Skip to content

Fix/xss/on favorite file #16599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rullzer merged 2 commits into from
Jul 30, 2019
Merged

Fix/xss/on favorite file #16599

rullzer merged 2 commits into from
Jul 30, 2019

Conversation

@MaxFichtelmann
Copy link
Contributor

@MaxFichtelmann MaxFichtelmann commented Jul 29, 2019

This fixes an XSS vulnerability with low availability in files/js/tagsplugin.js.

Additionally this PR addresses a potential XSS in jscolor.js - I did not find a call path that could be exploited, but using innerHTML without sanitizing its input is unnecessarily dangerous.

@MaxFichtelmann MaxFichtelmann force-pushed the fix/xss/on-favorite-file branch from dc63597 to 4977f23 Compare July 29, 2019 16:16
@kesselb kesselb requested review from juliusknorr and rullzer July 29, 2019 20:15
@kesselb kesselb added 3. to review Waiting for reviews bug security labels Jul 29, 2019
@kesselb kesselb added this to the Nextcloud 17 milestone Jul 29, 2019
rullzer
rullzer reviewed Jul 30, 2019
View reviewed changes
rullzer
rullzer approved these changes Jul 30, 2019
View reviewed changes
Copy link
Member

@rullzer rullzer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

@juliusknorr
Copy link
Member

juliusknorr commented Jul 30, 2019

Failures unrelated.

@juliusknorr juliusknorr added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jul 30, 2019
@juliusknorr
Copy link
Member

juliusknorr commented Jul 30, 2019

/backport to stable16

@juliusknorr
Copy link
Member

juliusknorr commented Jul 30, 2019

/backport to stable15

@juliusknorr
Copy link
Member

juliusknorr commented Jul 30, 2019

/backport to stable14

@rullzer rullzer merged commit 53330ce into master Jul 30, 2019
@delete-merged-branch delete-merged-branch bot deleted the fix/xss/on-favorite-file branch July 30, 2019 07:51
@welcome
Copy link

welcome bot commented Jul 30, 2019

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
Most developers hang out on IRC. So join #nextcloud-dev on Freenode for a chat!

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jul 30, 2019
Merged
@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jul 30, 2019

backport to stable16 in #16610

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jul 30, 2019
Merged
@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jul 30, 2019

backport to stable15 in #16611

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jul 30, 2019
Merged
@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jul 30, 2019

backport to stable14 in #16612

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juliusknorr juliusknorr juliusknorr approved these changes

@kesselb kesselb kesselb left review comments

@rullzer rullzer rullzer approved these changes

@MorrisJobke MorrisJobke Awaiting requested review from MorrisJobke

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

Assignees

No one assigned

Labels

4. to release Ready to be released and/or waiting for tests to finish bug security

Projects

None yet

Milestone

Nextcloud 17

Development

Successfully merging this pull request may close these issues.

5 participants

@MaxFichtelmann @juliusknorr @rullzer @kesselb