html not sanitized in issue titles, allowing XSS

24 Apr, 2009 06:17 AM

Here's an example:

https://github.com/jed/langwidget.com/issues/#issue/10

The title is <script>alert('html needs to be sanitized')</script>, which is actually executed.

1 Posted by Kyle Neath (Git... on 24 Apr, 2009 05:14 PM

Hey Jed,

I think you might have support systems mixed up. This is Tender, the software that powers Github's support site. Try submitting your issue at http://support.github.com

Thanks!
- Edit
Kyle Neath (GitHub Staff) closed this discussion on 24 Apr, 2009 05:14 PM.
Jed Schmidt re-opened this discussion on 24 Apr, 2009 05:18 PM
2 Posted by Jed Schmidt on 24 Apr, 2009 05:18 PM

Oops, my bad. Sorry for the distraction!
- Edit

Discussions are closed to public comments.
If you need help with Tender please start a new discussion.

New Issue
Conversation Started
The discussion is closed

No more actions from Tender or the discussion starter are required.
Re-open the discussion Re-open the discussion

This discussion is private. Only you and Tender support staff can see and reply to it.

This discussion is public. Everyone can see and reply to it.

Keyboard shortcuts

?	Show this help
ESC	Blurs the current field

r	Focus the comment reply box
^ + ↩	Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

	08 Apr, 2025 09:44 AM	Unlock Your Creativity with the EspressoCoder Tool
	16 Oct, 2024 11:30 AM	Knowledge base feedback
	05 Jun, 2024 11:15 AM	What is the cost of IVF Treatment in Kenya 2024?
	24 May, 2024 12:47 PM	Setting up my email
	02 May, 2024 12:35 AM	Introduction to Mary Flavors

	How do I cancel my account?
	Using queues to organize your support
	Cancel my dating profile
	Changing Account Owner
	How do I upgrade/downgrade my account?