Comment 4 for bug 1251336

Julian Edwards (julian-edwards) wrote : Re: [Bug 1251336] Re: MaaS API is vulnerable to XSS

On Friday 07 Feb 2014 21:37:32 Seth Arnold wrote:
> I'm afraid these patches may not be sufficient; I believe some (most?)
> browsers perform content introspection to determine if the server-
> supplied mime type is correct. If an attacker supplies some
> <html><script> tags in their input, a real browser may happily execute
> the script contents against the server's explicit demands.
>
> If IE6 is the only browser this busted, I'm fine with this patch, but we
> should discover which browsers might ignore server-supplied mime types;
> we may need to manually escape special characters.
>
> Thanks

This broke on Firefox and I have tested that the fix works.

Chromium was always fine and not broken. Go figure :)

If you can find a browser that it does not work on, then I am happy to fix it
by escaping.
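
The two defences discussed in this thread (an explicit non-HTML content type, with escaping as the fallback), shown as an added example that is not part of the original comment or the MAAS patch. The function names, the error message text and the use of the `X-Content-Type-Options: nosniff` header are assumptions.

```python
import html

# Assumed header set for an API response body that echoes request input.
SAFE_HEADERS = {
    "Content-Type": "text/plain; charset=utf-8",
    # Asks browsers that honour it not to second-guess the declared type.
    "X-Content-Type-Options": "nosniff",
}


def build_error_response(user_input):
    """Return (headers, body) for an error message that reflects user_input."""
    # Escaping is the fallback mentioned in the thread: if a browser ignores
    # the declared type and renders the body as HTML, the markup stays inert.
    message = "Unrecognised operation: " + html.escape(user_input, quote=True)
    return dict(SAFE_HEADERS), message.encode("utf-8")


def audit_response(headers, body):
    """List the reasons a browser might end up treating this body as HTML."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []
    ctype = lowered.get("content-type", "")
    if not ctype:
        findings.append("no Content-Type: the browser has to guess")
    elif ctype.split(";")[0].strip() == "text/html":
        findings.append("declared as text/html")
    if lowered.get("x-content-type-options", "").strip() != "nosniff":
        findings.append("no nosniff: the declared type may be overridden")
    if b"<" in body:
        findings.append("unescaped '<' in body")
    return findings


if __name__ == "__main__":
    # Constructed sample input, mirroring the tags named in the thread.
    sample = "<html><script>x</script>"
    headers, body = build_error_response(sample)
    print(body.decode(), audit_response(headers, body))
    print(audit_response({"Content-Type": "text/plain"}, sample.encode()))
```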