Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.
** Affects: dhis2
Importance: Undecided
Status: New
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@baosystems.com> wrote:
Public bug reported:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.
** Affects: dhis2
Importance: Undecided
Status: New
** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
Yes firing off arbitrary javascript is not a good thing.
It should probably be filtered on input and escaped on output though
opinions vary a bit on approaches. I think these sorts of issues were
being targeted in the new metadata maintenance app.
···
On 25 February 2016 at 08:51, Knut Staring <knutst@gmail.com> wrote:
Is this a security risk?
On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@baosystems.com> > wrote:
Public bug reported:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.
** Affects: dhis2
Importance: Undecided
Status: New
** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
*Timothy Harding*
Sr. Systems Analyst, BAO Systems
+1 202-536-1541 | tharding@baosystems.com | http://www.baosystems.com | Skype:
hardingt@gmail.com | 2900 K Street, Suite 404, Washington D.C. 20007
···
On Tue, Mar 1, 2016 at 5:49 AM, Morten Olav Hansen < 1549378@bugs.launchpad.net> wrote:
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
Bug description:
Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit
hierarchy it would fire off the javascript. I tested this in firefox,
the attached file was the result.
