[Buildbot] #2943: Cross-site Scripting in /json

Buildbot trac trac at buildbot.net
Mon Oct 13 17:19:31 UTC 2014


#2943: Cross-site Scripting in /json
-------------------+-----------------------
Reporter:  wms     |      Owner:
    Type:  defect  |     Status:  new
Priority:  major   |  Milestone:  undecided
 Version:  0.8.9   |   Keywords:
-------------------+-----------------------
 The error reporting in the /json module displays user input, including
 HTML characters. If as_text is specified, the content type is set to plain
 text which, combined with some browsers' content sniffing, results in the
 HTML being parsed as HTML. This affects IE6 and IE8 at least.

 I suggest keeping the mime type as json and setting X-Content-Type-Options
 to "nosniff".

--
Ticket URL: <http://trac.buildbot.net/ticket/2943>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation
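As an added example (not Buildbot's own code) of the mitigation the ticket suggests: an error response that keeps the JSON media type, sets X-Content-Type-Options to nosniff, and encodes the echoed input so the bytes never contain a tag, plus a check that flags responses a sniffing browser could still upgrade to HTML. The response shape and the handling of `as_text` as a formatting-only hint are assumptions.

```python
import json

NOSNIFF = ("X-Content-Type-Options", "nosniff")


def json_error_response(user_input, as_text=False):
    """Return (status, headers, body) for an error that echoes user_input.

    Whatever the caller asked for, the body stays JSON and the response
    carries nosniff, so a content-sniffing browser has nothing to
    reinterpret as HTML.  (Assumed shape; not Buildbot's real /json code.)
    """
    payload = {"error": "unknown request", "request": user_input}
    # as_text only changes formatting (pretty-printed JSON), never the media type.
    body = json.dumps(payload, indent=2 if as_text else None)
    # Belt and braces: encode the characters sniffers key on.  This is still
    # valid JSON and decodes back to the original string.
    body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    headers = [
        ("Content-Type", "application/json; charset=utf-8"),
        NOSNIFF,
    ]
    return 400, headers, body


def echoed_input(body):
    """Decode an error body and return the echoed request string."""
    return json.loads(body)["request"]


def is_sniff_safe(headers):
    """True when a response declares JSON and forbids sniffing.

    Either condition alone is not enough: text/plain plus nosniff is still
    not JSON, and application/json without nosniff relies on the browser.
    """
    h = {k.lower(): v for k, v in headers}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    return media_type == "application/json" and nosniff
```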

