[Rt-commit] rt branch, 4.0-trunk, updated. rt-4.0.24-26-g1704c2c
Shawn Moore
shawn at bestpractical.com
Wed Aug 12 16:03:34 EDT 2015
The branch, 4.0-trunk has been updated
via 1704c2c7e4274999d1e720b1a7e67663b7afb8ff (commit)
via 5d72f9ce8e88c8afcf40abf9a586b16bf63e1600 (commit)
via 4ec786bb4743f67a35a634c1bf43b13d3d3b39a9 (commit)
from 38f98d4f313a4c0e19b5ec517f4f6492928e455a (commit)
Summary of changes:
share/html/NoAuth/js/util.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
- Log -----------------------------------------------------------------
commit 4ec786bb4743f67a35a634c1bf43b13d3d3b39a9
Author: Shawn M Moore <shawn at bestpractical.com>
Date: Tue Jul 28 19:41:44 2015 +0000
Escape principal name as we insert it into the DOM
jQuery's text() setter method escapes the passed-in content. Using the original
html() leaves us vulnerable to an XSS injection attack. This resolves
CVE-2015-5475.
diff --git a/share/html/NoAuth/js/util.js b/share/html/NoAuth/js/util.js
index 4732226..1995db0 100644
--- a/share/html/NoAuth/js/util.js
+++ b/share/html/NoAuth/js/util.js
@@ -320,7 +320,7 @@ function toggle_addprincipal_validity(input, good, title) {
function update_addprincipal_title(title) {
var h3 = jQuery("#acl-AddPrincipal h3");
- h3.html( h3.text().replace(/: .*$/,'') + ": " + title );
+ h3.text( h3.text().replace(/: .*$/,'') + ": " + title );
}
// when a value is selected from the autocompleter
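Review bot: switching the setter to text() is the right fix, since the concatenated string is then written as text content and any markup in `title` (or in the recovered prefix) is never parsed; the remaining fragility in this hunk is that the static prefix is recovered from the live heading with `h3.text().replace(/: .*$/,'')`, which breaks if the prefix itself ever contains ": " and, because `.` does not match newlines and the pattern has no `m` flag, fails to strip a previously set title that contains a newline, so titles would accumulate. Consider keeping the fixed prefix in a separate attribute or variable and building the heading as `prefix + ": " + title` rather than parsing it back out of the heading text.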
commit 5d72f9ce8e88c8afcf40abf9a586b16bf63e1600
Merge: a0ae824 4ec786b
Author: Shawn M Moore <shawn at bestpractical.com>
Date: Tue Jul 28 19:49:40 2015 +0000
Merge branch 'security/4.0/rights-xss' into security/4.0.24-releng
commit 1704c2c7e4274999d1e720b1a7e67663b7afb8ff
Merge: 38f98d4 5d72f9c
Author: Shawn M Moore <shawn at bestpractical.com>
Date: Wed Aug 12 16:02:38 2015 -0400
Merge branch 'security/4.0.24-releng' into 4.0-trunk
-----------------------------------------------------------------------