html not sanitized in issue titles, allowing XSS

Jed Schmidt's Avatar

Jed Schmidt

24 Apr, 2009 06:17 AM

Here's an example:

https://github.com/jed/langwidget.com/issues/#issue/10

The title is <script>alert('html needs to be sanitized')</script>, which is actually executed.

  1. 1 Posted by Kyle Neath (Git... on 24 Apr, 2009 05:14 PM

    Kyle Neath (GitHub Staff) 's Avatar

    Hey Jed,

    I think you might have support systems mixed up. This is Tender, the software that powers Github's support site. Try submitting your issue at http://support.github.com

    Thanks!

  2. Kyle Neath (GitHub Staff) closed this discussion on 24 Apr, 2009 05:14 PM.

  3. Jed Schmidt re-opened this discussion on 24 Apr, 2009 05:18 PM

  4. 2 Posted by Jed Schmidt on 24 Apr, 2009 05:18 PM

    Jed Schmidt's Avatar

    Oops, my bad. Sorry for the distraction!

Discussions are closed to public comments.
If you need help with Tender please start a new discussion.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

14 Oct, 2019 04:05 AM
14 Oct, 2019 12:43 AM
21 Sep, 2019 02:33 PM
27 Aug, 2019 05:35 PM
15 Aug, 2019 01:56 AM