Edgewall Software

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#7912 closed defect (fixed)

Milestone etc. values for ticket query filters are not escaped

Reported by: joeray123@… Owned by: Jonas Borgström
Priority: highest Milestone: 0.11.3
Component: report system Version:
Severity: normal Keywords: security
Cc: osimons Branch:
Release Notes:
API Changes:
Internal Changes:


Values that are placed into select boxes to filter queries are not escaped, meaning an XSS attack is possible.

How to reproduce

Create a milestone that has " characters in it, e.g:

'Hello "]}}; alert("test"); properties = {milestone: {options: ["'

Trac version: tested on 0.11.1 and

Attachments (0)

Change History (4)

comment:1 by osimons, 14 years ago

Keywords: security added
Milestone: 0.11.3
Priority: normalhighest

Thanks for the report. It seems we populate the various values into a JS inline script, and for some reason we enclose the option value in a set of "" quotes which basically nullifies the escape-by-default behavior.

This diff fixes the issue, and as far as I can see custom query continues to work as expected. Could someone else please confirm the fix, and is this serious enough to warrant a security release? It only affects meta-data, that very seldom can be modified by regular users. However, no doubt risks could exist depending on the setup of individual Trac sites.

  • trac/ticket/templates/query.html

    a b  
    192192        <py:for each="(field_name, field), sep in separated(fields.iteritems())">
    193193          $field_name: { type: "$field.type", label: "$field.label"
    194194          <py:if test="'options' in field">, options: [
    195             <py:for each="option, sep in separated(field.options)">"$option"$sep
     195            <py:for each="option, sep in separated(field.options)">$option$sep
    196196            </py:for>]
    197197          </py:if>}$sep
    198198        </py:for>

comment:2 by osimons, 14 years ago

Cc: osimons added

comment:3 by Jonas Borgström, 14 years ago

Resolution: fixed
Status: newclosed

Fixed in [7786] and [7788] by introducing a new javascript_quote function in text.py.

comment:4 by Christian Boos, 14 years ago

Owner: set to Jonas Borgström

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.