XSS and <PRE>

I have a question about XSS that I don't see answered in the archives.
I realize why RT::Interface::Web::EscapeUTF8 is called in
/Ticket/Elements/ShowMessageStanza, but sometimes that loses formatting we
want, either due to converting a

 that is in the email, or the browser
not displaying multiple spaces. (In our case the ticket in question has a
diff in the body of the message.)

What I want to know is: am I opening myself up to any cross-site evilness by
wrapping the call to ShowMessageStanza in ShowTransaction (see the simple
patch below)?
It works the way we would like in the simple tests we've done, but we're
hoping to get a wider opinion.

ShowMessageHeaders already has a

 before and after, so either the
 should be safe, or it should be removed from there too? In theory, 
couldn't someone make an X-XSS-Header: with a URL?


This turned into a long message for what I hope is a simple question.

thanks
-james



CUT ---8<--------------------8<-----
--- ShowTransaction.old 2003-09-08 14:18:38.000000000 -0400
+++ ShowTransaction     2003-09-11 14:09:56.000000000 -0400
@@ -71,7 +71,9 @@
        
 <& ShowMessageHeaders, Headers => $headers, Transaction => $Transaction 
&>
 

+


<& ShowMessageStanza, Depth => 0, Message => $quoted, Transaction =>
$Transaction &>
+
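Review bot: the two `+` lines in this hunk (the one before and the one after the ShowMessageStanza call) are empty in this copy, so the wrapper being added cannot be read off the diff itself; whether the change is safe rests entirely on ShowMessageStanza continuing to pass the message through EscapeUTF8 before its output lands inside the wrapper, because a wrapping tag only changes how the browser lays out already-escaped text and is not a sanitizer. Suggest a one-line Mason comment on the opening `+` line stating that the stanza content is escaped by the component, so that a later edit which drops the escaping is noticed in review. The X-XSS-Header concern belongs to ShowMessageHeaders, which this hunk leaves untouched.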
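The property the question turns on is that escaping happens before the wrapper is applied, so a preformatting tag around the stanza cannot reintroduce markup from the message. The following Python is an added example, not RT's code: `escape_utf8`, `show_message_stanza` and `show_message_headers` are stand-ins named after the components in the post, the diff body and the header value are constructed inputs, and `unescaped_tags` is the check a reviewer would run over the rendered output.

```python
import html
import re

# Constructed sample ticket body: a unified diff (whitespace matters) plus
# an injection attempt embedded in one of the changed lines.
SAMPLE_DIFF_BODY = (
    "--- a/config.pl\n"
    "+++ b/config.pl\n"
    "@@ -1,2 +1,2 @@\n"
    "-    $Debug = 0;   # two spaces matter here\n"
    "+    $Debug = 1;   <script>alert(1)</script>\n"
)

# Constructed sample headers, including a header value carrying a URL and markup.
SAMPLE_HEADERS = {
    "Subject": "diff for review",
    "X-Evil-Header": '<a href="http://example.invalid/">click</a>',
}


def escape_utf8(text):
    """Stand-in for RT's EscapeUTF8: neutralise the characters that would
    let message text be parsed as HTML."""
    return html.escape(text, quote=True)


def show_message_stanza(body, preformatted=False):
    """Stand-in for ShowMessageStanza: escape first, then (optionally) wrap.
    The wrapper is applied to already-escaped text, so message content can
    never close or open a tag."""
    escaped = escape_utf8(body)
    if preformatted:
        return "<pre>" + escaped + "</pre>"
    return escaped


def show_message_headers(headers):
    """Stand-in for ShowMessageHeaders: both header names and values are
    escaped before being placed inside the <pre> block."""
    lines = [f"{escape_utf8(name)}: {escape_utf8(value)}"
             for name, value in headers.items()]
    return "<pre>" + "\n".join(lines) + "</pre>"


def pre_without_escaping(body):
    """What a <pre> wrapper does NOT do: it is not a sanitizer. Kept only so
    the check below can show the difference between wrapping and escaping."""
    return "<pre>" + body + "</pre>"


TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def unescaped_tags(markup, allowed=("pre",)):
    """Reviewer's check: list every tag name present in the rendered markup
    other than the wrapper tags we deliberately added. Escaped content
    contains no literal '<', so it never matches."""
    return [m.group(1).lower() for m in TAG_RE.finditer(markup)
            if m.group(1).lower() not in allowed]


if __name__ == "__main__":
    print(show_message_stanza(SAMPLE_DIFF_BODY, preformatted=True))
    print(show_message_headers(SAMPLE_HEADERS))
    print("stray tags, escaped+wrapped:",
          unescaped_tags(show_message_stanza(SAMPLE_DIFF_BODY, True)))
    print("stray tags, wrapped only:   ",
          unescaped_tags(pre_without_escaping(SAMPLE_DIFF_BODY)))
```

Running the check over the three renderings shows the escaped-and-wrapped stanza and the header block contain no tags other than the `<pre>` wrapper, while wrapping without escaping leaves the `<script>` element intact; the wrapper order, not the wrapper itself, is what decides safety.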