50e7: Fix a self-XSS hole in Diffusion

Summary

Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively.

This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case.

Test Plan

Set date format to tag junk, got self-XSS before patch and proper escaping after the patch.

Diff Detail

Repository

rP Phabricator

Branch

xss1

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 4930
Build 4948: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 29140.Mar 20 2015, 9:43 PM

epriestley retitled this revision from to Fix a self-XSS hole in Diffusion.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added reviewers: chad, btrahan.

Herald added a subscriber: epriestley. · View Herald TranscriptMar 20 2015, 9:43 PM

chad accepted this revision.Mar 20 2015, 9:49 PM

chad edited edge metadata.

This revision is now accepted and ready to land.Mar 20 2015, 9:49 PM

Closed by commit rPac029d0a50e7: Fix a self-XSS hole in Diffusion (authored by epriestley, committed by epriestley). · Explain WhyMar 20 2015, 9:54 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

diffusion/

controller/

DiffusionLastModifiedController.php

6 lines

Diff 29140

View Options

src/applications/diffusion/controller/DiffusionLastModifiedController.php

Fix a self-XSS hole in DiffusionClosedPublicActions