URL auto-linking linkifies data: URLs
Bug #1021129 reported by
William Grant
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
Critical
|
Curtis Hovey | ||
Bug Description
Bug #276726 asked that data: URLs be linkified, and it was made so. But the bug was misguided; data: links, at least in Firefox, execute within the origin of the page that contains them. So you can XSS nicely by providing a data:text/
Related branches
lp:~sinzui/launchpad/frou-frou-foxes
(Merged)
| Changed in launchpad: | |
| assignee: | nobody → Curtis Hovey (sinzui) |
| status: | Triaged → In Progress |
Revision history for this message
| Launchpad QA Bot (lpqabot) wrote | #1 |
| tags: | added: qa-needstesting |
| Changed in launchpad: | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Curtis Hovey (sinzui) wrote | #2 |
| Changed in launchpad: | |
| status: | Fix Committed → In Progress |
| tags: |
added: qa-ok removed: qa-needstesting |
Revision history for this message
| William Grant (wgrant) wrote | #3 |
Revision history for this message
| Launchpad QA Bot (lpqabot) wrote | #4 |
| tags: |
added: qa-needstesting removed: qa-ok |
| Changed in launchpad: | |
| status: | In Progress → Fix Committed |
| tags: |
added: qa-ok removed: qa-needstesting |
| Changed in launchpad: | |
| status: | Fix Committed → Fix Released |
| visibility: | private → public |
| tags: | added: disclosure |
To post a comment you must log in.
Fixed in stable r15581 <http://