#31 Javascript Injection in Content - Concerto

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#31 ✓resolved

Javascript Injection in Content

Reported by Michael DiTore | September 3rd, 2009 @ 09:58 PM | in Concerto 1.9.1

Content should be scrubbed to prevent injection of javascript of any kind through ticker or dynamic content, XSS or otherwise.

Any scrubbing should be applied before going into the database, so that all output (screen, moderation/browse pages, and API) is clean.

This is a security hole that needs to be patched quickly.

Comments and changes to this ticket

Michael DiTore September 7th, 2009 @ 11:07 PM
- State changed from “new” to “resolved”
(from [661]) Prevent injection of HTML tags by encoding htmlspecialchars in ticker text and in content names (before writing to database). [#31 state:resolved]
Brian Michalski February 3rd, 2012 @ 10:34 PM
- Milestone order changed from “0” to “0”
(from [f8cc7d57664fbaaa8e03aa84689a45d5ed78da25]) Hide parent feed selector when there are no feeds. Closes #31. https://github.com/concerto/concerto/commit/f8cc7d57664fbaaa8e03aa8...

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Concerto is an open source digital signage system that makes it easy to engage a large community of people with graphical and text-based announcements, bulletins, and other messages... but enough about us, you came here to get involved.
 
If you think you've found a bug in Concerto, please click 'Create new ticket' and let us know about it.
 
Looking to peek at our source code? Head to <a href="https://github.com/concerto/concerto_v1">https://github.com/concerto/concerto_v1</a> (Concerto version 1) or <a href="https://github.com/concerto/concerto">https://github.com/concerto/concerto</a> (Concerto version 2).
 
Our getting started guide is available here: <a href="https://github.com/concerto/concerto/wiki/Getting-Involved">https://github.com/concerto/concerto/wiki/Getting-Involved</a>.

Shared Ticket Bins (Sort)

People watching this ticket

Michael DiTore

Referenced by

31 Javascript Injection in Content (from [661]) Prevent injection of HTML tags by encoding h...

Webtech Concerto → Concerto 1.9.1

New Billing System

Javascript Injection in Content

Comments and changes to this ticket

Michael DiTore September 7th, 2009 @ 11:07 PM

Brian Michalski February 3rd, 2012 @ 10:34 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Referenced by

Pages

Webtech Concerto → Concerto 1.9.1

New Billing System

Keyword searching

Javascript Injection in Content

Comments and changes to this ticket

Michael DiTore September 7th, 2009 @ 11:07 PM

Brian Michalski February 3rd, 2012 @ 10:34 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Referenced by

Pages