[Rt-devel] Any XSS issues?

Drew Taylor taylor.andrew.j at gmail.com
Tue Jan 13 16:58:27 EST 2009


On Thu, Jan 8, 2009 at 11:57 PM, Jesse Vincent <jesse at bestpractical.com> wrote:
>
> On Thu, Jan 08, 2009 at 11:55:08PM +0000, Drew Taylor wrote:
>> The topic of XSS vulnerability came up in an internal discussion about
>> ... This tells me that there is
>> definitely some level of XSS prevention built into RT.
>
> There certainly is.
>
>> Any gotchas I should know about?
>
> Nope. As always, we do take security issues very seriously and would

Well, we did find one gotcha though I can't strictly call it RT's
fault. Creating tickets through the web UI does successfully escape
malicious output, but that doesn't apply to tickets created via
RT::Client::REST. Is there a way I can get REST-generated tickets to
go through the same escaping as UI-generated tickets?

Thanks,
Drew
-- 
----------------------------------------------------------------
 Drew Taylor                 *  Web development & consulting
 Email: drew at drewtaylor.com  *  Site implementation & hosting
 Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres
 ----------------------------------------------------------------
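The gap Drew describes above (one ingestion path escapes, another does not) is a general design point, so here is an added illustration of it. This is constructed example code, not RT's or RT::Client::REST's code, and it assumes a simplified ticket model with two ingestion paths (`create_via_web_ui`, which escapes on input, and `create_via_rest`, which stores raw text) and two renderers: one that trusts storage and one that escapes at output time. The probe string is a constructed marker, used only to show where markup survives into the rendered page.

```python
import html
from dataclasses import dataclass

# Constructed probe text: a tag that must never reach the browser unescaped.
PROBE = "<script>alert(1)</script>"


@dataclass
class Ticket:
    subject: str
    body: str
    source: str  # "web_ui" or "rest", for illustration only


def create_via_web_ui(subject: str, body: str) -> Ticket:
    """Models a UI path that escapes on input (hypothetical, not RT's behaviour)."""
    return Ticket(html.escape(subject), html.escape(body), "web_ui")


def create_via_rest(subject: str, body: str) -> Ticket:
    """Models an API path that stores the text exactly as received."""
    return Ticket(subject, body, "rest")


def render_trusting_storage(ticket: Ticket) -> str:
    """Renders stored fields verbatim.

    Safe only if every ingestion path escaped on the way in, which is exactly
    the assumption that breaks once a second channel (REST) is added.
    """
    return f"<h1>{ticket.subject}</h1><div>{ticket.body}</div>"


def render_escape_on_output(ticket: Ticket) -> str:
    """Escapes at the point where text meets HTML, regardless of source."""
    return (
        f"<h1>{html.escape(ticket.subject, quote=True)}</h1>"
        f"<div>{html.escape(ticket.body, quote=True)}</div>"
    )


def contains_active_markup(rendered: str) -> bool:
    """Crude check for the constructed probe: does a raw <script tag survive?"""
    return "<script" in rendered.lower()


def is_double_escaped(rendered: str) -> bool:
    """True when already-escaped input was escaped again (&lt; became &amp;lt;)."""
    return "&amp;lt;" in rendered


if __name__ == "__main__":
    for make in (create_via_web_ui, create_via_rest):
        t = make(PROBE, "body text")
        print(t.source, "trusting storage ->", contains_active_markup(render_trusting_storage(t)))
        print(t.source, "escape on output ->", contains_active_markup(render_escape_on_output(t)))
```

Two things fall out of running it: the storage-trusting renderer is safe for the UI ticket and unsafe for the REST ticket, and switching to output-side escaping closes the REST gap but double-escapes the UI ticket (`&amp;lt;` shows up in the page). The usual resolution is to escape exactly once, at output, and store raw text from every channel.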
