Opened 4 years ago
Closed 4 years ago
#12254 closed bug (fixed)
Reflected XSS
| Reported by: | cloudsrise | Owned by: | cloudsrise |
|---|---|---|---|
| Priority: | low | Milestone: | 1.9 |
| Component: | build | Version: | git |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Line 59 of polluted.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Change History (11)
comment:1 Changed 4 years ago by rwaldron
- Resolution set to invalid
- Status changed from new to closed
comment:2 Changed 4 years ago by anonymous
While I would love to agree with you, user behavior dictates otherwise. It isn't clear to me they are knowingly putting themselves at risk with regards to XSS and this public exploit. http://www.google.com/search?q=inurl:polluted.php should give you a few examples where we see unexpected test suite deployment behavior.
comment:3 Changed 4 years ago by dmethvin
- Resolution invalid deleted
- Status changed from closed to reopened
comment:4 Changed 4 years ago by dmethvin
- Owner set to cloudsrise
- Status changed from reopened to pending
Okay, do you have a proposed fix?
comment:5 follow-up: ↓ 6 Changed 4 years ago by anonymous
Validate and sanitize the input / output.
comment:6 in reply to: ↑ 5 Changed 4 years ago by dmethvin
- Status changed from pending to open
I was kind of hoping for a pull request... :)
comment:7 Changed 4 years ago by dmethvin
- Component changed from unfiled to core
- Priority changed from undecided to low
comment:8 Changed 4 years ago by dmethvin
- Component changed from core to build
comment:9 Changed 4 years ago by dmethvin
Honestly, cloudsrise, we could use a pull request here if you're interested.
comment:10 Changed 4 years ago by Markus.Staab
comment:11 Changed 4 years ago by mikesherov
- Milestone changed from None to 1.9
- Resolution set to fixed
- Status changed from open to closed
This was fixed in https://github.com/jquery/jquery/commit/b62e5522910766a8fb9f1cf29e069360ae75a902 which incorrectly references #12554
polluted.php exists solely to be used by the test suite.