[Rt-devel] Any XSS issues?

Jesse Vincent jesse at bestpractical.com
Thu Jan 8 18:57:45 EST 2009




On Thu, Jan 08, 2009 at 11:55:08PM +0000, Drew Taylor wrote:
> Hi all,
> 
> The topic of XSS vulnerability came up in an internal discussion about
> our pending upgrade to 3.8.x. We ran across a (very) old mailing list
> post about RT 2 having XSS protections, nothing obvious since. Using
> an "xss scriplet" one of the guys dug up I posted it into the message
> box and created a new ticket. The resulting ticket displayed the
> javascript exactly as I pasted it in. This tells me that there is
> definitely some level of XSS prevention built into RT.

There certainly is.

> Any gotchas I should know about?

Nope. As always, we do take security issues very seriously and would
greatly appreciate it if you bring anything you discover to our
attention quickly and (initially) quietly to give us a chance to help RT
users mitigate issues before anyone has a chance to exploit a newly
discovered vulnerability.
> 
> Drew
> -- 
> ----------------------------------------------------------------
>  Drew Taylor                 *  Web development & consulting
>  Email: drew at drewtaylor.com  *  Site implementation & hosting
>  Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres
>  ----------------------------------------------------------------
> _______________________________________________
> List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel
> 

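The manual test in the quoted post (paste a script payload into the ticket message box and see whether it comes back as literal text) can be automated, and doing so makes the limits of that test visible. What follows is an added example, not RT's code and not from anyone in this thread: it pushes a few constructed probe payloads through three hypothetical renderers that stand in for a display template, then uses Python's html.parser to check whether any probe produced an element or attribute that a benign value does not. The first two renderers (escaped element text, escaped value in a quoted attribute) are what the post's test exercises; the third is the caveat it does not cover: HTML-escaping does nothing for an unquoted attribute value, where a single space is enough to inject an attribute such as onerror or onmouseover.

```python
import html
from html.parser import HTMLParser

# Constructed probe payloads for this example (not taken from the post).
PROBES = [
    '<script>alert(1)</script>',            # element-text breakout
    '"><img src=x onerror=alert(1)>',       # quoted-attribute breakout
    'x onmouseover=alert(1)',               # needs no special chars at all
]


# Three hypothetical renderers standing in for a ticket display template.
# None of these is RT's actual template code.

def render_escaped_body(text):
    """User text placed as element content, HTML-escaped (the behaviour the
    post observed: the script shows up as literal text)."""
    return '<div class="message">%s</div>' % html.escape(text)


def render_quoted_attr(text):
    """User text placed inside a double-quoted attribute, HTML-escaped with
    quote=True (default) so a " in the input cannot close the attribute."""
    return '<a title="%s" href="/ticket">view</a>' % html.escape(text)


def render_unquoted_attr(text):
    """Deliberately weak: same escaping, but the attribute is unquoted, so
    whitespace in the input starts a new attribute. Escaping does not help."""
    return '<a title=%s href="/ticket">view</a>' % html.escape(text)


class _Inventory(HTMLParser):
    """Collects every start tag together with its attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def inventory(markup):
    """Return [(tag, [attr, ...]), ...] as the browser-ish parser sees them."""
    parser = _Inventory()
    parser.feed(markup)
    parser.close()
    return parser.tags


def surviving_probes(render):
    """The post's manual test, automated: a probe 'survives' if rendering it
    yields any element or attribute that rendering a harmless value does not.
    Returns the list of surviving probes (empty means all were neutralised)."""
    baseline = inventory(render('hello'))
    return [p for p in PROBES if inventory(render(p)) != baseline]


if __name__ == '__main__':
    for renderer in (render_escaped_body, render_quoted_attr,
                     render_unquoted_attr):
        print('%-22s survivors: %r' % (renderer.__name__,
                                        surviving_probes(renderer)))
```

Running it shows no survivors for the element-text and quoted-attribute renderers, while the unquoted-attribute renderer lets both the img and the onmouseover probes through, because the parser ends the title value at the first space regardless of escaping. The practical reading of Drew's experiment is therefore: it confirms escaping in the message body context only, and any place that echoes user-controlled fields into attributes, URLs or inline script needs its own probe.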