- **status**: open --> closed
- **Comment**: Fixed as part of [#7919]
---

**[tickets:#7931] Tool install dialog needs to escape html/js**

**Status:** closed
**Milestone:** unreleased
**Created:** Wed Jul 15, 2015 03:13 PM UTC by Dave Brondsema
**Last Updated:** Wed Jul 15, 2015 03:13 PM UTC
**Owner:** nobody

If you go to install a tool and enter `"/><img src=x onerror=prompt(/XSS-test/)>` as the "Url Path" it will execute that JS when previewing the URL. We should escape this.

Not a security risk since it only executes local to the current user (not a way to make a "victim" run this JS)
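The escaping the ticket asks for, shown as an added example that is not Allura's code or the fix from [#7919]: a preview built by string concatenation beside the same preview with every interpolated value HTML-escaped. The function names, the `url_path` field, the `url-preview` markup and the `/p/example/` project URL are assumptions made for the illustration.

```javascript
// Added example; all names and markup here are hypothetical, not Allura's.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Escape the five characters that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the Url Path is concatenated straight into markup, so a quote
// closes the value attribute and the rest of the input is parsed as HTML.
function renderPreviewUnsafe(projectUrl, urlPath) {
  return '<input name="url_path" value="' + urlPath + '"/>' +
         '<span class="url-preview">' + projectUrl + urlPath + '</span>';
}

// "After": every interpolated value is escaped for the HTML context.
function renderPreviewSafe(projectUrl, urlPath) {
  const path = escapeHtml(urlPath);
  return '<input name="url_path" value="' + path + '"/>' +
         '<span class="url-preview">' + escapeHtml(projectUrl) + path + '</span>';
}

// Rough check for the demo: names of the opening tags present in the markup.
function tagNames(html) {
  return Array.from(html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g),
                    (m) => m[1].toLowerCase());
}

// Input quoted in the ticket; the project URL is a constructed sample.
const TICKET_INPUT = '"/><img src=x onerror=prompt(/XSS-test/)>';
const PROJECT_URL = '/p/example/';

console.log('unsafe tags:', tagNames(renderPreviewUnsafe(PROJECT_URL, TICKET_INPUT)));
console.log('safe tags:  ', tagNames(renderPreviewSafe(PROJECT_URL, TICKET_INPUT)));
console.log(renderPreviewSafe(PROJECT_URL, TICKET_INPUT));
```

In DOM code, assigning the value through `textContent` or the input's `value` property instead of building markup avoids HTML parsing of the input altogether.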
