[Rt-devel] Any XSS issues?

Drew Taylor taylor.andrew.j at gmail.com
Tue Jan 13 16:58:27 EST 2009

On Thu, Jan 8, 2009 at 11:57 PM, Jesse Vincent <jesse at bestpractical.com> wrote:
> On Thu, Jan 08, 2009 at 11:55:08PM +0000, Drew Taylor wrote:
>> The topic of XSS vulnerability came up in an internal discussion about
>> ... This tells me that there is
>> definitely some level of XSS prevention built into RT.
> There certainly is.
>> Any gotchas I should know about?
> Nope. As always, we do take security issues very seriously and would

Well, we did find one gotcha, though I can't strictly call it RT's
fault. Creating tickets through the web UI does successfully escape
malicious output, but that doesn't apply to tickets created via
RT::Client::REST. Is there a way I can get REST-generated tickets to
go through the same escaping as UI-generated tickets?

 Drew Taylor                 *  Web development & consulting
 Email: drew at drewtaylor.com  *  Site implementation & hosting
 Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres
