[Rt-devel] Any XSS issues?

Drew Taylor taylor.andrew.j at gmail.com
Thu Jan 8 18:55:08 EST 2009

Hi all,

The topic of XSS vulnerability came up in an internal discussion about
our pending upgrade to 3.8.x. We ran across a (very) old mailing list
post about RT 2 having XSS protections, but nothing obvious since. Using
an "XSS scriptlet" one of the guys dug up, I pasted it into the message
box and created a new ticket. The resulting ticket displayed the
JavaScript exactly as I pasted it in. This tells me that there is
definitely some level of XSS prevention built into RT.

Any gotchas I should know about?

 Drew Taylor                 *  Web development & consulting
 Email: drew at drewtaylor.com  *  Site implementation & hosting
 Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres