reviewboard: Fix a XSS vulnerability in the review request page (bug 1353011) r=mcote
authorbyron jones <glob@mozilla.com>
Mon, 03 Apr 2017 22:23:44 +0800
changeset 73 86cbd77aa85b6ecbdd9316fe4b3b898aa195b8b0
parent 72 12009690bcc28bf1012ce3ca26362d086deafe59
child 74 f8309a35ae8e6e99844c03a11df91d5bdb66a7c3
push id41
push userbjones@mozilla.com
push dateMon, 03 Apr 2017 14:29:42 +0000
reviewersmcote
bugs1353011
reviewboard: Fix a XSS vulnerability in the review request page (bug 1353011) r=mcote This vulnerability allowed an attacker to craft a URL that would execute JavaScript on a user's behalf. This was found and fixed by Anthony Steinhauser.
reviewboard/reviewboard/templates/reviews/review_detail.html
reviewboard/reviewboard/templates/reviews/review_detail_mozreview.html
--- a/reviewboard/reviewboard/templates/reviews/review_detail.html
+++ b/reviewboard/reviewboard/templates/reviews/review_detail.html
@@ -112,14 +112,14 @@
         );
 {%    endfor %}
 {%   endif %}
 {%  endfor %}
     });
 
 {%  if request.GET.reply_id and request.GET.reply_type %}
     RB.PageManager.ready(function(page) {
-        page.openCommentEditor("{{request.GET.reply_type}}",
-                               {{request.GET.reply_id}});
+        page.openCommentEditor("{{request.GET.reply_type|escapejs}}",
+                               parseInt("{{request.GET.reply_id|escapejs}}", 10));
     });
 {%  endif %}
 </script>
 {% endblock scripts-post %}
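Review bot: The new `parseInt("{{request.GET.reply_id|escapejs}}", 10)` closes the injection (the old unquoted `{{request.GET.reply_id}}` was the vector, since HTML autoescaping leaves `(`, `)` and `;` intact) but it turns a non-numeric `reply_id` into `NaN`, which is then handed straight to `page.openCommentEditor`, and `reply_type` is still an arbitrary attacker-chosen string, merely string-safe now. `escapejs` is the correct filter for a JS string literal inside `<script>` (it `\u`-escapes quotes, backslash, `<`, `>`, `&`, `=`, `-`, `;` and U+2028/2029, so `</script>` breakout is not possible), but input validation should not stop at escaping: the view should coerce `reply_id` to an int and check `reply_type` against the set of editor types it accepts, or at minimum the script should guard here, e.g. `var replyID = parseInt("{{request.GET.reply_id|escapejs}}", 10);` / `if (!isNaN(replyID)) {` / `page.openCommentEditor("{{request.GET.reply_type|escapejs}}", replyID); }`. I cannot see `openCommentEditor` from this hunk, so whether it tolerates `NaN` or an unknown type string is an assumption to confirm against the RB JS.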
--- a/reviewboard/reviewboard/templates/reviews/review_detail_mozreview.html
+++ b/reviewboard/reviewboard/templates/reviews/review_detail_mozreview.html
@@ -115,14 +115,14 @@
         );
 {%    endfor %}
 {%   endif %}
 {%  endfor %}
     });
 
 {%  if request.GET.reply_id and request.GET.reply_type %}
     RB.PageManager.ready(function(page) {
-        page.openCommentEditor("{{request.GET.reply_type}}",
-                               {{request.GET.reply_id}});
+        page.openCommentEditor("{{request.GET.reply_type|escapejs}}",
+                               parseInt("{{request.GET.reply_id|escapejs}}", 10));
     });
 {%  endif %}
 </script>
 {% endblock scripts-post %}
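Review bot: This block is byte-for-byte the same as the one patched in review_detail.html in this commit, which is exactly why the vulnerable pattern had to be fixed in two places; consider extracting the `{% if request.GET.reply_id and request.GET.reply_type %}` … `{% endif %}` run into a shared template fragment pulled in with `{% include %}` so the two copies cannot drift apart on a future edit. Until that happens, a template comment on the first line of the run would keep the next maintainer from reverting the filters: `{# reply_id/reply_type come straight from the query string; both must stay escapejs-filtered inside this <script> (bug 1353011) #}`. The fix itself matches the other file and is correct as far as this hunk shows.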