dhis2-devs team mailing list archive
Message #43474
Re: [Bug 1549378] [NEW] Javascript allowed in OU names, v2.22
Is this a security risk?
On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@xxxxxxxxxxxxxx>
wrote:
> Public bug reported:
>
> Conducting a training and just had a user pop some JavaScript into the
> org unit name which, when the user revealed it in the org unit hierarchy,
> would fire off the JavaScript. I tested this in Firefox; the attached
> file was the result.
>
> ** Affects: dhis2
> Importance: Undecided
> Status: New
>
> ** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
>
> https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png
>
> --
> You received this bug notification because you are a member of DHIS 2
> developers, which is subscribed to DHIS.
> https://bugs.launchpad.net/bugs/1549378
>
> Title:
> Javascript allowed in OU names, v2.22
>
> Status in DHIS:
> New
>
> Bug description:
> Conducting a training and just had a user pop some JavaScript into the
> org unit name which, when the user revealed it in the org unit
> hierarchy, would fire off the JavaScript. I tested this in Firefox;
> the attached file was the result.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help : https://help.launchpad.net/ListHelp
>
--
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org
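
Added example (not part of the thread and not DHIS 2 code): the report above describes a stored org unit name running as script when the hierarchy displays it. The sketch below contrasts a renderer that concatenates the stored name into markup with one that HTML-encodes it at output; `renderNodeUnsafe`, `renderNodeSafe`, `renderTree`, `unexpectedTags` and the sample org units are hypothetical and constructed for illustration.

```javascript
// Hypothetical renderer for an org unit tree; not DHIS 2 source code.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the stored name is concatenated into markup unchanged, so tags or
// attribute delimiters inside it become part of the page when it is shown.
function renderNodeUnsafe(unit, childHtml) {
  return '<li data-id="' + unit.id + '"><span title="' + unit.name + '">' +
    unit.name + "</span>" + childHtml + "</li>";
}

// AFTER: every stored field is encoded at the point of output, for both the
// attribute context (title) and the text context (label).
function renderNodeSafe(unit, childHtml) {
  const id = escapeHtml(unit.id);
  const name = escapeHtml(unit.name);
  return `<li data-id="${id}"><span title="${name}">${name}</span>${childHtml}</li>`;
}

// Render a nested hierarchy with the chosen node renderer.
function renderTree(units, renderNode) {
  const items = units.map((u) =>
    renderNode(u, u.children ? renderTree(u.children, renderNode) : ""));
  return "<ul>" + items.join("") + "</ul>";
}

// Crude regression check: tag-like sequences other than the ul/li/span
// that the renderer itself emits.
function unexpectedTags(html) {
  return (html.match(/<\/?[a-z]+/gi) || []).filter((t) => !/^<\/?(ul|li|span)$/i.test(t));
}

// Constructed sample data: one benign name, one with a tag, one that tries
// to close the title attribute.
const sampleUnits = [
  { id: "ou1", name: "District A & B", children: [
    { id: "ou2", name: "<script>alert(1)</script>" },
    { id: "ou3", name: 'Clinic" onmouseover="alert(1)' },
  ] },
];

console.log("unsafe:", unexpectedTags(renderTree(sampleUnits, renderNodeUnsafe)).length);
console.log("safe:  ", unexpectedTags(renderTree(sampleUnits, renderNodeSafe)).length);
```

Encoding on output covers names already stored in the database; rejecting markup at input time alone would leave existing records rendering as before.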