#1782 XSS on the "research assistant" page

Status: closed-fixed
Owner: John Finlay
Labels: None
Priority: 5
Updated: 2008-02-15
Created: 2007-11-05
Creator: Nick Jenkins
Private: No

There is an XSS on the "research assistant" page (URL: "/module.php?mod=research_assistant"). In the "Who do you want to learn more about?" box, type (note: you need to include the starting quote):
"<Script>alert(1);</script>
... then click "view", and you should get an XSS JavaScript popup dialog box that says "1".
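The pattern behind this class of bug and its usual fix, as an added example: this is not the project's code and not the change made in svn 2148 (which this page does not show). The report's note that the leading double quote is required suggests the search text was reflected inside a quoted attribute value, so that is the context modelled here; the request parameter name "who" and the form markup are assumptions made for illustration, and the attacker input is the payload quoted in the report.

```php
<?php
// Added example, not the project's own code. Shows the reflected-XSS pattern
// reported in #1782 and the fix. The parameter name "who" and the form markup
// are assumptions; only the payload comes from the report.

// Constructed attacker input, exactly as given in the report. The leading
// double quote is what closes a value="..." attribute, so the <Script> tag
// that follows ends up in markup rather than inside the attribute.
$payload = '"<Script>alert(1);</script>';

// BEFORE: request data echoed straight into an attribute value.
function render_form_vulnerable(string $who): string {
    return '<form method="get" action="module.php">'
         . '<input type="hidden" name="mod" value="research_assistant">'
         . '<input type="text" name="who" value="' . $who . '">'
         . '<input type="submit" value="view"></form>';
}

// AFTER: escape for the HTML attribute context before echoing.
// ENT_QUOTES matters: on PHP releases before 8.1 the default flags escape
// double quotes but not single quotes, so a single-quoted attribute would
// stay injectable. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently blank the field.
function html_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form_fixed(string $who): string {
    return '<form method="get" action="module.php">'
         . '<input type="hidden" name="mod" value="research_assistant">'
         . '<input type="text" name="who" value="' . html_attr($who) . '">'
         . '<input type="submit" value="view"></form>';
}

// Check used below: does a raw <script ...> opening tag appear in the output?
// Case-insensitive, because the reported payload uses "<Script>".
function contains_raw_script_tag(string $html): bool {
    return (bool) preg_match('/<script/i', $html);
}

$vuln  = render_form_vulnerable($payload);
$fixed = render_form_fixed($payload);

echo 'vulnerable output contains <script>: ' . var_export(contains_raw_script_tag($vuln), true) . "\n";
echo 'fixed output contains <script>:      ' . var_export(contains_raw_script_tag($fixed), true) . "\n";
echo $fixed . "\n";
```

Run it with the php CLI: the first line prints true, the second false, and the last line shows the payload kept inside the attribute as `&quot;&lt;Script&gt;...`. Note that htmlspecialchars() is the right escape for text and attribute values only; data placed into a script block or a URL needs its own encoding, and the escape has to be applied at every place the request data is echoed, not just at the one the report exercises.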

Discussion

  • KosherJava
    2007-11-05

    • assigned_to: nobody --> yalnifj

  • KosherJava
    2007-11-05

    • milestone: 213376 -->

  • John Finlay
    2007-11-06

    • status: open --> pending-fixed

  • John Finlay
    2007-11-06

    I have fixed this in svn 2148.

    --John

    • status: pending-fixed --> closed-fixed

  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 100 days (the time period specified by
    the administrator of this Tracker).