Opened 6 years ago

Closed 6 years ago

#2943 closed defect (fixed)

Cross-site Scripting in /json

Reported by: wms Owned by: Mikhail Sobolev <mss@…>
Priority: major Milestone: undecided
Version: 0.8.9 Keywords:


The error reporting in the /json module displays user input, including HTML characters. If as_text is specified, the content type is set to plain text which, combined with some browsers' content sniffing, results in the HTML being parsed as HTML. This affects IE6 and IE8 at least.

I suggest keeping the mime type as json and setting X-Content-Type-Options to "nosniff".

Change History (2)

comment:2 Changed 6 years ago by Mikhail Sobolev <mss@…>

  • Owner set to Mikhail Sobolev <mss@…>
  • Resolution set to fixed
  • Status changed from new to closed

In 48edbaaf154f3a567a283a5276be614ca65f3d9e:

Merge pull request #1258 from wmswms/eight

Bugfix 2943: Fix cross-site scripting in status_json by specifying nosniff and app/js...

Fixes ticket:2943

Note: See TracTickets for help on using tickets.