Side navigation
#12254 closed bug (fixed)
Opened August 10, 2012 08:09PM UTC
Closed October 26, 2012 01:12PM UTC
Reflected XSS
| Reported by: | cloudsrise | Owned by: | cloudsrise |
|---|---|---|---|
| Priority: | low | Milestone: | 1.9 |
| Component: | build | Version: | git |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Line 59 of polluted.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Attachments (0)
Change History (11)
Changed August 10, 2012 08:24PM UTC by comment:1
| resolution: | → invalid |
|---|---|
| status: | new → closed |
Changed August 22, 2012 06:16AM UTC by comment:2
While I would love to agree with you, user behavior dictates otherwise. It isn't clear to me they are knowingly putting themselves at risk with regards to XSS and this public exploit. http://www.google.com/search?q=inurl:polluted.php should give you a few examples where we see unexpected test suite deployment behavior.
Changed August 22, 2012 12:39PM UTC by comment:3
| resolution: | invalid |
|---|---|
| status: | closed → reopened |
Changed August 22, 2012 12:40PM UTC by comment:4
| owner: | → cloudsrise |
|---|---|
| status: | reopened → pending |
Okay, do you have a proposed fix?
Changed August 23, 2012 12:01AM UTC by comment:5
Validate and sanitize the input / output.
Changed August 23, 2012 12:02AM UTC by comment:6
| status: | pending → open |
|---|
I was kind of hoping for a pull request... :)
Changed August 23, 2012 12:03AM UTC by comment:7
| component: | unfiled → core |
|---|---|
| priority: | undecided → low |
Changed August 23, 2012 12:04AM UTC by comment:8
| component: | core → build |
|---|
Changed August 24, 2012 01:53AM UTC by comment:9
Honestly, cloudsrise, we could use a pull request here if you're interested.
Changed August 24, 2012 07:41AM UTC by comment:10
Changed October 26, 2012 01:12PM UTC by comment:11
| milestone: | None → 1.9 |
|---|---|
| resolution: | → fixed |
| status: | open → closed |
This was fixed in https://github.com/jquery/jquery/commit/b62e5522910766a8fb9f1cf29e069360ae75a902 which incorrectly references #12554
polluted.php exists solely to be used by the test suite.