Opened 10 years ago
Closed 10 years ago
#12254 closed bug (fixed)
Reflected XSS
| Reported by: | cloudsrise | Owned by: | cloudsrise |
|---|---|---|---|
| Priority: | low | Milestone: | 1.9 |
| Component: | build | Version: | git |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Line 59 of polluted.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Change History (11)
comment:1 Changed 10 years ago by
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 Changed 10 years ago by
While I would love to agree with you, user behavior dictates otherwise. It isn't clear to me they are knowingly putting themselves at risk with regards to XSS and this public exploit. http://www.google.com/search?q=inurl:polluted.php should give you a few examples where we see unexpected test suite deployment behavior.
comment:3 Changed 10 years ago by
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
comment:4 Changed 10 years ago by
| Owner: | set to cloudsrise |
|---|---|
| Status: | reopened → pending |
Okay, do you have a proposed fix?
comment:6 Changed 10 years ago by
| Status: | pending → open |
|---|
I was kind of hoping for a pull request... :)
comment:7 Changed 10 years ago by
| Component: | unfiled → core |
|---|---|
| Priority: | undecided → low |
comment:8 Changed 10 years ago by
| Component: | core → build |
|---|
comment:9 Changed 10 years ago by
Honestly, cloudsrise, we could use a pull request here if you're interested.
comment:11 Changed 10 years ago by
| Milestone: | None → 1.9 |
|---|---|
| Resolution: | → fixed |
| Status: | open → closed |
This was fixed in https://github.com/jquery/jquery/commit/b62e5522910766a8fb9f1cf29e069360ae75a902 which incorrectly references #12554
polluted.php exists solely to be used by the test suite.