[Buildbot] #2943: Cross-site Scripting in /json
Buildbot trac
trac at buildbot.net
Mon Oct 13 17:19:31 UTC 2014
#2943: Cross-site Scripting in /json
-------------------+-----------------------
Reporter: wms | Owner:
Type: defect | Status: new
Priority: major | Milestone: undecided
Version: 0.8.9 | Keywords:
-------------------+-----------------------
The error reporting in the /json module displays user input, including
HTML characters. If as_text is specified, the content type is set to plain
text which, combined with some browsers' content sniffing, results in the
HTML being parsed as HTML. This affects IE6 and IE8 at least.
I suggest keeping the mime type as json and setting X-Content-Type-Options
to "nosniff".
--
Ticket URL: <http://trac.buildbot.net/ticket/2943>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation
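Added example, not Buildbot's own code: a minimal Python model of the response pattern the ticket reports (user input reflected into a JSON error body, served as text/plain when as_text is set) next to the reporter's suggested fix, plus a check that flags the sniffable combination. Function names, the error text and the sample input are hypothetical.

```python
import json

# Media types a content-sniffing browser may reinterpret (assumption for
# this example; an empty value models a missing Content-Type header).
SNIFFABLE_TYPES = {"", "text/plain"}


def error_body(user_input):
    """JSON error document that reflects the requested path. json.dumps does
    not escape '<' or '>', so any markup in the input stays in the body; the
    response headers alone decide whether a browser renders it as HTML."""
    return json.dumps({"error": "unknown path: %s" % user_input})


def respond_vulnerable(user_input, as_text=False):
    """The reported behaviour: as_text switches the Content-Type to text/plain
    and no X-Content-Type-Options header is sent, so a sniffing browser
    (the ticket names IE6 and IE8) may parse the body as HTML."""
    ctype = "text/plain" if as_text else "application/json"
    return {"Content-Type": ctype}, error_body(user_input)


def respond_fixed(user_input, as_text=False):
    """The reporter's suggestion: keep the JSON media type whether or not
    as_text is given, and forbid sniffing with nosniff."""
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff"}
    return headers, error_body(user_input)


def sniffable_markup(headers, body):
    """Review/test check: True when the body carries markup and the headers
    would let a sniffing browser render it (sniffable type, no nosniff).
    This is exactly the condition the ticket describes."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    return "<" in body and ctype in SNIFFABLE_TYPES and not nosniff


if __name__ == "__main__":
    probe = "<b>probe</b>"  # constructed sample input
    print("vulnerable, as_text:", sniffable_markup(*respond_vulnerable(probe, True)))
    print("fixed, as_text:     ", sniffable_markup(*respond_fixed(probe, True)))
```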