Details
Bug
Resolution: Fixed
High
2.5.2, 2.5.4
None
Description
The input from "Add Labels" text box is not properly validated. There are two major flaws:
1) the string length is not validated - if the string is longer than 255 characters an error message is displayed: "[41a] Error connecting to the server. The labels have not been updated."
2) the input is not properly escaped and lets HTML pass through - "<" and ">" are allowed characters (why?!?!?) and are not even being properly escaped - this makes it super easy to modify the DOM structure and modify the look of the site. See http://confluence.atlassian.com/display/TEST/Label+Validation+Problem for examples. Only the fact that ":" and "(" are not allowed characters makes it difficult to use this hole for an XSS exploit - but the possibility of finding a way to create an XSS exploit using this hole still exists.
Suggested fix:
1) add length validation
2) there are two ways to fix the second issue:
a) add "<" and ">" as well as "\" and "/" among forbidden characters
b) encode the string using HTML entities (http://www.w3schools.com/tags/ref_entities.asp)
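The suggested fixes combined into one sketch: length validation, the forbidden-character check from 2a, and entity encoding on output from 2b. This is an added example, not Confluence code; the function names, the whitespace-separated label format and the `label` CSS class are assumptions, and the 255-character limit and character set are taken from the report.

```javascript
// Added example, not Confluence code. All names here are hypothetical.
// Limit and character set come from the report: 255 characters, ":" and "("
// already rejected, "<", ">", "\" and "/" proposed in fix 2a.
const MAX_LABEL_LENGTH = 255;
const FORBIDDEN = /[<>\\\/:(]/;

// Fix 1 and fix 2a: reject bad input with a specific reason instead of
// letting it fail later as a generic server error.
function validateLabel(raw) {
  const label = String(raw).trim();
  if (label.length === 0) return { ok: false, error: "empty label" };
  if (label.length > MAX_LABEL_LENGTH) {
    return { ok: false, error: `label longer than ${MAX_LABEL_LENGTH} characters` };
  }
  const bad = label.match(FORBIDDEN);
  if (bad) return { ok: false, error: `forbidden character "${bad[0]}"` };
  return { ok: true, label };
}

// Fix 2b: encode on output so stored text is never parsed as markup.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Encode every label at render time, including ones that passed validation:
// labels stored before the validation existed may still contain markup.
function renderLabels(labels) {
  return labels.map((l) => `<span class="label">${escapeHtml(l)}</span>`).join(" ");
}

// Split the text box content (assumed whitespace-separated) and validate
// each label, so one bad label does not hide which input was at fault.
function processLabelInput(input) {
  const accepted = [];
  const rejected = [];
  for (const token of String(input).split(/\s+/).filter(Boolean)) {
    const result = validateLabel(token);
    if (result.ok) accepted.push(result.label);
    else rejected.push({ token, error: result.error });
  }
  return { accepted, rejected };
}
```

Applying 2a and 2b together is deliberate: validation gives the user a clear error at input time, while output encoding keeps the page safe for any label that reaches the renderer by another path.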