Task List: JavaScript in task comments security issue


      Scripts in task comments

      <script>window.alert("sometext");</script>
      

      will actually execute when viewed in history.

      Recreate (in task list):
      1. Use 'Create task' to create and assign task to mary
      2. As mary, use 'Add Comment', type in script text

      and so mary can execute scripts for demo by

      3. Reassign to demo
      4. As demo, view in history

      Attachment: alert.png (120 kB, Thomas Skjolberg)

      Assignee: Michael Schoettes
      Reporter: Thomas Skjolberg
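
The report above describes stored script injection: comment text saved by one user is rendered as markup in another user's history view. The following is an added example, not code from the reported product; it assumes the history view builds HTML from comment strings, and the function names and sample data are hypothetical. It shows the unencoded rendering beside an output-encoded one, plus a check usable as a regression test.

```javascript
// Added example: all names here are hypothetical, not the product's API.

// Constructed sample data mirroring the steps in the report.
const history = [
  { author: "mary", text: '<script>window.alert("sometext");</script>' },
  { author: "demo", text: "Looks fine & approved" },
];

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed model of the reported behaviour: comment text placed into markup as-is.
function renderHistoryUnsafe(entries) {
  return entries.map((e) => `<li><b>${e.author}</b>: ${e.text}</li>`).join("\n");
}

// Hardened form: every user-controlled field is encoded at output time.
function renderHistorySafe(entries) {
  return entries
    .map((e) => `<li><b>${escapeHtml(e.author)}</b>: ${escapeHtml(e.text)}</li>`)
    .join("\n");
}

// Regression check: after removing the template's own <li>/<b> tags,
// any remaining tag opener must have come from user-supplied text.
function hasUnexpectedTags(html) {
  const stripped = html.replace(/<\/?(li|b)>/g, "");
  return /<[a-zA-Z\/!]/.test(stripped);
}

console.log("unsafe:\n" + renderHistoryUnsafe(history));
console.log("safe:\n" + renderHistorySafe(history));
```

Encoding at render time keeps the stored comment unchanged, so the same text stays safe to reuse in other output contexts that apply their own encoding.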