
dhis2-devs team mailing list archive

Re: [Bug 1549378] [NEW] Javascript allowed in OU names, v2.22

 

Is this a security risk?

On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@xxxxxxxxxxxxxx>
wrote:

> Public bug reported:
>
> Conducting a training and just had a user pop some JavaScript into the
> org unit name which when the user revealed it in the org unit hierarchy
> it would fire off the JavaScript. I tested this in Firefox, the attached
> file was the result.
>
> ** Affects: dhis2
>      Importance: Undecided
>          Status: New
>
> ** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
>
> https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png
>
> --
> You received this bug notification because you are a member of DHIS 2
> developers, which is subscribed to DHIS.
> https://bugs.launchpad.net/bugs/1549378
>
> Title:
>   Javascript allowed in OU names, v2.22
>
> Status in DHIS:
>   New
>
> Bug description:
>   Conducting a training and just had a user pop some JavaScript into the
>   org unit name which when the user revealed it in the org unit
>   hierarchy it would fire off the JavaScript. I tested this in Firefox,
>   the attached file was the result.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>


-- 
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org
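
Added example, not part of the thread and not DHIS 2 code: markup in a stored name that runs when the name is displayed is the kind of bug that output encoding addresses, so this sketch renders one constructed org unit tree with and without encoding. The names `escapeHtml`, `renderTree`, `findSuspectNames` and the sample tree are hypothetical.

```javascript
// Added example: all names and data here are assumptions, not DHIS 2 code.

// Encode the characters that let text break out of element content
// or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render an org unit tree as nested list markup, passing every stored
// value through `encode` before it is placed into the HTML.
function renderTree(node, encode) {
  const kids = (node.children || []).map((c) => renderTree(c, encode)).join('');
  return `<li data-id="${encode(node.id)}"><span>${encode(node.name)}</span>` +
    (kids ? `<ul>${kids}</ul>` : '') + '</li>';
}

// "Before": stored names are concatenated as-is, so tags in a name become page markup.
const renderTreeUnsafe = (tree) => renderTree(tree, String);
// "After": names are encoded at output time and display as literal text.
const renderTreeSafe = (tree) => renderTree(tree, escapeHtml);

// List the opening tags present in a rendered string (used to compare outputs).
function tagNames(html) {
  return (html.match(/<[a-zA-Z][a-zA-Z0-9]*/g) || []).map((t) => t.slice(1).toLowerCase());
}

// Audit helper: ids of already-stored org units whose names contain angle brackets.
function findSuspectNames(node) {
  const own = /[<>]/.test(node.name) ? [node.id] : [];
  return own.concat(...(node.children || []).map(findSuspectNames));
}

// Constructed sample data: one legitimate name with '&', one name carrying markup.
const sampleTree = {
  id: 'ou1', name: 'Training Land', children: [
    { id: 'ou2', name: 'Bo & Kenema' },
    { id: 'ou3', name: 'Clinic <script>alert(1)</script>' },
  ],
};

console.log('unsafe tags:', tagNames(renderTreeUnsafe(sampleTree)).join(','));
console.log('safe tags:  ', tagNames(renderTreeSafe(sampleTree)).join(','));
console.log('names to review:', findSuspectNames(sampleTree));
```

Encoding at render time keeps legitimate names such as "Bo & Kenema" intact for display, which rejecting special characters at input would not.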
