Opened 6 years ago
Closed 6 years ago
#2943 closed defect (fixed)
Cross-site Scripting in /json
Reported by: | wms | Owned by: | Mikhail Sobolev <mss@…> |
---|---|---|---|
Priority: | major | Milestone: | undecided |
Version: | 0.8.9 | Keywords: | |
Cc: |
Description
The error reporting in the /json module displays user input, including HTML characters. If as_text is specified, the content type is set to plain text which, combined with some browsers' content sniffing, results in the HTML being parsed as HTML. This affects IE6 and IE8 at least.
I suggest keeping the mime type as json and setting X-Content-Type-Options to "nosniff".
Change History (2)
comment:1 Changed 6 years ago by wms
comment:2 Changed 6 years ago by Mikhail Sobolev <mss@…>
- Owner set to Mikhail Sobolev <mss@…>
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
Proposed patch: https://github.com/buildbot/buildbot/pull/1258