launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] lp:~abentley/launchpad/view-flags into lp:launchpad

To: Aaron Bentley <aaron@xxxxxxxxxxxxx>
From: Gavin Panella <gavin.panella@xxxxxxxxxxxxx>
Date: Thu, 17 Nov 2011 17:43:26 -0000
In-reply-to: <20111117172419.25520.16112.launchpad@ackee.canonical.com>
Reply-to: mp+82570@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

[1]

+        var chunks = ['<span class="beta-feature"> ', info.title];
+        if (info.url.length > 0) {
+            chunks.push(' (<a href="', info.url, '" class="info-link">',
+                'read more</a>)');
+        }
+        chunks.push('</span>');
+        notifications.push(Y.Node.create(chunks.join('')));

This is XSS territory. This must be done something like:

  var node = Y.Node.create(
      '<span class="beta-feature"><a class="info-link"></a></span>');
  node.set("text", info.title);
  node.one("a").set("href", info.url);

Obviously that's not the whole story, but string concatenation is
going to get you in a lot of trouble.


... Review in progress ...

-- 
https://code.launchpad.net/~abentley/launchpad/view-flags/+merge/82570
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~abentley/launchpad/view-flags into lp:launchpad.

References

[Merge] lp:~abentley/launchpad/view-flags into lp:launchpad
From: Aaron Bentley, 2011-11-17