[Tracker-discuss] [issue296] XSS vulnerability in ok_message
R David Murray
metatracker at psf.upfronthosting.co.za
Mon Jan 25 15:10:28 CET 2010
R David Murray <rdmurray at bitdance.com> added the comment:
My guess would be that the programmer put them in the URL in order to avoid the problem of someone pressing 'refesh' on the error page generating a re-submission of the form. Doing this via a redirect to a URL avoids the resubmission problem without needing to get involved in session management (ie: staying RESTful). However, whatever is passed in the URL should be sanitized before being displayed. I haven't looked at the source either, so I don't know how complicated it would be to fix this, but if what is normally passed is only text, just escaping it before displaying it should be an almost trivial change.
And yeah, it would be nice to fix 'clear this message' to completely clear the URL, too.
PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
More information about the Tracker-discuss