Fix view_question.jsp and view_question_results.jspf to prevent XSS in Polls Portlet

Description

Steps to reproduce:

1st scenario:

  • Go to Control Panel/Polls

  • Add a new Question and paste this "><script>alert(document.cookie);</script>" (with the quotes!) into the DESCRIPTION field

  • Save

  • Click on the Question to open it >>> An alert will pop up

2nd scenario:

  • Go to Control Panel/Polls

  • Add a new Question and paste this "><script>alert(document.cookie);</script>" (with the quotes!) into one of the CHOICE fields

  • Save

  • Click on the Question to open it and vote

  • Open the Question to see the results >>> An alert will pop up
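The two render paths behind the scenarios above, as an added example that is not part of this ticket or of Liferay's own code: the question description is emitted as element text (the view_question.jsp case) and a choice label is emitted both inside a quoted attribute and as text (the view_question_results.jspf case), each before and after output encoding. The element layout, the method names and the escape() helper are assumptions for illustration; escape() stands in for the portal's HtmlUtil.escape(), it is not that method. The payload is the one from the steps to reproduce, and its leading quote matters in the attribute case: it closes the attribute and the tag, so the script element lands in live markup even when the label was "only" used as a title.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Liferay code. Models the two render paths in the ticket
 * before and after output encoding. The markup below is assumed, not copied
 * from the portlet's JSPs, and escape() is a stand-in for HtmlUtil.escape().
 */
public class PollsXssExample {

    /** Payload from the steps to reproduce, leading quote included. */
    static final String PAYLOAD = "\"><script>alert(document.cookie);</script>";

    /** Minimal HTML/attribute escaper; assumed to match HtmlUtil.escape() for these characters. */
    static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;"); break;
                case '>':  sb.append("&gt;"); break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Scenario 1 before the fix: the stored description is written straight into element text. */
    static String renderDescriptionVulnerable(String description) {
        return "<div class=\"description\">" + description + "</div>";
    }

    /** Scenario 1 after the fix: encode at the point of output, not at the point of storage. */
    static String renderDescriptionFixed(String description) {
        return "<div class=\"description\">" + escape(description) + "</div>";
    }

    /** Scenario 2 before the fix: the choice label sits in a quoted attribute and in text. */
    static String renderChoiceVulnerable(String choice, int votes) {
        return "<div class=\"result\" title=\"" + choice + "\">" + choice + ": " + votes + "</div>";
    }

    /** Scenario 2 after the fix: every occurrence is encoded, the attribute one included. */
    static String renderChoiceFixed(String choice, int votes) {
        return "<div class=\"result\" title=\"" + escape(choice) + "\">"
            + escape(choice) + ": " + votes + "</div>";
    }

    /** Crude tester's check on rendered markup: did a raw script tag survive encoding? */
    static boolean containsLiveScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        List<String> outputs = Arrays.asList(
            renderDescriptionVulnerable(PAYLOAD),
            renderDescriptionFixed(PAYLOAD),
            renderChoiceVulnerable(PAYLOAD, 3),
            renderChoiceFixed(PAYLOAD, 3));
        for (String html : outputs) {
            // The two "Vulnerable" outputs carry a live <script>; the two "Fixed" ones do not.
            System.out.println((containsLiveScriptTag(html) ? "XSS  " : "safe ") + html);
        }
    }
}
```

Because the payload is saved with the question and executes on a later page view, this is stored XSS, and the check that matters is at output: every scriptlet in the two JSPs that writes the description or a choice label into the page needs to go through HtmlUtil.escape (or an equivalent encoder), including any copy written into an attribute, since a single unencoded occurrence is enough for the alert to fire.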

Activity


Mark Jin, July 5, 2012 at 6:54 PM (edited)

PASSED Manual Testing following the steps in the description.

Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.1.10 EE GA1.

Able to see the pop-up.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 83d7c84294cbaff265e62eb33e04cabaf8ad1294.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 702c4ffa129d6be718ef8c319949ef47125aa272.

Unable to see the pop-up.

Lawrence Lee, July 5, 2012 at 4:39 PM

Committed on:
Portal 6.1.x EE GIT ID: d5ac1a166d4c8d7679b8fdba3f3e11b3fbd7cdbe.
Portal 6.2.x GIT ID: f2c57c9a46ce182d444d24b12a5964718a682091.

Tibor Lipusz, June 26, 2012 at 2:33 AM

Please review my modifications based on our discussion.
Check my last comment for the LPS.

Thanks,
Tibor

Fixed

Details

Assignee:
Reporter:
Labels:
Branch Version/s: 6.1.x
Backported to Branch: Committed
Fix Priority: 4
Priority:
Zendesk Support:

Created June 25, 2012 at 4:11 AM
Updated June 24, 2023 at 4:00 PM
Resolved August 6, 2012 at 11:39 PM